release: 2025.2.1

stages/authenticator_email: fix session cleanup test b (cherry-pick #13264 ) (#13276 )
Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io> fix session cleanup test b (#13264)
2025-02-26 20:54:52 +01:00 · 2025-02-26 20:46:05 +01:00 · 2025-02-26 20:44:50 +01:00 · 2025-02-25 11:25:29 +01:00 · 2025-02-24 16:58:18 +01:00 · 2025-02-24 14:57:55 +01:00
290 changed files with 2323 additions and 5312 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.2.0
+current_version = 2025.2.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -28,11 +28,7 @@ Output of docker-compose logs or kubectl logs respectively
 **Version and Deployment (please complete the following information):**
-<!--
+-   authentik version: [e.g. 2021.8.5]
 Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
 -->
 -   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]
 **Additional context**
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@ -20,12 +20,7 @@ Output of docker-compose logs or kubectl logs respectively
 **Version and Deployment (please complete the following information):**
-<!--
+-   authentik version: [e.g. 2021.8.5]
 Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
 -->
 -   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]
 **Additional context**
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -35,7 +35,7 @@ runs:
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry sync
+        poetry install --sync
        cd web && npm ci
    - name: Generate config
      shell: poetry run python {0}
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -1,13 +1,9 @@
 ---
-name: authentik-translate-extract-compile
+name: authentik-backend-translate-extract-compile
 on:
  schedule:
    - cron: "0 0 * * *" # every day at midnight
  workflow_dispatch:
  pull_request:
    branches:
      - main
      - version-*
 env:
  POSTGRES_DB: authentik
@ -36,7 +32,6 @@ jobs:
          poetry run ak compilemessages
          make web-check-compile
      - name: Create Pull Request
        if: ${{ github.event_name != 'pull_request' }}
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/SECURITY.md
+++ b/SECURITY.md
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 | Version   | Supported |
 | --------- | --------- |
 | 2024.10.x | ✅        |
 | 2024.12.x | ✅        |
 | 2025.2.x  | ✅        |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2025.2.0"
+__version__ = "2025.2.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -11,6 +11,7 @@
        build: "{{ build }}",
        api: {
            base: "{{ base_url }}",
            relBase: "{{ base_url_rel }}",
        },
    };
    window.addEventListener("DOMContentLoaded", function () {
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -53,6 +53,7 @@ class InterfaceView(TemplateView):
        kwargs["build"] = get_build_hash()
        kwargs["url_kwargs"] = self.kwargs
        kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
        kwargs["base_url_rel"] = CONFIG.get("web.path", "/")
        return super().get_context_data(**kwargs)
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -64,8 +64,6 @@ debugger: false
 log_level: info
 session_storage: cache
 sessions:
  unauthenticated_age: days=1
 error_reporting:
  enabled: false
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -16,7 +16,6 @@ from authentik.lib.config import CONFIG, django_db_config, redis_url
 from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
 from authentik.lib.utils.reflection import get_env
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT, BACKEND_LDAP
 BASE_DIR = Path(__file__).absolute().parent.parent.parent
@ -243,9 +242,6 @@ SESSION_CACHE_ALIAS = "default"
 # Configured via custom SessionMiddleware
 # SESSION_COOKIE_SAMESITE = "None"
 # SESSION_COOKIE_SECURE = True
 SESSION_COOKIE_AGE = timedelta_from_string(
    CONFIG.get("sessions.unauthenticated_age", "days=1")
 ).total_seconds()
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 MESSAGE_STORAGE = "authentik.root.messages.storage.ChannelsStorage"
--- a/authentik/stages/authenticator_email/tests.py
+++ b/authentik/stages/authenticator_email/tests.py
@ -300,9 +300,11 @@ class TestAuthenticatorEmailStage(FlowTestCase):
            )
            self.assertEqual(response.status_code, 200)
            self.assertTrue(device.confirmed)
-            # Session key should be removed after device is saved
+            # Get a fresh session to check if the key was removed
-            device.save()
+            session = self.client.session
-            self.assertNotIn(SESSION_KEY_EMAIL_DEVICE, self.client.session)
+            session.save()
            session.load()
            self.assertNotIn(SESSION_KEY_EMAIL_DEVICE, session)
    def test_model_properties_and_methods(self):
        """Test model properties"""
--- a/authentik/stages/email/tasks.py
+++ b/authentik/stages/email/tasks.py
@ -12,6 +12,7 @@ from structlog.stdlib import get_logger
 from authentik.events.models import Event, EventAction, TaskStatus
 from authentik.events.system_tasks import SystemTask
 from authentik.lib.utils.reflection import class_to_path, path_to_class
 from authentik.root.celery import CELERY_APP
 from authentik.stages.authenticator_email.models import AuthenticatorEmailStage
 from authentik.stages.email.models import EmailStage
@ -32,9 +33,10 @@ def send_mails(
        Celery group promise for the email sending tasks
    """
    tasks = []
-    stage_class = stage.__class__
+    # Use the class path instead of the class itself for serialization
    stage_class_path = class_to_path(stage.__class__)
    for message in messages:
-        tasks.append(send_mail.s(message.__dict__, stage_class, str(stage.pk)))
+        tasks.append(send_mail.s(message.__dict__, stage_class_path, str(stage.pk)))
    lazy_group = group(*tasks)
    promise = lazy_group()
    return promise
@ -61,7 +63,7 @@ def get_email_body(email: EmailMultiAlternatives) -> str:
 def send_mail(
    self: SystemTask,
    message: dict[Any, Any],
-    stage_class: EmailStage | AuthenticatorEmailStage = EmailStage,
+    stage_class_path: str | None = None,
    email_stage_pk: str | None = None,
 ):
    """Send Email for Email Stage. Retries are scheduled automatically."""
@ -69,9 +71,10 @@ def send_mail(
    message_id = make_msgid(domain=DNS_NAME)
    self.set_uid(slugify(message_id.replace(".", "_").replace("@", "_")))
    try:
-        if not email_stage_pk:
+        if not stage_class_path or not email_stage_pk:
-            stage: EmailStage | AuthenticatorEmailStage = stage_class(use_global_settings=True)
+            stage = EmailStage(use_global_settings=True)
        else:
            stage_class = path_to_class(stage_class_path)
            stages = stage_class.objects.filter(pk=email_stage_pk)
            if not stages.exists():
                self.set_status(
--- a/authentik/stages/email/tests/test_tasks.py
+++ b/authentik/stages/email/tests/test_tasks.py
@ -0,0 +1,58 @@
 """Test email stage tasks"""
 from unittest.mock import patch
 from django.core.mail import EmailMultiAlternatives
 from django.test import TestCase
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.utils.reflection import class_to_path
 from authentik.stages.authenticator_email.models import AuthenticatorEmailStage
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import get_email_body, send_mails
 class TestEmailTasks(TestCase):
    """Test email stage tasks"""
    def setUp(self):
        self.user = create_test_admin_user()
        self.stage = EmailStage.objects.create(
            name="test-email",
            use_global_settings=True,
        )
        self.auth_stage = AuthenticatorEmailStage.objects.create(
            name="test-auth-email",
            use_global_settings=True,
        )
    def test_get_email_body_html(self):
        """Test get_email_body with HTML alternative"""
        message = EmailMultiAlternatives()
        message.body = "plain text"
        message.attach_alternative("<p>html content</p>", "text/html")
        self.assertEqual(get_email_body(message), "<p>html content</p>")
    def test_get_email_body_plain(self):
        """Test get_email_body with plain text only"""
        message = EmailMultiAlternatives()
        message.body = "plain text"
        self.assertEqual(get_email_body(message), "plain text")
    def test_send_mails_email_stage(self):
        """Test send_mails with EmailStage"""
        message = EmailMultiAlternatives()
        with patch("authentik.stages.email.tasks.send_mail") as mock_send:
            send_mails(self.stage, message)
            mock_send.s.assert_called_once_with(
                message.__dict__, class_to_path(EmailStage), str(self.stage.pk)
            )
    def test_send_mails_authenticator_stage(self):
        """Test send_mails with AuthenticatorEmailStage"""
        message = EmailMultiAlternatives()
        with patch("authentik.stages.email.tasks.send_mail") as mock_send:
            send_mails(self.auth_stage, message)
            mock_send.s.assert_called_once_with(
                message.__dict__, class_to_path(AuthenticatorEmailStage), str(self.auth_stage.pk)
            )
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2025.2.0 Blueprint schema",
+    "title": "authentik 2025.2.1 Blueprint schema",
    "required": [
        "version",
        "entries"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
    restart: unless-stopped
    command: server
    environment:
@ -54,7 +54,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -1,8 +1,8 @@
 module goauthentik.io
-go 1.23.0
+go 1.23
-toolchain go1.24.0
+toolchain go1.23.0
 require (
 	beryju.io/ldap v0.1.0
@ -22,16 +22,16 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.0
-	github.com/prometheus/client_golang v1.21.0
+	github.com/prometheus/client_golang v1.20.5
-	github.com/redis/go-redis/v9 v9.7.1
+	github.com/redis/go-redis/v9 v9.7.0
 	github.com/sethvargo/go-envconfig v1.1.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025020.1
+	goauthentik.io/api/v3 v3.2024123.6
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.27.0
+	golang.org/x/oauth2 v0.26.0
 	golang.org/x/sync v0.11.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
@ -48,7 +48,7 @@ require (
 	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 // indirect
 	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
@ -62,23 +62,23 @@ require (
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
-	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	google.golang.org/protobuf v1.36.1 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -84,8 +84,8 @@ github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 h1:O6yi4xa9b2D
 github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27/go.mod h1:AYvN8omj7nKLmbcXS2dyABYU6JB1Lz1bHmkkq1kf4I4=
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a h1:v6zMvHuY9yue4+QkG/HQ/W67wvtQmWJ4SDo9aK/GIno=
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a/go.mod h1:I79BieaU4fxrw4LMXby6q5OS9XnoR9UIKLOzDFjUmuw=
-github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
+github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
-github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
 github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@ -207,8 +207,8 @@ github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFF
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@ -239,17 +239,17 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.21.0 h1:DIsaGmiaBkSangBgMtWdNfxbMNdku5IK6iNhrEqWvdA=
+github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
-github.com/prometheus/client_golang v1.21.0/go.mod h1:U9NM32ykUErtVBxdvD3zfi+EuFkkaBvMb09mIfe0Zgg=
+github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
+github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
+github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redis/go-redis/v9 v9.7.1 h1:4LhKRCIduqXqtvCUlaq9c8bdHOkICjDMrr1+Zb3osAc=
+github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E=
-github.com/redis/go-redis/v9 v9.7.1/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
+github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025020.1 h1:7922W4XiGif7lUCl2qlaeQJ3wSx1wDDDpXx8ryx0Hv0=
+goauthentik.io/api/v3 v3.2024123.6 h1:AGOCa7Fc/9eONCPEW4sEhTiyEBvxN57Lfqz1zm6Gy98=
-goauthentik.io/api/v3 v3.2025020.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024123.6/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -312,9 +312,8 @@ golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -394,8 +393,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -448,9 +447,8 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@ -597,8 +595,8 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
-const VERSION = "2025.2.0"
+const VERSION = "2025.2.1"
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@ -9,7 +9,7 @@
            "version": "0.0.0",
            "license": "MIT",
            "devDependencies": {
-                "aws-cdk": "^2.1000.3",
+                "aws-cdk": "^2.179.0",
                "cross-env": "^7.0.3"
            },
            "engines": {
@ -17,9 +17,9 @@
            }
        },
        "node_modules/aws-cdk": {
-            "version": "2.1000.3",
+            "version": "2.179.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1000.3.tgz",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.179.0.tgz",
-            "integrity": "sha512-y0sU603gGWpVTwqDw9MKVHg3e1t49Mvve6t3YDOvjeKY195Vu6dgHlHjW4h8n1vX04r49NKfpoApG60V8sMbdw==",
+            "integrity": "sha512-aA2+8S2g4UBQHkUEt0mYd16VLt/ucR+QfyUJi34LDKRAhOCNDjPCZ4z9z/JEDyuni0BdzsYA55pnpDN9tMULpA==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@ -10,7 +10,7 @@
        "node": ">=20"
    },
    "devDependencies": {
-        "aws-cdk": "^2.1000.3",
+        "aws-cdk": "^2.179.0",
        "cross-env": "^7.0.3"
    }
 }
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@ -26,7 +26,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2025.2.0
+    Default: 2025.2.1
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-25 00:11+0000\n"
+"POT-Creation-Date: 2025-02-14 14:49+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -109,10 +109,6 @@ msgstr ""
 msgid "Extra description not available"
 msgstr ""
 #: authentik/core/api/groups.py
 msgid "Cannot set group as parent of itself."
 msgstr ""
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -156,14 +152,6 @@ msgstr ""
 msgid "Remove user from group"
 msgstr ""
 #: authentik/core/models.py
 msgid "Enable superuser status"
 msgstr ""
 #: authentik/core/models.py
 msgid "Disable superuser status"
 msgstr ""
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr ""
@ -512,6 +500,57 @@ msgstr ""
 msgid "Microsoft Entra Provider Mappings"
 msgstr ""
 #: authentik/enterprise/providers/rac/models.py
 #: authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
 "lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
 msgstr ""
 #: authentik/enterprise/providers/rac/models.py
 msgid "When set to true, connection tokens will be deleted upon disconnect."
 msgstr ""
 #: authentik/enterprise/providers/rac/models.py
 msgid "RAC Provider"
 msgstr ""
 #: authentik/enterprise/providers/rac/models.py
 msgid "RAC Providers"
 msgstr ""
 #: authentik/enterprise/providers/rac/models.py
 msgid "RAC Endpoint"
 msgstr ""
 #: authentik/enterprise/providers/rac/models.py
 msgid "RAC Endpoints"
 msgstr ""
 #: authentik/enterprise/providers/rac/models.py
 msgid "RAC Provider Property Mapping"
 msgstr ""
 #: authentik/enterprise/providers/rac/models.py
 msgid "RAC Provider Property Mappings"
 msgstr ""
 #: authentik/enterprise/providers/rac/models.py
 msgid "RAC Connection token"
 msgstr ""
 #: authentik/enterprise/providers/rac/models.py
 msgid "RAC Connection tokens"
 msgstr ""
 #: authentik/enterprise/providers/rac/views.py
 msgid "Maximum connection limit reached."
 msgstr ""
 #: authentik/enterprise/providers/rac/views.py
 msgid "(You are already connected in another tab/window)"
 msgstr ""
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@ -612,7 +651,7 @@ msgstr ""
 msgid "Slack Webhook (Slack/Discord)"
 msgstr ""
-#: authentik/events/models.py authentik/stages/authenticator_validate/models.py
+#: authentik/events/models.py
 msgid "Email"
 msgstr ""
@ -1066,14 +1105,6 @@ msgstr ""
 msgid "Client IP is not in an allowed country."
 msgstr ""
 #: authentik/policies/geoip/models.py
 msgid "Distance from previous authentication is larger than threshold."
 msgstr ""
 #: authentik/policies/geoip/models.py
 msgid "Distance is further than possible."
 msgstr ""
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr ""
@ -1612,56 +1643,6 @@ msgstr ""
 msgid "Proxy Providers"
 msgstr ""
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
 "lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
 msgstr ""
 #: authentik/providers/rac/models.py
 msgid "When set to true, connection tokens will be deleted upon disconnect."
 msgstr ""
 #: authentik/providers/rac/models.py
 msgid "RAC Provider"
 msgstr ""
 #: authentik/providers/rac/models.py
 msgid "RAC Providers"
 msgstr ""
 #: authentik/providers/rac/models.py
 msgid "RAC Endpoint"
 msgstr ""
 #: authentik/providers/rac/models.py
 msgid "RAC Endpoints"
 msgstr ""
 #: authentik/providers/rac/models.py
 msgid "RAC Provider Property Mapping"
 msgstr ""
 #: authentik/providers/rac/models.py
 msgid "RAC Provider Property Mappings"
 msgstr ""
 #: authentik/providers/rac/models.py
 msgid "RAC Connection token"
 msgstr ""
 #: authentik/providers/rac/models.py
 msgid "RAC Connection tokens"
 msgstr ""
 #: authentik/providers/rac/views.py
 msgid "Maximum connection limit reached."
 msgstr ""
 #: authentik/providers/rac/views.py
 msgid "(You are already connected in another tab/window)"
 msgstr ""
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr ""
@ -2505,98 +2486,6 @@ msgstr ""
 msgid "Duo Devices"
 msgstr ""
 #: authentik/stages/authenticator_email/models.py
 msgid "Email OTP"
 msgstr ""
 #: authentik/stages/authenticator_email/models.py
 #: authentik/stages/email/models.py
 msgid ""
 "When enabled, global Email connection settings will be used and connection "
 "settings below will be ignored."
 msgstr ""
 #: authentik/stages/authenticator_email/models.py
 msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
 msgstr ""
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Authenticator Setup Stage"
 msgstr ""
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Authenticator Setup Stages"
 msgstr ""
 #: authentik/stages/authenticator_email/models.py
 #: authentik/stages/authenticator_email/stage.py
 #: authentik/stages/email/stage.py
 msgid "Exception occurred while rendering E-mail template"
 msgstr ""
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Device"
 msgstr ""
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Devices"
 msgstr ""
 #: authentik/stages/authenticator_email/stage.py
 #: authentik/stages/authenticator_sms/stage.py
 #: authentik/stages/authenticator_totp/stage.py
 msgid "Code does not match"
 msgstr ""
 #: authentik/stages/authenticator_email/stage.py
 msgid "Invalid email"
 msgstr ""
 #: authentik/stages/authenticator_email/templates/email/email_otp.html
 #: authentik/stages/email/templates/email/password_reset.html
 #, python-format
 msgid ""
 "\n"
 "      Hi %(username)s,\n"
 "      "
 msgstr ""
 #: authentik/stages/authenticator_email/templates/email/email_otp.html
 msgid ""
 "\n"
 "          Email MFA code.\n"
 "          "
 msgstr ""
 #: authentik/stages/authenticator_email/templates/email/email_otp.html
 #, python-format
 msgid ""
 "\n"
 "    If you did not request this code, please ignore this email. The code "
 "above is valid for %(expires)s.\n"
 "    "
 msgstr ""
 #: authentik/stages/authenticator_email/templates/email/email_otp.txt
 #: authentik/stages/email/templates/email/password_reset.txt
 #, python-format
 msgid "Hi %(username)s,"
 msgstr ""
 #: authentik/stages/authenticator_email/templates/email/email_otp.txt
 msgid ""
 "\n"
 "Email MFA code\n"
 msgstr ""
 #: authentik/stages/authenticator_email/templates/email/email_otp.txt
 #, python-format
 msgid ""
 "\n"
 "If you did not request this code, please ignore this email. The code above "
 "is valid for %(expires)s.\n"
 msgstr ""
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@ -2629,6 +2518,11 @@ msgstr ""
 msgid "SMS Devices"
 msgstr ""
 #: authentik/stages/authenticator_sms/stage.py
 #: authentik/stages/authenticator_totp/stage.py
 msgid "Code does not match"
 msgstr ""
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr ""
@ -2851,6 +2745,12 @@ msgstr ""
 msgid "Account Confirmation"
 msgstr ""
 #: authentik/stages/email/models.py
 msgid ""
 "When enabled, global Email connection settings will be used and connection "
 "settings below will be ignored."
 msgstr ""
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr ""
@ -2867,6 +2767,10 @@ msgstr ""
 msgid "Email Stages"
 msgstr ""
 #: authentik/stages/email/stage.py
 msgid "Exception occurred while rendering E-mail template"
 msgstr ""
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr ""
@ -2941,6 +2845,14 @@ msgid ""
 "This email was sent from the notification transport %(name)s.\n"
 msgstr ""
 #: authentik/stages/email/templates/email/password_reset.html
 #, python-format
 msgid ""
 "\n"
 "      Hi %(username)s,\n"
 "      "
 msgstr ""
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@ -2958,6 +2870,11 @@ msgid ""
 "    "
 msgstr ""
 #: authentik/stages/email/templates/email/password_reset.txt
 #, python-format
 msgid "Hi %(username)s,"
 msgstr ""
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"
--- a/locale/ru/LC_MESSAGES/django.mo
+++ b/locale/ru/LC_MESSAGES/django.mo
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.2.0",
+    "version": "2025.2.1",
    "private": true
 }
--- a/poetry.lock
+++ b/poetry.lock
@ -392,13 +392,13 @@ typeguard = ">=2.13.3,<4.3.0"
 [[package]]
 name = "aws-cdk-lib"
-version = "2.180.0"
+version = "2.179.0"
 description = "Version 2 of the AWS Cloud Development Kit library"
 optional = false
 python-versions = "~=3.8"
 files = [
-    {file = "aws_cdk_lib-2.180.0-py3-none-any.whl", hash = "sha256:5700a84dc4c2c6d323e596119fb4100e66aef6265a4d984bbe2e9341174d048b"},
+    {file = "aws_cdk_lib-2.179.0-py3-none-any.whl", hash = "sha256:1d7b88ee69067b8d58dac9eeb6697bbaf5d5c032a3070898389c41e7c4f3e3d7"},
-    {file = "aws_cdk_lib-2.180.0.tar.gz", hash = "sha256:28ba2c75bd55886eb5e686c58be656c9ab29b895f774f9129eaa3255ffcd6b42"},
+    {file = "aws_cdk_lib-2.179.0.tar.gz", hash = "sha256:b653a55754f4020a4b36e4ae183d213e76e27b18b842cbf9e430e9eccb700550"},
 ]
 [package.dependencies]
@ -1694,17 +1694,18 @@ files = [
 [[package]]
 name = "duo-client"
-version = "5.4.0"
+version = "5.3.0"
 description = "Reference client for Duo Security APIs"
 optional = false
 python-versions = "*"
 files = [
-    {file = "duo_client-5.4.0-py3-none-any.whl", hash = "sha256:092d2f79ca2dd7107f944807a109c98c08b99c2dd7fc422b979a248787852068"},
+    {file = "duo_client-5.3.0-py3-none-any.whl", hash = "sha256:85614bb684cef96285268aef0c1e858df939f6e8a190fb2c707d700bb0215766"},
-    {file = "duo_client-5.4.0.tar.gz", hash = "sha256:8e0fec41006951ce7d0ac5281ddfef59f154e194c71d5a00d717e1769e9077bb"},
+    {file = "duo_client-5.3.0.tar.gz", hash = "sha256:afa5ef98a42f06965a2702ca41dba9c85c483abd945e0a440f0ec4871b7593bf"},
 ]
 [package.dependencies]
 setuptools = "*"
 six = "*"
 [[package]]
 name = "durationpy"
@ -2523,13 +2524,13 @@ zookeeper = ["kazoo (>=2.8.0)"]
 [[package]]
 name = "kubernetes"
-version = "32.0.1"
+version = "32.0.0"
 description = "Kubernetes python client"
 optional = false
 python-versions = ">=3.6"
 files = [
-    {file = "kubernetes-32.0.1-py2.py3-none-any.whl", hash = "sha256:35282ab8493b938b08ab5526c7ce66588232df00ef5e1dbe88a419107dc10998"},
+    {file = "kubernetes-32.0.0-py2.py3-none-any.whl", hash = "sha256:60fd8c29e8e43d9c553ca4811895a687426717deba9c0a66fb2dcc3f5ef96692"},
-    {file = "kubernetes-32.0.1.tar.gz", hash = "sha256:42f43d49abd437ada79a79a16bd48a604d3471a117a8347e87db693f2ba0ba28"},
+    {file = "kubernetes-32.0.0.tar.gz", hash = "sha256:319fa840345a482001ac5d6062222daeb66ec4d1bcb3087402aed685adf0aecb"},
 ]
 [package.dependencies]
@ -3717,36 +3718,36 @@ files = [
 [[package]]
 name = "psycopg"
-version = "3.2.5"
+version = "3.2.4"
 description = "PostgreSQL database adapter for Python"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "psycopg-3.2.5-py3-none-any.whl", hash = "sha256:b782130983e5b3de30b4c529623d3687033b4dafa05bb661fc6bf45837ca5879"},
+    {file = "psycopg-3.2.4-py3-none-any.whl", hash = "sha256:43665368ccd48180744cab26b74332f46b63b7e06e8ce0775547a3533883d381"},
-    {file = "psycopg-3.2.5.tar.gz", hash = "sha256:f5f750611c67cb200e85b408882f29265c66d1de7f813add4f8125978bfd70e8"},
+    {file = "psycopg-3.2.4.tar.gz", hash = "sha256:f26f1346d6bf1ef5f5ef1714dd405c67fb365cfd1c6cea07de1792747b167b92"},
 ]
 [package.dependencies]
-psycopg-c = {version = "3.2.5", optional = true, markers = "implementation_name != \"pypy\" and extra == \"c\""}
+psycopg-c = {version = "3.2.4", optional = true, markers = "implementation_name != \"pypy\" and extra == \"c\""}
 typing-extensions = {version = ">=4.6", markers = "python_version < \"3.13\""}
 tzdata = {version = "*", markers = "sys_platform == \"win32\""}
 [package.extras]
-binary = ["psycopg-binary (==3.2.5)"]
+binary = ["psycopg-binary (==3.2.4)"]
-c = ["psycopg-c (==3.2.5)"]
+c = ["psycopg-c (==3.2.4)"]
-dev = ["ast-comments (>=1.1.2)", "black (>=24.1.0)", "codespell (>=2.2)", "dnspython (>=2.1)", "flake8 (>=4.0)", "isort-psycopg", "isort[colors] (>=6.0)", "mypy (>=1.14)", "pre-commit (>=4.0.1)", "types-setuptools (>=57.4)", "wheel (>=0.37)"]
+dev = ["ast-comments (>=1.1.2)", "black (>=24.1.0)", "codespell (>=2.2)", "dnspython (>=2.1)", "flake8 (>=4.0)", "mypy (>=1.14)", "pre-commit (>=4.0.1)", "types-setuptools (>=57.4)", "wheel (>=0.37)"]
 docs = ["Sphinx (>=5.0)", "furo (==2022.6.21)", "sphinx-autobuild (>=2021.3.14)", "sphinx-autodoc-typehints (>=1.12)"]
 pool = ["psycopg-pool"]
 test = ["anyio (>=4.0)", "mypy (>=1.14)", "pproxy (>=2.7)", "pytest (>=6.2.5)", "pytest-cov (>=3.0)", "pytest-randomly (>=3.5)"]
 [[package]]
 name = "psycopg-c"
-version = "3.2.5"
+version = "3.2.4"
 description = "PostgreSQL database adapter for Python -- C optimisation distribution"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "psycopg_c-3.2.5.tar.gz", hash = "sha256:57ad4cfd28de278c424aaceb1f2ad5c7910466e315dfe84e403f3c7a0a2ce81b"},
+    {file = "psycopg_c-3.2.4.tar.gz", hash = "sha256:22097a04263efb2efd2cc8b00a51fa90e23f9cd4a2e09903fe4d9c6923dac17a"},
 ]
 [[package]]
@ -4547,29 +4548,29 @@ pyasn1 = ">=0.1.3"
 [[package]]
 name = "ruff"
-version = "0.9.7"
+version = "0.9.6"
 description = "An extremely fast Python linter and code formatter, written in Rust."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "ruff-0.9.7-py3-none-linux_armv6l.whl", hash = "sha256:99d50def47305fe6f233eb8dabfd60047578ca87c9dcb235c9723ab1175180f4"},
+    {file = "ruff-0.9.6-py3-none-linux_armv6l.whl", hash = "sha256:2f218f356dd2d995839f1941322ff021c72a492c470f0b26a34f844c29cdf5ba"},
-    {file = "ruff-0.9.7-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:d59105ae9c44152c3d40a9c40d6331a7acd1cdf5ef404fbe31178a77b174ea66"},
+    {file = "ruff-0.9.6-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:b908ff4df65dad7b251c9968a2e4560836d8f5487c2f0cc238321ed951ea0504"},
-    {file = "ruff-0.9.7-py3-none-macosx_11_0_arm64.whl", hash = "sha256:f313b5800483770bd540cddac7c90fc46f895f427b7820f18fe1822697f1fec9"},
+    {file = "ruff-0.9.6-py3-none-macosx_11_0_arm64.whl", hash = "sha256:b109c0ad2ececf42e75fa99dc4043ff72a357436bb171900714a9ea581ddef83"},
-    {file = "ruff-0.9.7-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:042ae32b41343888f59c0a4148f103208bf6b21c90118d51dc93a68366f4e903"},
+    {file = "ruff-0.9.6-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1de4367cca3dac99bcbd15c161404e849bb0bfd543664db39232648dc00112dc"},
-    {file = "ruff-0.9.7-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:87862589373b33cc484b10831004e5e5ec47dc10d2b41ba770e837d4f429d721"},
+    {file = "ruff-0.9.6-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ac3ee4d7c2c92ddfdaedf0bf31b2b176fa7aa8950efc454628d477394d35638b"},
-    {file = "ruff-0.9.7-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a17e1e01bee0926d351a1ee9bc15c445beae888f90069a6192a07a84af544b6b"},
+    {file = "ruff-0.9.6-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:5dc1edd1775270e6aa2386119aea692039781429f0be1e0949ea5884e011aa8e"},
-    {file = "ruff-0.9.7-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:7c1f880ac5b2cbebd58b8ebde57069a374865c73f3bf41f05fe7a179c1c8ef22"},
+    {file = "ruff-0.9.6-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:4a091729086dffa4bd070aa5dab7e39cc6b9d62eb2bef8f3d91172d30d599666"},
-    {file = "ruff-0.9.7-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e63fc20143c291cab2841dbb8260e96bafbe1ba13fd3d60d28be2c71e312da49"},
+    {file = "ruff-0.9.6-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d1bbc6808bf7b15796cef0815e1dfb796fbd383e7dbd4334709642649625e7c5"},
-    {file = "ruff-0.9.7-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:91ff963baed3e9a6a4eba2a02f4ca8eaa6eba1cc0521aec0987da8d62f53cbef"},
+    {file = "ruff-0.9.6-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:589d1d9f25b5754ff230dce914a174a7c951a85a4e9270613a2b74231fdac2f5"},
-    {file = "ruff-0.9.7-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:88362e3227c82f63eaebf0b2eff5b88990280fb1ecf7105523883ba8c3aaf6fb"},
+    {file = "ruff-0.9.6-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:dc61dd5131742e21103fbbdcad683a8813be0e3c204472d520d9a5021ca8b217"},
-    {file = "ruff-0.9.7-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:0372c5a90349f00212270421fe91874b866fd3626eb3b397ede06cd385f6f7e0"},
+    {file = "ruff-0.9.6-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:5e2d9126161d0357e5c8f30b0bd6168d2c3872372f14481136d13de9937f79b6"},
-    {file = "ruff-0.9.7-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:d76b8ab60e99e6424cd9d3d923274a1324aefce04f8ea537136b8398bbae0a62"},
+    {file = "ruff-0.9.6-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:68660eab1a8e65babb5229a1f97b46e3120923757a68b5413d8561f8a85d4897"},
-    {file = "ruff-0.9.7-py3-none-musllinux_1_2_i686.whl", hash = "sha256:0c439bdfc8983e1336577f00e09a4e7a78944fe01e4ea7fe616d00c3ec69a3d0"},
+    {file = "ruff-0.9.6-py3-none-musllinux_1_2_i686.whl", hash = "sha256:c4cae6c4cc7b9b4017c71114115db0445b00a16de3bcde0946273e8392856f08"},
-    {file = "ruff-0.9.7-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:115d1f15e8fdd445a7b4dc9a30abae22de3f6bcabeb503964904471691ef7606"},
+    {file = "ruff-0.9.6-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:19f505b643228b417c1111a2a536424ddde0db4ef9023b9e04a46ed8a1cb4656"},
-    {file = "ruff-0.9.7-py3-none-win32.whl", hash = "sha256:e9ece95b7de5923cbf38893f066ed2872be2f2f477ba94f826c8defdd6ec6b7d"},
+    {file = "ruff-0.9.6-py3-none-win32.whl", hash = "sha256:194d8402bceef1b31164909540a597e0d913c0e4952015a5b40e28c146121b5d"},
-    {file = "ruff-0.9.7-py3-none-win_amd64.whl", hash = "sha256:3770fe52b9d691a15f0b87ada29c45324b2ace8f01200fb0c14845e499eb0c2c"},
+    {file = "ruff-0.9.6-py3-none-win_amd64.whl", hash = "sha256:03482d5c09d90d4ee3f40d97578423698ad895c87314c4de39ed2af945633caa"},
-    {file = "ruff-0.9.7-py3-none-win_arm64.whl", hash = "sha256:b075a700b2533feb7a01130ff656a4ec0d5f340bb540ad98759b8401c32c2037"},
+    {file = "ruff-0.9.6-py3-none-win_arm64.whl", hash = "sha256:0e2bb706a2be7ddfea4a4af918562fdc1bcb16df255e5fa595bbd800ce322a5a"},
-    {file = "ruff-0.9.7.tar.gz", hash = "sha256:643757633417907510157b206e490c3aa11cab0c087c912f60e07fbafa87a4c6"},
+    {file = "ruff-0.9.6.tar.gz", hash = "sha256:81761592f72b620ec8fa1068a6fd00e98a5ebee342a3642efd84454f3031dca9"},
 ]
 [[package]]
@ -4608,13 +4609,13 @@ django-query = ["django (>=3.2)"]
 [[package]]
 name = "selenium"
-version = "4.29.0"
+version = "4.28.1"
 description = "Official Python bindings for Selenium WebDriver"
 optional = false
 python-versions = ">=3.9"
 files = [
-    {file = "selenium-4.29.0-py3-none-any.whl", hash = "sha256:ce5d26f1ddc1111641113653af33694c13947dd36c2df09cdd33f554351d372e"},
+    {file = "selenium-4.28.1-py3-none-any.whl", hash = "sha256:4238847e45e24e4472cfcf3554427512c7aab9443396435b1623ef406fff1cc1"},
-    {file = "selenium-4.29.0.tar.gz", hash = "sha256:3a62f7ec33e669364a6c0562a701deb69745b569c50d55f1a912bf8eb33358ba"},
+    {file = "selenium-4.28.1.tar.gz", hash = "sha256:0072d08670d7ec32db901bd0107695a330cecac9f196e3afb3fa8163026e022a"},
 ]
 [package.dependencies]
@ -4707,96 +4708,96 @@ tests = ["coverage[toml] (>=5.0.2)", "pytest"]
 [[package]]
 name = "setproctitle"
-version = "1.3.5"
+version = "1.3.4"
 description = "A Python module to customize the process title"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "setproctitle-1.3.5-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:02870e0cb0de7f68a7a8a5b23c2bc0ce63821cab3d9b126f9be80bb6cd674c80"},
+    {file = "setproctitle-1.3.4-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:0f6661a69c68349172ba7b4d5dd65fec2b0917abc99002425ad78c3e58cf7595"},
-    {file = "setproctitle-1.3.5-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:55b278135be742b8901067479626d909f6613bd2d2c4fd0de6bb46f80e07a919"},
+    {file = "setproctitle-1.3.4-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:754bac5e470adac7f7ec2239c485cd0b75f8197ca8a5b86ffb20eb3a3676cc42"},
-    {file = "setproctitle-1.3.5-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:53fc971f7bf7a674f571a23cdec70f2f0ac88152c59c06aa0808d0be6d834046"},
+    {file = "setproctitle-1.3.4-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f7bc7088c15150745baf66db62a4ced4507d44419eb66207b609f91b64a682af"},
-    {file = "setproctitle-1.3.5-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:fb0500e1bc6f00b8ba696c3743ddff14c8679e3c2ca9d292c008ac51488d17cf"},
+    {file = "setproctitle-1.3.4-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a46ef3ecf61e4840fbc1145fdd38acf158d0da7543eda7b773ed2b30f75c2830"},
-    {file = "setproctitle-1.3.5-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:995b3ac1b5fe510f4e1d1c19ebf19f4bceb448f2d6e8d99ea23f33cb6f1a277e"},
+    {file = "setproctitle-1.3.4-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ffcb09d5c0ffa043254ec9a734a73f3791fec8bf6333592f906bb2e91ed2af1a"},
-    {file = "setproctitle-1.3.5-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a5a05e2c3fdfbda32b9c9da72d0506398d1efb5bd2c5981b9e12d3622eb3d4f9"},
+    {file = "setproctitle-1.3.4-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:06c16b7a91cdc5d700271899e4383384a61aae83a3d53d0e2e5a266376083342"},
-    {file = "setproctitle-1.3.5-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:310c7f4ca4c8476a9840b2cd4b22ee602a49a3c902fdcd2dd8284685abd10a9a"},
+    {file = "setproctitle-1.3.4-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:9f9732e59863eaeedd3feef94b2b216cb86d40dda4fad2d0f0aaec3b31592716"},
-    {file = "setproctitle-1.3.5-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:867af4a5c3d85484fbcc50ea88bcd375acf709cff88a3259575361849c0da351"},
+    {file = "setproctitle-1.3.4-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:e152f4ab9ea1632b5fecdd87cee354f2b2eb6e2dfc3aceb0eb36a01c1e12f94c"},
-    {file = "setproctitle-1.3.5-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:8ec0a7fe9f1ba90900144489bc93ce7dd4dec3f3df1e7f188c9e58364fe4a4c5"},
+    {file = "setproctitle-1.3.4-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:020ea47a79b2bbd7bd7b94b85ca956ba7cb026e82f41b20d2e1dac4008cead25"},
-    {file = "setproctitle-1.3.5-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:aaee7acba2733a14a886488b7495bfec4a8d6407124c04a0946dbde1684230a3"},
+    {file = "setproctitle-1.3.4-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:8c52b12b10e4057fc302bd09cb3e3f28bb382c30c044eb3396e805179a8260e4"},
-    {file = "setproctitle-1.3.5-cp310-cp310-win32.whl", hash = "sha256:bd2cccd972e4282af4ce2c13cd9ebdf07be157eabafd8ce648fffdc8ae6fbe28"},
+    {file = "setproctitle-1.3.4-cp310-cp310-win32.whl", hash = "sha256:a65a147f545f3fac86f11acb2d0b316d3e78139a9372317b7eb50561b2817ba0"},
-    {file = "setproctitle-1.3.5-cp310-cp310-win_amd64.whl", hash = "sha256:81f2328ac34c9584e1e5f87eea916c0bc48476a06606a07debae07acdd7ab5ea"},
+    {file = "setproctitle-1.3.4-cp310-cp310-win_amd64.whl", hash = "sha256:66821fada6426998762a3650a37fba77e814a249a95b1183011070744aff47f6"},
-    {file = "setproctitle-1.3.5-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:1c8dcc250872385f2780a5ea58050b58cbc8b6a7e8444952a5a65c359886c593"},
+    {file = "setproctitle-1.3.4-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:f0f749f07002c2d6fecf37cedc43207a88e6c651926a470a5f229070cf791879"},
-    {file = "setproctitle-1.3.5-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:ca82fae9eb4800231dd20229f06e8919787135a5581da245b8b05e864f34cc8b"},
+    {file = "setproctitle-1.3.4-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:90ea8d302a5d30b948451d146e94674a3c5b020cc0ced9a1c28f8ddb0f203a5d"},
-    {file = "setproctitle-1.3.5-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0424e1d33232322541cb36fb279ea5242203cd6f20de7b4fb2a11973d8e8c2ce"},
+    {file = "setproctitle-1.3.4-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f859c88193ed466bee4eb9d45fbc29d2253e6aa3ccd9119c9a1d8d95f409a60d"},
-    {file = "setproctitle-1.3.5-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:fec8340ab543144d04a9d805d80a0aad73fdeb54bea6ff94e70d39a676ea4ec0"},
+    {file = "setproctitle-1.3.4-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b3afa5a0ed08a477ded239c05db14c19af585975194a00adf594d48533b23701"},
-    {file = "setproctitle-1.3.5-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:eab441c89f181271ab749077dcc94045a423e51f2fb0b120a1463ef9820a08d0"},
+    {file = "setproctitle-1.3.4-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:10a78fce9018cc3e9a772b6537bbe3fe92380acf656c9f86db2f45e685af376e"},
-    {file = "setproctitle-1.3.5-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d2c371550a2288901a0dcd84192691ebd3197a43c95f3e0b396ed6d1cedf5c6c"},
+    {file = "setproctitle-1.3.4-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5d758e2eed2643afac5f2881542fbb5aa97640b54be20d0a5ed0691d02f0867d"},
-    {file = "setproctitle-1.3.5-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:78288ff5f9c415c56595b2257ad218936dd9fa726b36341b373b31ca958590fe"},
+    {file = "setproctitle-1.3.4-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:ef133a1a2ee378d549048a12d56f4ef0e2b9113b0b25b6b77821e9af94d50634"},
-    {file = "setproctitle-1.3.5-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:f1f13a25fc46731acab518602bb1149bfd8b5fabedf8290a7c0926d61414769d"},
+    {file = "setproctitle-1.3.4-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:1d2a154b79d5fb42d1eff06e05e22f0e8091261d877dd47b37d31352b74ecc37"},
-    {file = "setproctitle-1.3.5-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:1534d6cd3854d035e40bf4c091984cbdd4d555d7579676d406c53c8f187c006f"},
+    {file = "setproctitle-1.3.4-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:202eae632815571297833876a0f407d0d9c7ad9d843b38adbe687fe68c5192ee"},
-    {file = "setproctitle-1.3.5-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:62a01c76708daac78b9688ffb95268c57cb57fa90b543043cda01358912fe2db"},
+    {file = "setproctitle-1.3.4-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:2b0080819859e80a7776ac47cf6accb4b7ad313baf55fabac89c000480dcd103"},
-    {file = "setproctitle-1.3.5-cp311-cp311-win32.whl", hash = "sha256:ea07f29735d839eaed985990a0ec42c8aecefe8050da89fec35533d146a7826d"},
+    {file = "setproctitle-1.3.4-cp311-cp311-win32.whl", hash = "sha256:9c9d7d1267dee8c6627963d9376efa068858cfc8f573c083b1b6a2d297a8710f"},
-    {file = "setproctitle-1.3.5-cp311-cp311-win_amd64.whl", hash = "sha256:ab3ae11e10d13d514d4a5a15b4f619341142ba3e18da48c40e8614c5a1b5e3c3"},
+    {file = "setproctitle-1.3.4-cp311-cp311-win_amd64.whl", hash = "sha256:475986ddf6df65d619acd52188336a20f616589403f5a5ceb3fc70cdc137037a"},
-    {file = "setproctitle-1.3.5-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:523424b9be4dea97d95b8a584b183f35c7bab2d0a3d995b01febf5b8a8de90e4"},
+    {file = "setproctitle-1.3.4-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:d06990dcfcd41bb3543c18dd25c8476fbfe1f236757f42fef560f6aa03ac8dfc"},
-    {file = "setproctitle-1.3.5-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:b6ec1d86c1b4d7b5f2bdceadf213310cf24696b82480a2a702194b8a0bfbcb47"},
+    {file = "setproctitle-1.3.4-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:317218c9d8b17a010ab2d2f0851e8ef584077a38b1ba2b7c55c9e44e79a61e73"},
-    {file = "setproctitle-1.3.5-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ea6c505264275a43e9b2acd2acfc11ac33caf52bc3167c9fced4418a810f6b1c"},
+    {file = "setproctitle-1.3.4-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cb5fefb53b9d9f334a5d9ec518a36b92a10b936011ac8a6b6dffd60135f16459"},
-    {file = "setproctitle-1.3.5-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0b91e68e6685998e6353f296100ecabc313a6cb3e413d66a03d74b988b61f5ff"},
+    {file = "setproctitle-1.3.4-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0855006261635e8669646c7c304b494b6df0a194d2626683520103153ad63cc9"},
-    {file = "setproctitle-1.3.5-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bc1fda208ae3a2285ad27aeab44c41daf2328abe58fa3270157a739866779199"},
+    {file = "setproctitle-1.3.4-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1a88e466fcaee659679c1d64dcb2eddbcb4bfadffeb68ba834d9c173a25b6184"},
-    {file = "setproctitle-1.3.5-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:828727d220e46f048b82289018300a64547b46aaed96bf8810c05fe105426b41"},
+    {file = "setproctitle-1.3.4-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f963b6ed8ba33eda374a98d979e8a0eaf21f891b6e334701693a2c9510613c4c"},
-    {file = "setproctitle-1.3.5-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:83b016221cf80028b2947be20630faa14e3e72a403e35f0ba29550b4e856767b"},
+    {file = "setproctitle-1.3.4-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:122c2e05697fa91f5d23f00bbe98a9da1bd457b32529192e934095fadb0853f1"},
-    {file = "setproctitle-1.3.5-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:6d8a411e752e794d052434139ca4234ffeceeb8d8d8ddc390a9051d7942b2726"},
+    {file = "setproctitle-1.3.4-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:1bba0a866f5895d5b769d8c36b161271c7fd407e5065862ab80ff91c29fbe554"},
-    {file = "setproctitle-1.3.5-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:50cfbf86b9c63a2c2903f1231f0a58edeb775e651ae1af84eec8430b0571f29b"},
+    {file = "setproctitle-1.3.4-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:97f1f861998e326e640708488c442519ad69046374b2c3fe9bcc9869b387f23c"},
-    {file = "setproctitle-1.3.5-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:f3b5e2eacd572444770026c9dd3ddc7543ce427cdf452d40a408d1e95beefb30"},
+    {file = "setproctitle-1.3.4-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:726aee40357d4bdb70115442cb85ccc8e8bc554fc0bbbaa3a57cbe81df42287d"},
-    {file = "setproctitle-1.3.5-cp312-cp312-win32.whl", hash = "sha256:cf4e3ded98027de2596c6cc5bbd3302adfb3ca315c848f56516bb0b7e88de1e9"},
+    {file = "setproctitle-1.3.4-cp312-cp312-win32.whl", hash = "sha256:04d6ba8b816dbb0bfd62000b0c3e583160893e6e8c4233e1dca1a9ae4d95d924"},
-    {file = "setproctitle-1.3.5-cp312-cp312-win_amd64.whl", hash = "sha256:f7a8c01ffd013dda2bed6e7d5cb59fbb609e72f805abf3ee98360f38f7758d9b"},
+    {file = "setproctitle-1.3.4-cp312-cp312-win_amd64.whl", hash = "sha256:9c76e43cb351ba8887371240b599925cdf3ecececc5dfb7125c71678e7722c55"},
-    {file = "setproctitle-1.3.5-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:162fd76781f57f42ddf27c475e5fef6a8df4fdd69b28dd554e53e2eb2bfe0f95"},
+    {file = "setproctitle-1.3.4-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:d6e3b177e634aa6bbbfbf66d097b6d1cdb80fc60e912c7d8bace2e45699c07dd"},
-    {file = "setproctitle-1.3.5-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:4969d996bdfbe23bbd023cd0bae6c73a27371615c4ec5296a60cecce268659ef"},
+    {file = "setproctitle-1.3.4-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:6b17655a5f245b416e127e02087ea6347a48821cc4626bc0fd57101bfcd88afc"},
-    {file = "setproctitle-1.3.5-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bd70c95a94473216e7c7a7a1f7d8ecbaca5b16d4ba93ddbfd32050fc485a8451"},
+    {file = "setproctitle-1.3.4-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fa5057a86df920faab8ee83960b724bace01a3231eb8e3f2c93d78283504d598"},
-    {file = "setproctitle-1.3.5-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7a887582bfdb6dcbc482db0ef9e630ad23ca95875806ef2b444bf6fbd7b7d7ca"},
+    {file = "setproctitle-1.3.4-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:149fdfb8a26a555780c4ce53c92e6d3c990ef7b30f90a675eca02e83c6d5f76d"},
-    {file = "setproctitle-1.3.5-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:755671c39a9e70834eeec6dc6b61e344399c49881d2e7ea3534a1c69669dd9cc"},
+    {file = "setproctitle-1.3.4-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ded03546938a987f463c68ab98d683af87a83db7ac8093bbc179e77680be5ba2"},
-    {file = "setproctitle-1.3.5-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9ab52b4c2ce056a1b60d439991a81ca90f019488d4b4f64b2779e6badd3677e6"},
+    {file = "setproctitle-1.3.4-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8ab9f5b7f2bbc1754bc6292d9a7312071058e5a891b0391e6d13b226133f36aa"},
-    {file = "setproctitle-1.3.5-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:36178b944019ec7fc52bb967ffeee296a11d373734a7be276755bedb3db5c141"},
+    {file = "setproctitle-1.3.4-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:0b19813c852566fa031902124336fa1f080c51e262fc90266a8c3d65ca47b74c"},
-    {file = "setproctitle-1.3.5-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:269d41cd4f085b69821d1ee6599124f02dbbc79962b256e260b6c9021d037994"},
+    {file = "setproctitle-1.3.4-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:db78b645dc63c0ccffca367a498f3b13492fb106a2243a1e998303ba79c996e2"},
-    {file = "setproctitle-1.3.5-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:d880630fd81d1b3bde121c352ca7ea2f2ff507ef40c3c011d0928ed491f912c9"},
+    {file = "setproctitle-1.3.4-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:b669aaac70bd9f03c070270b953f78d9ee56c4af6f0ff9f9cd3e6d1878c10b40"},
-    {file = "setproctitle-1.3.5-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:8a7fed67ab49f60bd51f3b4cffff3f8d754d1bb0a40e42869911301ec6519b65"},
+    {file = "setproctitle-1.3.4-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:6dc3d656702791565994e64035a208be56b065675a5bc87b644c657d6d9e2232"},
-    {file = "setproctitle-1.3.5-cp313-cp313-win32.whl", hash = "sha256:e9c0d0cfcf715631b10d5950d04a9978f63bc46535724ef7c2eaf1dca9988642"},
+    {file = "setproctitle-1.3.4-cp313-cp313-win32.whl", hash = "sha256:091f682809a4d12291cf0205517619d2e7014986b7b00ebecfde3d76f8ae5a8f"},
-    {file = "setproctitle-1.3.5-cp313-cp313-win_amd64.whl", hash = "sha256:e1d28eb98c91fbebd3e443a45c7da5d84974959851ef304c330eabd654a386f1"},
+    {file = "setproctitle-1.3.4-cp313-cp313-win_amd64.whl", hash = "sha256:adcd6ba863a315702184d92d3d3bbff290514f24a14695d310f02ae5e28bd1f7"},
-    {file = "setproctitle-1.3.5-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:8995a1217b52d11d92bafd069961a47c5e13d8751ca976a32b3ecbbd471eaf9b"},
+    {file = "setproctitle-1.3.4-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:acf41cf91bbc5a36d1fa4455a818bb02bf2a4ccfed2f892ba166ba2fcbb0ec8a"},
-    {file = "setproctitle-1.3.5-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:ae2ce64ea87837c4e3e65a7a232ff80cf09aa7d916e74cb34a245c47fcd87981"},
+    {file = "setproctitle-1.3.4-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:ceb3ce3262b0e8e088e4117175591b7a82b3bdc5e52e33b1e74778b5fb53fd38"},
-    {file = "setproctitle-1.3.5-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:20b84de1780bbb0adc67560a113a0ea57e6ecfce2325680de8efe6c2a2f781ac"},
+    {file = "setproctitle-1.3.4-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2b2ef636a6a25fe7f3d5a064bea0116b74a4c8c7df9646b17dc7386c439a26cf"},
-    {file = "setproctitle-1.3.5-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1b1d2628ac9868f960d7e87b3a9b2bb337104c3644b699e52e01efd7e106e4fe"},
+    {file = "setproctitle-1.3.4-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:28b8614de08679ae95bc4e8d6daaef6b61afdf027fa0d23bf13d619000286b3c"},
-    {file = "setproctitle-1.3.5-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:fa912c4d08c66afda30dd5af8f2e9c59065dfc36a51edbd5419c3a7c962875aa"},
+    {file = "setproctitle-1.3.4-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:24f3c8be826a7d44181eac2269b15b748b76d98cd9a539d4c69f09321dcb5c12"},
-    {file = "setproctitle-1.3.5-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:dc4f783e100f8b451cd92fcabd3b831edfb1f7cb02be4a79b972f138e0001885"},
+    {file = "setproctitle-1.3.4-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fc9d79b1bf833af63b7c720a6604eb16453ac1ad4e718eb8b59d1f97d986b98c"},
-    {file = "setproctitle-1.3.5-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:8ca56e39d10b6758046694a84950e5c5570a034c409ef3337595f64fc2cfa94d"},
+    {file = "setproctitle-1.3.4-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:fb693000b65842c85356b667d057ae0d0bac6519feca7e1c437cc2cfeb0afc59"},
-    {file = "setproctitle-1.3.5-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:8915d69260ba6a6aaf9a48f6b53dbf9f8e4dc0cb4ae25bc5edb16a1666b6e47c"},
+    {file = "setproctitle-1.3.4-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:a166251b8fbc6f2755e2ce9d3c11e9edb0c0c7d2ed723658ff0161fbce26ac1c"},
-    {file = "setproctitle-1.3.5-cp38-cp38-musllinux_1_2_ppc64le.whl", hash = "sha256:7edd4fbb9fd17ed0e5a7f8bde9fa61c3987a34372084c45bab4eab6a2e554762"},
+    {file = "setproctitle-1.3.4-cp38-cp38-musllinux_1_2_ppc64le.whl", hash = "sha256:0361428e6378911a378841509c56ba472d991cbed1a7e3078ec0cacc103da44a"},
-    {file = "setproctitle-1.3.5-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:d0b19fd76d46b8096a463724739c3b09cf5ce38317f559f56f424f6ce7158de3"},
+    {file = "setproctitle-1.3.4-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:62d66e0423e3bd520b4c897063506b309843a8d07343fbfad04197e91a4edd28"},
-    {file = "setproctitle-1.3.5-cp38-cp38-win32.whl", hash = "sha256:53ce572cdbd43a0bed2aa24299cd823ebf233a7fa720cc7f8634728c213679c0"},
+    {file = "setproctitle-1.3.4-cp38-cp38-win32.whl", hash = "sha256:5edd01909348f3b0b2da329836d6b5419cd4869fec2e118e8ff3275b38af6267"},
-    {file = "setproctitle-1.3.5-cp38-cp38-win_amd64.whl", hash = "sha256:a58f00f35d6038ce1e8a9e5f87cb5ecce13ce118c5977a603566ad1fccc8d2cb"},
+    {file = "setproctitle-1.3.4-cp38-cp38-win_amd64.whl", hash = "sha256:59e0dda9ad245921af0328035a961767026e1fa94bb65957ab0db0a0491325d6"},
-    {file = "setproctitle-1.3.5-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:c4b299b5bbadf00034978b8d741c85af25173146747eb9dab22596ec805a52d6"},
+    {file = "setproctitle-1.3.4-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:bdaaa81a6e95a0a19fba0285f10577377f3503ae4e9988b403feba79da3e2f80"},
-    {file = "setproctitle-1.3.5-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:d57e7626329d4fb138da5ce15270b08a91326969956fb19c7a8fec2639066704"},
+    {file = "setproctitle-1.3.4-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:4ee5b19a2d794463bcc19153dfceede7beec784b4cf7967dec0bc0fc212ab3a3"},
-    {file = "setproctitle-1.3.5-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4272295721cf1fd2acf960b674d6dc09bec87f2a1e48995817b4ec4a3d483faf"},
+    {file = "setproctitle-1.3.4-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3058a1bb0c767b3a6ccbb38b27ef870af819923eb732e21e44a3f300370fe159"},
-    {file = "setproctitle-1.3.5-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f8305b6e6c203222c61318f338f1de08269ec66c247bf251593c215ff1fbeaf9"},
+    {file = "setproctitle-1.3.4-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5a97d37ee4fe0d1c6e87d2a97229c27a88787a8f4ebfbdeee95f91b818e52efe"},
-    {file = "setproctitle-1.3.5-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:becc9f3f605936506d2bd63d9cf817b7ee66b10d204184c4a633064dbed579d6"},
+    {file = "setproctitle-1.3.4-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6e61dd7d05da11fc69bb86d51f1e0ee08f74dccf3ecf884c94de41135ffdc75d"},
-    {file = "setproctitle-1.3.5-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4629de80c47155a26e8d87a0a92d9428aa8d79ccfe2c20fd18888580619704e1"},
+    {file = "setproctitle-1.3.4-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1eb115d53dc2a1299ae72f1119c96a556db36073bacb6da40c47ece5db0d9587"},
-    {file = "setproctitle-1.3.5-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:f1af1d310b5b6cda692da52bd862a9833086c0a3f8380fa92505dd23857dcf60"},
+    {file = "setproctitle-1.3.4-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:342570716e2647a51ea859b8a9126da9dc1a96a0153c9c0a3514effd60ab57ad"},
-    {file = "setproctitle-1.3.5-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:3bb6ea3d6e690677619508050bc681d86223723bdf67e4e8a8dffc3d04ca3044"},
+    {file = "setproctitle-1.3.4-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:0ad212ae2b03951367a69584af034579b34e1e4199a75d377ef9f8e08ee299b1"},
-    {file = "setproctitle-1.3.5-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:322067ef1ffe70d297b00bee8a3862fed96021aa4318e3bce2d7c3bfa7a8d1e7"},
+    {file = "setproctitle-1.3.4-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:4afcb38e22122465013f4621b7e9ff8d42a7a48ae0ffeb94133a806cb91b4aad"},
-    {file = "setproctitle-1.3.5-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:1b58d49c32a46c48dcc2812635a89e6bee31139b03818da49a0bbaeaf01edef9"},
+    {file = "setproctitle-1.3.4-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:30bb223e6c3f95ad9e9bb2a113292759e947d1cfd60dbd4adb55851c370006b2"},
-    {file = "setproctitle-1.3.5-cp39-cp39-win32.whl", hash = "sha256:707c23d4a88f5e66f1005d93558bf84eb45fc0fb0c4f33480a0c7d0895e8e848"},
+    {file = "setproctitle-1.3.4-cp39-cp39-win32.whl", hash = "sha256:5f0521ed3bb9f02e9486573ea95e2062cd6bf036fa44e640bd54a06f22d85f35"},
-    {file = "setproctitle-1.3.5-cp39-cp39-win_amd64.whl", hash = "sha256:c64199a73d442a06d372b5286942229a43e86fa41bf36f317dcc60c036aff0bb"},
+    {file = "setproctitle-1.3.4-cp39-cp39-win_amd64.whl", hash = "sha256:0baadeb27f9e97e65922b4151f818b19c311d30b9efdb62af0e53b3db4006ce2"},
-    {file = "setproctitle-1.3.5-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:dc66b84beb0d5eb03abf0c3140c6d2cbe3d67ae9f0824a09dfa8c6ff164319a6"},
+    {file = "setproctitle-1.3.4-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:939d364a187b2adfbf6ae488664277e717d56c7951a4ddeb4f23b281bc50bfe5"},
-    {file = "setproctitle-1.3.5-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:31dc9b330e7cac7685bdef790747c07914081c11ee1066eb0c597303dfb52010"},
+    {file = "setproctitle-1.3.4-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:cb8a6a19be0cbf6da6fcbf3698b76c8af03fe83e4bd77c96c3922be3b88bf7da"},
-    {file = "setproctitle-1.3.5-pp310-pypy310_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4028639b511f5e641d116b3b54ad70c637ebd1b4baac0948283daf11b104119f"},
+    {file = "setproctitle-1.3.4-pp310-pypy310_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:779006f9e1aade9522a40e8d9635115ab15dd82b7af8e655967162e9c01e2573"},
-    {file = "setproctitle-1.3.5-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:6bddef4e27d0ed74e44b58bf050bc3108591bf17d20d461fc59cd141282f849c"},
+    {file = "setproctitle-1.3.4-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:5519f2a7b8c535b0f1f77b30441476571373add72008230c81211ee17b423b57"},
-    {file = "setproctitle-1.3.5-pp38-pypy38_pp73-macosx_11_0_arm64.whl", hash = "sha256:9996be1d1df399c3cdc6d72ce0064e46bc74fc6e29fe16a328511a303dd4d418"},
+    {file = "setproctitle-1.3.4-pp38-pypy38_pp73-macosx_11_0_arm64.whl", hash = "sha256:743836d484151334ebba1490d6907ca9e718fe815dcd5756f2a01bc3067d099c"},
-    {file = "setproctitle-1.3.5-pp38-pypy38_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:5cefc2dbdc48121022c3c05644cd3706f08e0b3c0ce07814d3c04daba0617936"},
+    {file = "setproctitle-1.3.4-pp38-pypy38_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:abda20aff8d1751e48d7967fa8945fef38536b82366c49be39b83678d4be3893"},
-    {file = "setproctitle-1.3.5-pp38-pypy38_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cef63879c79a570aabf7c158f453bf8d1285f0fda4b6b9b7a52d64b49c084d40"},
+    {file = "setproctitle-1.3.4-pp38-pypy38_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1a2041b5788ce52f218b5be94af458e04470f997ab46fdebd57cf0b8374cc20e"},
-    {file = "setproctitle-1.3.5-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:a863296a31fb578726c570314cb78ff3a3fddb65963dc01ea33731760f20a92c"},
+    {file = "setproctitle-1.3.4-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:2c3b1ce68746557aa6e6f4547e76883925cdc7f8d7c7a9f518acd203f1265ca5"},
-    {file = "setproctitle-1.3.5-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:b63bda3cb4b6526720dc7c6940b891c593f41771d119aeb8763875801ce2296d"},
+    {file = "setproctitle-1.3.4-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:0b6a4cbabf024cb263a45bdef425760f14470247ff223f0ec51699ca9046c0fe"},
-    {file = "setproctitle-1.3.5-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:95913af603da5b4c7635bf1fb67ecc5df7c18360b6cfb6740fd743bb150a6e17"},
+    {file = "setproctitle-1.3.4-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3e55d7ecc68bdc80de5a553691a3ed260395d5362c19a266cf83cbb4e046551f"},
-    {file = "setproctitle-1.3.5-pp39-pypy39_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:36b130cf8fe76dc05ad1d48cc9ff3699eb1f0d8edbf6f46a3ce46a7041e49d7b"},
+    {file = "setproctitle-1.3.4-pp39-pypy39_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:02ca3802902d91a89957f79da3ec44b25b5804c88026362cb85eea7c1fbdefd1"},
-    {file = "setproctitle-1.3.5-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:fe3bfd5e51c24349d022e062a96c316a1b8862ea9a0cf5ea2a8b2ae008b77cec"},
+    {file = "setproctitle-1.3.4-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:47669fc8ed8b27baa2d698104732234b5389f6a59c37c046f6bcbf9150f7a94e"},
-    {file = "setproctitle-1.3.5.tar.gz", hash = "sha256:1e6eaeaf8a734d428a95d8c104643b39af7d247d604f40a7bebcf3960a853c5e"},
+    {file = "setproctitle-1.3.4.tar.gz", hash = "sha256:3b40d32a3e1f04e94231ed6dfee0da9e43b4f9c6b5450d53e6dd7754c34e0c50"},
 ]
 [package.extras]
@ -5006,13 +5007,13 @@ wsproto = ">=0.14"
 [[package]]
 name = "twilio"
-version = "9.4.6"
+version = "9.4.5"
 description = "Twilio API client and TwiML generator"
 optional = false
 python-versions = ">=3.7.0"
 files = [
-    {file = "twilio-9.4.6-py2.py3-none-any.whl", hash = "sha256:6d7d677fa9ded4ee0c366ad0155a1e0af51e129109af603b6ec9cdc8826a5c37"},
+    {file = "twilio-9.4.5-py2.py3-none-any.whl", hash = "sha256:284295946a5dcdaae65de9116c35db9065e1f3bd237d81da05b89fe1825013c6"},
-    {file = "twilio-9.4.6.tar.gz", hash = "sha256:ff33a6c3609f4a0769d02c4eb75f7ab55ff2ba962762b076cd39ef7da56fdaa4"},
+    {file = "twilio-9.4.5.tar.gz", hash = "sha256:8db69103a850cd05aaaa6bfb6952ef7a5d784aaff83f01d9a0c594b5ce784cd1"},
 ]
 [package.dependencies]
@ -5853,13 +5854,12 @@ testing = ["coverage (>=5.0.3)", "zope.event", "zope.testing"]
 [[package]]
 name = "zxcvbn"
-version = "4.5.0"
+version = "4.4.28"
 description = ""
 optional = false
 python-versions = "*"
 files = [
-    {file = "zxcvbn-4.5.0-py2.py3-none-any.whl", hash = "sha256:2b6eed621612ce6d65e6e4c7455b966acee87d0280e257956b1f06ccc66bd5ff"},
+    {file = "zxcvbn-4.4.28.tar.gz", hash = "sha256:151bd816817e645e9064c354b13544f85137ea3320ca3be1fb6873ea75ef7dc1"},
    {file = "zxcvbn-4.5.0.tar.gz", hash = "sha256:70392c0fff39459d7f55d0211151401e79e76fcc6e2c22b61add62900359c7c1"},
 ]
 [metadata]
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2025.2.0"
+version = "2025.2.1"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2025.2.0
+  version: 2025.2.1
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
--- a/scripts/api-ts-templates/README.mustache
+++ b/scripts/api-ts-templates/README.mustache
@ -4,7 +4,7 @@ This package provides a generated API Client for [authentik](https://goauthentik
 ### Building
-See https://docs.goauthentik.io/docs/developer-docs/api/making-schema-changes#building-the-web-client
+See https://docs.goauthentik.io/docs/developer-docs/making-schema-changes
 ### Consuming
--- a/web/build.mjs
+++ b/web/build.mjs
@ -88,11 +88,7 @@ const baseArgs = {
    treeShaking: true,
    external: ["*.woff", "*.woff2"],
    tsconfig: "./tsconfig.json",
-    loader: {
+    loader: { ".css": "text", ".md": "text" },
        ".css": "text",
        ".md": "text",
        ".mdx": "text",
    },
    define: definitions,
    format: "esm",
    logOverride: {
--- a/web/package-lock.json
+++ b/web/package-lock.json
@ -23,7 +23,7 @@
                "@floating-ui/dom": "^1.6.11",
                "@formatjs/intl-listformat": "^7.5.7",
                "@fortawesome/fontawesome-free": "^6.6.0",
-                "@goauthentik/api": "^2025.2.0-1740418530",
+                "@goauthentik/api": "^2024.12.3-1739965710",
                "@lit-labs/ssr": "^3.2.2",
                "@lit/context": "^1.1.2",
                "@lit/localize": "^0.12.2",
@ -1814,9 +1814,9 @@
            }
        },
        "node_modules/@goauthentik/api": {
-            "version": "2025.2.0-1740418530",
+            "version": "2024.12.3-1739965710",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.2.0-1740418530.tgz",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.12.3-1739965710.tgz",
-            "integrity": "sha512-vFoIzmEuQ7sbWxIEFP7l7OwEMt8M9TqvxScyv0liQSgGd/xanc2W/R+JuOdhq9ePrCfXa1YcmuZtT41HZXFP6g=="
+            "integrity": "sha512-16zoQWeJhAFSwttvqLRoXoQA43tMW1ZXDEihW6r8rtWtlxqPh7n36RtcWYraYiLcjmJskI90zdgz6k1kmY5AXw=="
        },
        "node_modules/@goauthentik/web": {
            "resolved": "",
--- a/web/package.json
+++ b/web/package.json
@ -11,7 +11,7 @@
        "@floating-ui/dom": "^1.6.11",
        "@formatjs/intl-listformat": "^7.5.7",
        "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2025.2.0-1740418530",
+        "@goauthentik/api": "^2024.12.3-1739965710",
        "@lit-labs/ssr": "^3.2.2",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
--- a/web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
@ -4,7 +4,7 @@ import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import renderDescriptionList from "@goauthentik/components/DescriptionList";
 import "@goauthentik/components/events/ObjectChangelog";
-import MDProviderOAuth2 from "@goauthentik/docs/add-secure-apps/providers/oauth2/index.mdx";
+import MDProviderOAuth2 from "@goauthentik/docs/add-secure-apps/providers/oauth2/index.md";
 import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/EmptyState";
--- a/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
@ -13,7 +13,7 @@ import MDNginxStandalone from "@goauthentik/docs/add-secure-apps/providers/proxy
 import MDTraefikCompose from "@goauthentik/docs/add-secure-apps/providers/proxy/_traefik_compose.md";
 import MDTraefikIngress from "@goauthentik/docs/add-secure-apps/providers/proxy/_traefik_ingress.md";
 import MDTraefikStandalone from "@goauthentik/docs/add-secure-apps/providers/proxy/_traefik_standalone.md";
-import MDHeaderAuthentication from "@goauthentik/docs/add-secure-apps/providers/proxy/header_authentication.mdx";
+import MDHeaderAuthentication from "@goauthentik/docs/add-secure-apps/providers/proxy/header_authentication.md";
 import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/Markdown";
@ -118,7 +118,7 @@ export class ProxyProviderViewPage extends AKElement {
    }
    renderConfig(): TemplateResult {
-        const servers = [
+        const serves = [
            {
                label: msg("Nginx (Ingress)"),
                md: MDNginxIngress,
@ -184,7 +184,7 @@ export class ProxyProviderViewPage extends AKElement {
            },
        ];
        return html`<ak-tabs pageIdentifier="proxy-setup">
-            ${servers.map((server) => {
+            ${serves.map((server) => {
                return html`<section
                    slot="page-${convertToSlug(server.label)}"
                    data-tab-title="${server.label}"
--- a/web/src/common/constants.ts
+++ b/web/src/common/constants.ts
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2025.2.0";
+export const VERSION = "2025.2.1";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
--- a/web/src/elements/ak-dual-select/ak-dual-select-provider.ts
+++ b/web/src/elements/ak-dual-select/ak-dual-select-provider.ts
@ -1,5 +1,6 @@
 import { AkControlElement } from "@goauthentik/elements/AkControlElement.js";
 import { debounce } from "@goauthentik/elements/utils/debounce";
 import { CustomListenerElement } from "@goauthentik/elements/utils/eventEmitter";
 import { msg } from "@lit/localize";
 import { PropertyValues, html } from "lit";
@ -11,11 +12,6 @@ import type { Pagination } from "@goauthentik/api";
 import "./ak-dual-select";
 import { AkDualSelect } from "./ak-dual-select";
 import {
    DualSelectChangeEvent,
    DualSelectPaginatorNavEvent,
    DualSelectSearchEvent,
 } from "./events";
 import type { DataProvider, DualSelectPair } from "./types";
 /**
@ -30,7 +26,7 @@ import type { DataProvider, DualSelectPair } from "./types";
 */
@customElement("ak-dual-select-provider")
-export class AkDualSelectProvider extends AkControlElement {
+export class AkDualSelectProvider extends CustomListenerElement(AkControlElement) {
    /** A function that takes a page and returns the DualSelectPair[] collection with which to update
     * the "Available" pane.
     *
@ -90,9 +86,9 @@ export class AkDualSelectProvider extends AkControlElement {
        this.onNav = this.onNav.bind(this);
        this.onChange = this.onChange.bind(this);
        this.onSearch = this.onSearch.bind(this);
-        this.addEventListener(DualSelectPaginatorNavEvent.eventName, this.onNav);
+        this.addCustomListener("ak-pagination-nav-to", this.onNav);
-        this.addEventListener(DualSelectSearchEvent.eventName, this.onSearch);
+        this.addCustomListener("ak-dual-select-change", this.onChange);
-        this.addEventListener(DualSelectChangeEvent.eventName, this.onChange);
+        this.addCustomListener("ak-dual-select-search", this.onSearch);
    }
    willUpdate(changedProperties: PropertyValues<this>) {
@ -126,16 +122,26 @@ export class AkDualSelectProvider extends AkControlElement {
        this.isLoading = false;
    }
-    onNav(event: DualSelectPaginatorNavEvent) {
+    onNav(event: Event) {
-        this.fetch(event.page);
+        if (!(event instanceof CustomEvent)) {
            throw new Error(`Expecting a CustomEvent for navigation, received ${event} instead`);
        }
        this.fetch(event.detail);
    }
-    onChange(event: DualSelectChangeEvent) {
+    onChange(event: Event) {
-        this.selected = this.internalSelected = event.selected;
+        if (!(event instanceof CustomEvent)) {
            throw new Error(`Expecting a CustomEvent for change, received ${event} instead`);
        }
        this.internalSelected = event.detail.value;
        this.selected = this.internalSelected;
    }
-    onSearch(event: DualSelectSearchEvent) {
+    onSearch(event: Event) {
-        this.doSearch(event.search);
+        if (!(event instanceof CustomEvent)) {
            throw new Error(`Expecting a CustomEvent for change, received ${event} instead`);
        }
        this.doSearch(event.detail);
    }
    doSearch(search: string) {
--- a/web/src/elements/ak-dual-select/ak-dual-select.ts
+++ b/web/src/elements/ak-dual-select/ak-dual-select.ts
@ -1,5 +1,8 @@
 import { AKElement } from "@goauthentik/elements/Base";
-import { match } from "ts-pattern";
+import {
    CustomEmitterElement,
    CustomListenerElement,
 } from "@goauthentik/elements/utils/eventEmitter";
 import { msg, str } from "@lit/localize";
 import { PropertyValues, html, nothing } from "lit";
@ -20,13 +23,15 @@ import { AkDualSelectSelectedPane } from "./components/ak-dual-select-selected-p
 import "./components/ak-pagination";
 import "./components/ak-search-bar";
 import {
-    DualSelectChangeEvent,
+    EVENT_ADD_ALL,
-    DualSelectMoveRequestEvent,
+    EVENT_ADD_ONE,
-    DualSelectPanelSearchEvent,
+    EVENT_ADD_SELECTED,
-    DualSelectSearchEvent,
+    EVENT_DELETE_ALL,
-    DualSelectUpdateEvent,
+    EVENT_REMOVE_ALL,
-} from "./events";
+    EVENT_REMOVE_ONE,
-import type { BasePagination, DualSelectPair } from "./types";
+    EVENT_REMOVE_SELECTED,
 } from "./constants";
 import type { BasePagination, DualSelectPair, SearchbarEvent } from "./types";
 function alphaSort([_k1, v1, s1]: DualSelectPair, [_k2, v2, s2]: DualSelectPair) {
    const [l, r] = [s1 !== undefined ? s1 : v1, s2 !== undefined ? s2 : v2];
@ -55,7 +60,7 @@ const keyfinder =
        k === key;
@customElement("ak-dual-select")
-export class AkDualSelect extends AKElement {
+export class AkDualSelect extends CustomEmitterElement(CustomListenerElement(AKElement)) {
    static get styles() {
        return styles;
    }
@ -91,9 +96,21 @@ export class AkDualSelect extends AKElement {
        super();
        this.handleMove = this.handleMove.bind(this);
        this.handleSearch = this.handleSearch.bind(this);
-        this.addEventListener(DualSelectMoveRequestEvent.eventName, this.handleMove);
+        [
-        this.addEventListener(DualSelectUpdateEvent.eventName, () => this.requestUpdate());
+            EVENT_ADD_ALL,
-        this.addEventListener(DualSelectPanelSearchEvent.eventName, this.handleSearch);
+            EVENT_ADD_SELECTED,
            EVENT_DELETE_ALL,
            EVENT_REMOVE_ALL,
            EVENT_REMOVE_SELECTED,
            EVENT_ADD_ONE,
            EVENT_REMOVE_ONE,
        ].forEach((eventName: string) => {
            this.addCustomListener(eventName, (event: Event) => this.handleMove(eventName, event));
        });
        this.addCustomListener("ak-dual-select-move", () => {
            this.requestUpdate();
        });
        this.addCustomListener("ak-search", this.handleSearch);
    }
    willUpdate(changedProperties: PropertyValues<this>) {
@ -106,17 +123,47 @@ export class AkDualSelect extends AKElement {
        }
    }
-    handleMove(event: DualSelectMoveRequestEvent) {
+    handleMove(eventName: string, event: Event) {
-        match(event.move)
+        if (!(event instanceof CustomEvent)) {
-            .with("add-all", () => this.addAllVisible())
+            throw new Error(`Expected move event here, got ${eventName}`);
-            .with("add-one", () => this.addOne(event.key))
+        }
-            .with("add-selected", () => this.addSelected())
+
-            .with("delete-all", () => this.removeAll())
+        switch (eventName) {
-            .with("remove-all", () => this.removeAllVisible())
+            case EVENT_ADD_SELECTED: {
-            .with("remove-one", () => this.removeOne(event.key))
+                this.addSelected();
-            .with("remove-selected", () => this.removeSelected())
+                break;
-            .exhaustive();
+            }
-        this.dispatchEvent(new DualSelectChangeEvent(this.value));
+            case EVENT_REMOVE_SELECTED: {
                this.removeSelected();
                break;
            }
            case EVENT_ADD_ALL: {
                this.addAllVisible();
                break;
            }
            case EVENT_REMOVE_ALL: {
                this.removeAllVisible();
                break;
            }
            case EVENT_DELETE_ALL: {
                this.removeAll();
                break;
            }
            case EVENT_ADD_ONE: {
                this.addOne(event.detail);
                break;
            }
            case EVENT_REMOVE_ONE: {
                this.removeOne(event.detail);
                break;
            }
            default:
                throw new Error(
                    `AkDualSelect.handleMove received unknown event type: ${eventName}`,
                );
        }
        this.dispatchCustomEvent("ak-dual-select-change", { value: this.value });
        event.stopPropagation();
    }
@ -135,10 +182,7 @@ export class AkDualSelect extends AKElement {
        this.availablePane.value!.clearMove();
    }
-    addOne(key?: string) {
+    addOne(key: string) {
        if (!key) {
            return;
        }
        const requested = this.options.find(keyfinder(key));
        if (requested && !this.selected.find(keyfinder(requested[0]))) {
            this.selected = [...this.selected, requested];
@ -163,10 +207,7 @@ export class AkDualSelect extends AKElement {
        this.selectedPane.value!.clearMove();
    }
-    removeOne(key?: string) {
+    removeOne(key: string) {
        if (!key) {
            return;
        }
        this.selected = this.selected.filter(([k]) => k !== key);
    }
@ -182,18 +223,18 @@ export class AkDualSelect extends AKElement {
        this.selectedPane.value!.clearMove();
    }
-    handleSearch(event: DualSelectPanelSearchEvent) {
+    handleSearch(event: SearchbarEvent) {
-        switch (event.source) {
+        switch (event.detail.source) {
            case "ak-dual-list-available-search":
-                return this.handleAvailableSearch(event.filterOn);
+                return this.handleAvailableSearch(event.detail.value);
            case "ak-dual-list-selected-search":
-                return this.handleSelectedSearch(event.filterOn);
+                return this.handleSelectedSearch(event.detail.value);
        }
        event.stopPropagation();
    }
    handleAvailableSearch(value: string) {
-        this.dispatchEvent(new DualSelectSearchEvent(value));
+        this.dispatchCustomEvent("ak-dual-select-search", value);
    }
    handleSelectedSearch(value: string) {
--- a/web/src/elements/ak-dual-select/components/ak-dual-select-available-pane.ts
+++ b/web/src/elements/ak-dual-select/components/ak-dual-select-available-pane.ts
@ -1,19 +1,26 @@
-import { bound } from "@goauthentik/elements/decorators/bound";
+import { AKElement } from "@goauthentik/elements/Base";
 import { CustomEmitterElement } from "@goauthentik/elements/utils/eventEmitter";
 import { html, nothing } from "lit";
-import { customElement, property } from "lit/decorators.js";
+import { customElement, property, state } from "lit/decorators.js";
 import { classMap } from "lit/directives/class-map.js";
 import { map } from "lit/directives/map.js";
-import { availablePaneStyles } from "./styles.css";
+import { availablePaneStyles, listStyles } from "./styles.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFDualListSelector from "@patternfly/patternfly/components/DualListSelector/dual-list-selector.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
-import {
+import { EVENT_ADD_ONE } from "../constants";
    DualSelectMoveAvailableEvent,
    DualSelectMoveRequestEvent,
    DualSelectUpdateEvent,
 } from "../events";
 import type { DualSelectPair } from "../types";
-import { AkDualSelectAbstractPane } from "./ak-dual-select-pane";
+
 const styles = [PFBase, PFButton, PFDualListSelector, listStyles, availablePaneStyles];
 const hostAttributes = [
    ["aria-labelledby", "dual-list-selector-available-pane-status"],
    ["aria-multiselectable", "true"],
    ["role", "listbox"],
 ];
 /**
 * @element ak-dual-select-available-panel
@ -33,9 +40,9 @@ import { AkDualSelectAbstractPane } from "./ak-dual-select-pane";
 *
 */
@customElement("ak-dual-select-available-pane")
-export class AkDualSelectAvailablePane extends AkDualSelectAbstractPane {
+export class AkDualSelectAvailablePane extends CustomEmitterElement(AKElement) {
    static get styles() {
-        return [...AkDualSelectAbstractPane.styles, availablePaneStyles];
+        return styles;
    }
    /* The array of key/value pairs this pane is currently showing */
@ -49,31 +56,68 @@ export class AkDualSelectAvailablePane extends AkDualSelectAbstractPane {
    @property({ type: Object })
    readonly selected: Set<string> = new Set();
-    @bound
+    /* This is the only mutator for this object. It collects the list of objects the user has
     * clicked on *in this pane*. It is explicitly marked as "public" to emphasize that the parent
     * orchestrator for the dual-select widget can and will access it to get the list of keys to be
     * moved (removed) if the user so requests.
     *
     */
    @state()
    public toMove: Set<string> = new Set();
    constructor() {
        super();
        this.onClick = this.onClick.bind(this);
        this.onMove = this.onMove.bind(this);
    }
    connectedCallback() {
        super.connectedCallback();
        hostAttributes.forEach(([attr, value]) => {
            if (!this.hasAttribute(attr)) {
                this.setAttribute(attr, value);
            }
        });
    }
    clearMove() {
        this.toMove = new Set();
    }
    onClick(key: string) {
        if (this.selected.has(key)) {
            return;
        }
-        this.move(key);
+        if (this.toMove.has(key)) {
-        this.dispatchEvent(new DualSelectMoveAvailableEvent(this.moveable.sort()));
+            this.toMove.delete(key);
-        this.dispatchEvent(new DualSelectUpdateEvent());
+        } else {
            this.toMove.add(key);
        }
        this.dispatchCustomEvent(
            "ak-dual-select-available-move-changed",
            Array.from(this.toMove.values()).sort(),
        );
        this.dispatchCustomEvent("ak-dual-select-move");
        // Necessary because updating a map won't trigger a state change
        this.requestUpdate();
    }
    @bound
    onMove(key: string) {
        this.toMove.delete(key);
-        this.dispatchEvent(new DualSelectMoveRequestEvent("add-one", key));
+        this.dispatchCustomEvent(EVENT_ADD_ONE, key);
        this.requestUpdate();
    }
    get moveable() {
        return Array.from(this.toMove.values());
    }
    // DO NOT use `Array.map()` instead of Lit's `map()` function. Lit's `map()` is object-aware and
    // will not re-arrange or reconstruct the list automatically if the actual sources do not
    // change; this allows the available pane to illustrate selected items with the checkmark
    // without causing the list to scroll back up to the top.
-    override render() {
+    render() {
        return html`
            <div class="pf-c-dual-list-selector__menu">
                <ul class="pf-c-dual-list-selector__list">
--- a/web/src/elements/ak-dual-select/components/ak-dual-select-controls.ts
+++ b/web/src/elements/ak-dual-select/components/ak-dual-select-controls.ts
@ -1,4 +1,5 @@
 import { AKElement } from "@goauthentik/elements/Base";
 import { CustomEmitterElement } from "@goauthentik/elements/utils/eventEmitter";
 import { msg } from "@lit/localize";
 import { css, html, nothing } from "lit";
@ -7,7 +8,13 @@ import { customElement, property } from "lit/decorators.js";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
-import { DualSelectMoveRequestEvent, type MoveEventType } from "../events";
+import {
    EVENT_ADD_ALL,
    EVENT_ADD_SELECTED,
    EVENT_DELETE_ALL,
    EVENT_REMOVE_ALL,
    EVENT_REMOVE_SELECTED,
 } from "../constants";
 const styles = [
    PFBase,
@ -40,7 +47,7 @@ const styles = [
 */
@customElement("ak-dual-select-controls")
-export class AkDualSelectControls extends AKElement {
+export class AkDualSelectControls extends CustomEmitterElement(AKElement) {
    static get styles() {
        return styles;
    }
@ -89,11 +96,11 @@ export class AkDualSelectControls extends AKElement {
        this.onClick = this.onClick.bind(this);
    }
-    onClick(eventName: MoveEventType) {
+    onClick(eventName: string) {
-        this.dispatchEvent(new DualSelectMoveRequestEvent(eventName));
+        this.dispatchCustomEvent(eventName);
    }
-    renderButton(label: string, event: MoveEventType, active: boolean, direction: string) {
+    renderButton(label: string, event: string, active: boolean, direction: string) {
        return html`
            <div class="pf-c-dual-list-selector__controls-item">
                <button
@ -114,18 +121,23 @@ export class AkDualSelectControls extends AKElement {
    render() {
        return html`
            <div class="ak-dual-list-selector__controls">
-                ${this.renderButton(msg("Add"), "add-selected", this.addActive, "fa-angle-right")}
+                ${this.renderButton(
                    msg("Add"),
                    EVENT_ADD_SELECTED,
                    this.addActive,
                    "fa-angle-right",
                )}
                ${this.selectAll
                    ? html`
                          ${this.renderButton(
                              msg("Add All Available"),
-                              "add-all",
+                              EVENT_ADD_ALL,
                              this.addAllActive,
                              "fa-angle-double-right",
                          )}
                          ${this.renderButton(
                              msg("Remove All Available"),
-                              "remove-all",
+                              EVENT_REMOVE_ALL,
                              this.removeAllActive,
                              "fa-angle-double-left",
                          )}
@ -133,14 +145,14 @@ export class AkDualSelectControls extends AKElement {
                    : nothing}
                ${this.renderButton(
                    msg("Remove"),
-                    "remove-selected",
+                    EVENT_REMOVE_SELECTED,
                    this.removeActive,
                    "fa-angle-left",
                )}
                ${this.deleteAll
                    ? html`${this.renderButton(
                          msg("Remove All"),
-                          "delete-all",
+                          EVENT_DELETE_ALL,
                          this.enableDeleteAll,
                          "fa-times",
                      )}`
--- a/web/src/elements/ak-dual-select/components/ak-dual-select-pane.ts
+++ b/web/src/elements/ak-dual-select/components/ak-dual-select-pane.ts
@ -1,75 +0,0 @@
 import { AKElement } from "@goauthentik/elements/Base";
 import { TemplateResult } from "lit";
 import { state } from "lit/decorators.js";
 import { listStyles } from "./styles.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFDualListSelector from "@patternfly/patternfly/components/DualListSelector/dual-list-selector.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 const styles = [PFBase, PFButton, PFDualListSelector, listStyles];
 const hostAttributes = [
    ["aria-labelledby", "dual-list-selector-selected-pane-status"],
    ["aria-multiselectable", "true"],
    ["role", "listbox"],
 ];
 /**
 * @element ak-dual-select-panel
 *
 * The "selected options" or "right" pane in a dual-list multi-select.  It receives from its parent
 * a list of the selected options, and maintains an internal list of objects selected to move.
 *
 * @fires ak-dual-select-selected-move-changed - When the list of "to move" entries changed.
 * Includes the current `toMove` content.
 *
 * @fires ak-dual-select-remove-one - Double-click with the element clicked on.
 *
 * It is not expected that the `ak-dual-select-selected-move-changed` will be used; instead, the
 * attribute will be read by the parent when a control is clicked.
 *
 */
 export abstract class AkDualSelectAbstractPane extends AKElement {
    static get styles() {
        return styles;
    }
    /*
     * This is the only mutator for this object. It collects the list of objects the user has
     * clicked on *in this pane*. It is explicitly marked as "public" to emphasize that the parent
     * orchestrator for the dual-select widget can and will access it to get the list of keys to be
     * moved (removed) if the user so requests.
     *
     */
    @state()
    public toMove: Set<string> = new Set();
    connectedCallback() {
        super.connectedCallback();
        hostAttributes.forEach(([attr, value]) => {
            if (!this.hasAttribute(attr)) {
                this.setAttribute(attr, value);
            }
        });
    }
    clearMove() {
        this.toMove = new Set();
    }
    move(key: string) {
        if (this.toMove.has(key)) {
            this.toMove.delete(key);
        } else {
            this.toMove.add(key);
        }
    }
    get moveable() {
        return Array.from(this.toMove.values());
    }
    abstract render(): TemplateResult;
 }
--- a/web/src/elements/ak-dual-select/components/ak-dual-select-selected-pane.ts
+++ b/web/src/elements/ak-dual-select/components/ak-dual-select-selected-pane.ts
@ -1,19 +1,26 @@
-import { bound } from "@goauthentik/elements/decorators/bound";
+import { AKElement } from "@goauthentik/elements/Base";
 import { CustomEmitterElement } from "@goauthentik/elements/utils/eventEmitter";
 import { html } from "lit";
-import { customElement, property } from "lit/decorators.js";
+import { customElement, property, state } from "lit/decorators.js";
 import { classMap } from "lit/directives/class-map.js";
 import { map } from "lit/directives/map.js";
-import { selectedPaneStyles } from "./styles.css";
+import { listStyles, selectedPaneStyles } from "./styles.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFDualListSelector from "@patternfly/patternfly/components/DualListSelector/dual-list-selector.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
-import {
+import { EVENT_REMOVE_ONE } from "../constants";
    DualSelectMoveRequestEvent,
    DualSelectMoveSelectedEvent,
    DualSelectUpdateEvent,
 } from "../events";
 import type { DualSelectPair } from "../types";
-import { AkDualSelectAbstractPane } from "./ak-dual-select-pane";
+
 const styles = [PFBase, PFButton, PFDualListSelector, listStyles, selectedPaneStyles];
 const hostAttributes = [
    ["aria-labelledby", "dual-list-selector-selected-pane-status"],
    ["aria-multiselectable", "true"],
    ["role", "listbox"],
 ];
 /**
 * @element ak-dual-select-available-panel
@ -31,32 +38,70 @@ import { AkDualSelectAbstractPane } from "./ak-dual-select-pane";
 *
 */
@customElement("ak-dual-select-selected-pane")
-export class AkDualSelectSelectedPane extends AkDualSelectAbstractPane {
+export class AkDualSelectSelectedPane extends CustomEmitterElement(AKElement) {
    static get styles() {
-        return [...AkDualSelectAbstractPane.styles, selectedPaneStyles];
+        return styles;
    }
    /* The array of key/value pairs that are in the selected list.  ALL of them. */
    @property({ type: Array })
    readonly selected: DualSelectPair[] = [];
-    @bound
+    /*
     * This is the only mutator for this object. It collects the list of objects the user has
     * clicked on *in this pane*. It is explicitly marked as "public" to emphasize that the parent
     * orchestrator for the dual-select widget can and will access it to get the list of keys to be
     * moved (removed) if the user so requests.
     *
     */
    @state()
    public toMove: Set<string> = new Set();
    constructor() {
        super();
        this.onClick = this.onClick.bind(this);
        this.onMove = this.onMove.bind(this);
    }
    connectedCallback() {
        super.connectedCallback();
        hostAttributes.forEach(([attr, value]) => {
            if (!this.hasAttribute(attr)) {
                this.setAttribute(attr, value);
            }
        });
    }
    clearMove() {
        this.toMove = new Set();
    }
    onClick(key: string) {
-        this.move(key);
+        if (this.toMove.has(key)) {
-        this.dispatchEvent(new DualSelectMoveSelectedEvent(this.moveable.sort()));
+            this.toMove.delete(key);
-        this.dispatchEvent(new DualSelectUpdateEvent());
+        } else {
            this.toMove.add(key);
        }
        this.dispatchCustomEvent(
            "ak-dual-select-selected-move-changed",
            Array.from(this.toMove.values()).sort(),
        );
        this.dispatchCustomEvent("ak-dual-select-move");
        // Necessary because updating a map won't trigger a state change
        this.requestUpdate();
    }
    @bound
    onMove(key: string) {
        this.toMove.delete(key);
-        this.dispatchEvent(new DualSelectMoveRequestEvent("remove-one", key));
+        this.dispatchCustomEvent(EVENT_REMOVE_ONE, key);
        this.requestUpdate();
    }
-    override render() {
+    get moveable() {
        return Array.from(this.toMove.values());
    }
    render() {
        return html`
            <div class="pf-c-dual-list-selector__menu">
                <ul class="pf-c-dual-list-selector__list">
--- a/web/src/elements/ak-dual-select/components/ak-pagination.ts
+++ b/web/src/elements/ak-dual-select/components/ak-pagination.ts
@ -1,4 +1,5 @@
 import { AKElement } from "@goauthentik/elements/Base";
 import { CustomEmitterElement } from "@goauthentik/elements/utils/eventEmitter";
 import { msg, str } from "@lit/localize";
 import { css, html, nothing } from "lit";
@ -8,7 +9,6 @@ import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFPagination from "@patternfly/patternfly/components/Pagination/pagination.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 import { DualSelectPaginatorNavEvent } from "../events";
 import type { BasePagination } from "../types";
 const styles = [
@ -27,7 +27,7 @@ const styles = [
 ];
@customElement("ak-pagination")
-export class AkPagination extends AKElement {
+export class AkPagination extends CustomEmitterElement(AKElement) {
    static get styles() {
        return styles;
    }
@ -41,7 +41,7 @@ export class AkPagination extends AKElement {
    }
    onClick(nav: number | undefined) {
-        this.dispatchEvent(new DualSelectPaginatorNavEvent(nav ?? 0));
+        this.dispatchCustomEvent("ak-pagination-nav-to", nav ?? 0);
    }
    render() {
--- a/web/src/elements/ak-dual-select/components/ak-search-bar.ts
+++ b/web/src/elements/ak-dual-select/components/ak-search-bar.ts
@ -1,4 +1,5 @@
 import { AKElement } from "@goauthentik/elements/Base";
 import { CustomEmitterElement } from "@goauthentik/elements/utils/eventEmitter";
 import { html } from "lit";
 import { customElement, property } from "lit/decorators.js";
@ -8,12 +9,12 @@ import type { Ref } from "lit/directives/ref.js";
 import { globalVariables, searchStyles } from "./search.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
-import { DualSelectPanelSearchEvent } from "../events";
+import type { SearchbarEvent } from "../types";
 const styles = [PFBase, globalVariables, searchStyles];
@customElement("ak-search-bar")
-export class AkSearchbar extends AKElement {
+export class AkSearchbar extends CustomEmitterElement(AKElement) {
    static get styles() {
        return styles;
    }
@ -39,7 +40,10 @@ export class AkSearchbar extends AKElement {
        if (this.input.value) {
            this.value = this.input.value.value;
        }
-        this.dispatchEvent(new DualSelectPanelSearchEvent(this.name, this.value));
+        this.dispatchCustomEvent<SearchbarEvent>("ak-search", {
            source: this.name,
            value: this.value,
        });
    }
    render() {
--- a/web/src/elements/ak-dual-select/events.ts
+++ b/web/src/elements/ak-dual-select/events.ts
@ -1,112 +0,0 @@
 import { DualSelectPair } from "./types";
 // Handled by the Server layer provider
 // Request to provide a different page of the paginated results in the "available" panel.
 export class DualSelectPaginatorNavEvent extends Event {
    static readonly eventName = "ak-dual-select-paginator-nav";
    constructor(public page: number = 0) {
        super(DualSelectPaginatorNavEvent.eventName, { bubbles: true, composed: true });
    }
 }
 // Request to provide a filtered collection for the "available" panel via a search string
 export class DualSelectSearchEvent extends Event {
    static readonly eventName = "ak-dual-select-search";
    constructor(public search: string) {
        super(DualSelectSearchEvent.eventName, { bubbles: true, composed: true });
    }
 }
 // Request to update the "selected" list in the provider
 export class DualSelectChangeEvent extends Event {
    static readonly eventName = "ak-dual-select-change";
    constructor(public selected: DualSelectPair[]) {
        super(DualSelectChangeEvent.eventName, { bubbles: true, composed: true });
    }
 }
 // Paginator and specific item events
 export const moveEvents = [
    "add-all",
    "add-one",
    "add-selected",
    "delete-all",
    "remove-all",
    "remove-one",
    "remove-selected",
 ] as const;
 export type MoveEventType = (typeof moveEvents)[number];
 // Request to add or remove all, some, or just one item from the "selected" panel
 export class DualSelectMoveRequestEvent extends Event {
    static readonly eventName = "ak-dual-select-request-move";
    constructor(
        public move: MoveEventType,
        public key?: string,
    ) {
        super(DualSelectMoveRequestEvent.eventName, { bubbles: true, composed: true });
    }
 }
 // Update events
 // Request to update the viewset
 export class DualSelectUpdateEvent extends Event {
    static readonly eventName = "ak-dual-select-update";
    constructor() {
        super(DualSelectUpdateEvent.eventName, { bubbles: true, composed: true });
    }
 }
 interface DualSelectMoveChangedEvent {
    keys: string[];
 }
 // Request to update the list of "marked for move" items in the "available" panel
 export class DualSelectMoveAvailableEvent extends Event implements DualSelectMoveChangedEvent {
    static readonly eventName = "ak-dual-select-move-available";
    constructor(public keys: string[]) {
        super(DualSelectMoveAvailableEvent.eventName, { bubbles: true, composed: true });
    }
 }
 // Request to update the list of "marked for move" items in the "selected" panel
 export class DualSelectMoveSelectedEvent extends Event implements DualSelectMoveChangedEvent {
    static readonly eventName = "ak-dual-select-move-selected";
    constructor(public keys: string[]) {
        super(DualSelectMoveSelectedEvent.eventName, { bubbles: true, composed: true });
    }
 }
 // Request to update either panel with a Filter
 export class DualSelectPanelSearchEvent extends Event {
    static readonly eventName = "ak-dual-select-panel-search";
    constructor(
        public source: string,
        public filterOn: string,
    ) {
        super(DualSelectPanelSearchEvent.eventName, { bubbles: true, composed: true });
    }
 }
 declare global {
    interface HTMLElementEventMap {
        [DualSelectUpdateEvent.eventName]: DualSelectUpdateEvent;
        [DualSelectMoveAvailableEvent.eventName]: DualSelectMoveAvailableEvent;
        [DualSelectMoveSelectedEvent.eventName]: DualSelectMoveSelectedEvent;
        [DualSelectMoveRequestEvent.eventName]: DualSelectMoveRequestEvent;
        [DualSelectPaginatorNavEvent.eventName]: DualSelectPaginatorNavEvent;
        [DualSelectSearchEvent.eventName]: DualSelectSearchEvent;
        [DualSelectChangeEvent.eventName]: DualSelectChangeEvent;
        [DualSelectPanelSearchEvent.eventName]: DualSelectPanelSearchEvent;
    }
    interface WindowEventMap {
        [DualSelectMoveRequestEvent.eventName]: DualSelectMoveRequestEvent;
        [DualSelectPaginatorNavEvent.eventName]: DualSelectPaginatorNavEvent;
        [DualSelectMoveSelectedEvent.eventName]: DualSelectMoveSelectedEvent;
    }
 }
--- a/web/src/elements/ak-dual-select/stories/ak-dual-select-available-pane.stories.ts
+++ b/web/src/elements/ak-dual-select/stories/ak-dual-select-available-pane.stories.ts
@ -6,7 +6,6 @@ import { TemplateResult, html } from "lit";
 import "../components/ak-dual-select-available-pane";
 import { AkDualSelectAvailablePane } from "../components/ak-dual-select-available-pane";
 import { DualSelectMoveSelectedEvent } from "../events";
 import "./sb-host-provider";
 const metadata: Meta<AkDualSelectAvailablePane> = {
@ -54,15 +53,15 @@ const container = (testItem: TemplateResult) =>
    </div>`;
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
-const handleMoveChanged = (result: DualSelectMoveSelectedEvent) => {
+const handleMoveChanged = (result: any) => {
    const target = document.querySelector("#action-button-message-pad");
    target!.innerHTML = "";
-    result.keys.forEach((key: string) => {
+    result.detail.forEach((key: string) => {
        target!.append(new DOMParser().parseFromString(`<li>${key}</li>`, "text/xml").firstChild!);
    });
 };
-window.addEventListener(DualSelectMoveSelectedEvent.eventName, handleMoveChanged);
+window.addEventListener("ak-dual-select-available-move-changed", handleMoveChanged);
 type Story = StoryObj;
--- a/web/src/elements/ak-dual-select/stories/ak-dual-select-controls.stories.ts
+++ b/web/src/elements/ak-dual-select/stories/ak-dual-select-controls.stories.ts
@ -5,7 +5,6 @@ import { TemplateResult, html } from "lit";
 import "../components/ak-dual-select-controls";
 import { AkDualSelectControls } from "../components/ak-dual-select-controls";
 import { DualSelectMoveRequestEvent } from "../events";
 const metadata: Meta<AkDualSelectControls> = {
    title: "Elements / Dual Select / Control Panel",
@ -60,9 +59,10 @@ const displayMessage = (result: any) => {
    target!.appendChild(doc.firstChild!);
 };
-window.addEventListener(DualSelectMoveRequestEvent.eventName, (ev: DualSelectMoveRequestEvent) =>
+window.addEventListener("ak-dual-select-add", () => displayMessage("add"));
-    displayMessage(ev.move.toString()),
+window.addEventListener("ak-dual-select-remove", () => displayMessage("remove"));
-);
+window.addEventListener("ak-dual-select-add-all", () => displayMessage("add all"));
 window.addEventListener("ak-dual-select-remove-all", () => displayMessage("remove all"));
 type Story = StoryObj;
--- a/web/src/elements/ak-dual-select/stories/ak-dual-select-master.stories.ts
+++ b/web/src/elements/ak-dual-select/stories/ak-dual-select-master.stories.ts
@ -9,7 +9,6 @@ import { Pagination } from "@goauthentik/api";
 import "../ak-dual-select";
 import { AkDualSelect } from "../ak-dual-select";
 import { DualSelectPaginatorNavEvent } from "../events";
 import type { DualSelectPair } from "../types";
 const goodForYouRaw = `
@ -84,11 +83,11 @@ export class AkSbFruity extends LitElement {
            totalPages: Math.ceil(this.options.length / this.pageLength),
        };
        this.onNavigation = this.onNavigation.bind(this);
-        this.addEventListener(DualSelectPaginatorNavEvent.eventName, this.onNavigation);
+        this.addEventListener("ak-pagination-nav-to", this.onNavigation);
    }
-    onNavigation(evt: DualSelectPaginatorNavEvent) {
+    onNavigation(evt: Event) {
-        const current = evt.page;
+        const current: number = (evt as CustomEvent).detail;
        const index = current - 1;
        if (index * this.pageLength > this.options.length) {
            console.warn(
--- a/web/src/elements/ak-dual-select/stories/ak-dual-select-selected-pane.stories.ts
+++ b/web/src/elements/ak-dual-select/stories/ak-dual-select-selected-pane.stories.ts
@ -6,7 +6,6 @@ import { TemplateResult, html } from "lit";
 import "../components/ak-dual-select-selected-pane";
 import { AkDualSelectSelectedPane } from "../components/ak-dual-select-selected-pane";
 import { DualSelectMoveSelectedEvent } from "../events";
 import "./sb-host-provider";
 const metadata: Meta<AkDualSelectSelectedPane> = {
@ -51,15 +50,15 @@ const container = (testItem: TemplateResult) =>
    </div>`;
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
-const handleMoveChanged = (result: DualSelectMoveSelectedEvent) => {
+const handleMoveChanged = (result: any) => {
    const target = document.querySelector("#action-button-message-pad");
    target!.innerHTML = "";
-    result.keys.forEach((key: string) => {
+    result.detail.forEach((key: string) => {
        target!.append(new DOMParser().parseFromString(`<li>${key}</li>`, "text/xml").firstChild!);
    });
 };
-window.addEventListener(DualSelectMoveSelectedEvent.eventName, handleMoveChanged);
+window.addEventListener("ak-dual-select-selected-move-changed", handleMoveChanged);
 type Story = StoryObj;
--- a/web/src/elements/ak-dual-select/stories/ak-pagination.stories.ts
+++ b/web/src/elements/ak-dual-select/stories/ak-pagination.stories.ts
@ -5,7 +5,6 @@ import { TemplateResult, html } from "lit";
 import "../components/ak-pagination";
 import { AkPagination } from "../components/ak-pagination";
 import { DualSelectPaginatorNavEvent } from "../events";
 const metadata: Meta<AkPagination> = {
    title: "Elements / Dual Select / Pagination Control",
@ -44,18 +43,18 @@ const container = (testItem: TemplateResult) =>
    </div>`;
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
-const handleMoveChanged = (result: DualSelectPaginatorNavEvent) => {
+const handleMoveChanged = (result: any) => {
    console.debug(result);
    const target = document.querySelector("#action-button-message-pad");
    target!.append(
        new DOMParser().parseFromString(
-            `<li>Request to move to page ${result.page}</li>`,
+            `<li>Request to move to page ${result.detail}</li>`,
            "text/xml",
        ).firstChild!,
    );
 };
-window.addEventListener(DualSelectPaginatorNavEvent.eventName, handleMoveChanged);
+window.addEventListener("ak-pagination-nav-to", handleMoveChanged);
 type Story = StoryObj;
--- a/web/src/elements/ak-dual-select/types.ts
+++ b/web/src/elements/ak-dual-select/types.ts
@ -29,3 +29,10 @@ export type DataProvision = {
 };
 export type DataProvider = (page: number, search?: string) => Promise<DataProvision>;
 export interface SearchbarEvent extends CustomEvent {
    detail: {
        source: string;
        value: string;
    };
 }
--- a/web/src/flow/FlowExecutor.ts
+++ b/web/src/flow/FlowExecutor.ts
@ -5,6 +5,7 @@ import {
    TITLE_DEFAULT,
 } from "@goauthentik/common/constants";
 import { globalAK } from "@goauthentik/common/global";
 import { purify } from "@goauthentik/common/purify";
 import { configureSentry } from "@goauthentik/common/sentry";
 import { first } from "@goauthentik/common/utils";
 import { WebsocketClient } from "@goauthentik/common/ws";
@ -13,7 +14,6 @@ import "@goauthentik/elements/LoadingOverlay";
 import "@goauthentik/elements/ak-locale-context";
 import { DefaultBrand } from "@goauthentik/elements/sidebar/SidebarBrand";
 import { themeImage } from "@goauthentik/elements/utils/images";
 import "@goauthentik/flow/components/ak-brand-footer";
 import "@goauthentik/flow/sources/apple/AppleLoginInit";
 import "@goauthentik/flow/sources/plex/PlexLoginInit";
 import "@goauthentik/flow/stages/FlowErrorStage";
@ -537,10 +537,27 @@ export class FlowExecutor extends Interface implements StageHost {
                                            </div>
                                            ${until(this.renderChallenge())}
                                        </div>
-                                        <ak-brand-links
+                                        <footer class="pf-c-login__footer">
-                                            class="pf-c-login__footer"
+                                            <ul class="pf-c-list pf-m-inline">
-                                            .links=${this.brand?.uiFooterLinks ?? []}
+                                                ${this.brand?.uiFooterLinks?.map((link) => {
-                                        ></ak-brand-links>
+                                                    if (link.href) {
                                                        return html`${purify(
                                                            html`<li>
                                                                <a href="${link.href}"
                                                                    >${link.name}</a
                                                                >
                                                            </li>`,
                                                        )}`;
                                                    }
                                                    return html`<li>
                                                        <span>${link.name}</span>
                                                    </li>`;
                                                })}
                                                <li>
                                                    <span>${msg("Powered by authentik")}</span>
                                                </li>
                                            </ul>
                                        </footer>
                                    </div>
                                </div>
                            </div>
--- a/web/src/flow/components/ak-brand-footer.ts
+++ b/web/src/flow/components/ak-brand-footer.ts
@ -1,51 +0,0 @@
 import { purify } from "@goauthentik/common/purify";
 import { AKElement } from "@goauthentik/elements/Base.js";
 import { msg } from "@lit/localize";
 import { css, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 import { map } from "lit/directives/map.js";
 import PFList from "@patternfly/patternfly/components/List/list.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 import { FooterLink } from "@goauthentik/api";
 const styles = css`
    .pf-c-list a {
        color: unset;
    }
    ul.pf-c-list.pf-m-inline {
        justify-content: center;
        padding: calc(var(--pf-global--spacer--xs) / 2) 0px;
    }
 `;
 const poweredBy: FooterLink = { name: msg("Powered by authentik"), href: null };
@customElement("ak-brand-links")
 export class BrandLinks extends AKElement {
    static get styles() {
        return [PFBase, PFList, styles];
    }
    @property({ type: Array, attribute: false })
    links: FooterLink[] = [];
    render() {
        const links = [...(this.links ?? []), poweredBy];
        return html` <ul class="pf-c-list pf-m-inline">
            ${map(links, (link) =>
                link.href
                    ? purify(html`<li><a href="${link.href}">${link.name}</a></li>`)
                    : html`<li><span>${link.name}</span></li>`,
            )}
        </ul>`;
    }
 }
 declare global {
    interface HTMLElementTagNameMap {
        "ak-brand-links": BrandLinks;
    }
 }
--- a/web/src/global.d.ts
+++ b/web/src/global.d.ts
@ -6,12 +6,6 @@ declare module "*.md" {
    const filename: string;
 }
 declare module "*.mdx" {
    const html: string;
    const metadata: { [key: string]: string };
    const filename: string;
 }
 declare namespace Intl {
    class ListFormat {
        constructor(locale: string, args: { [key: string]: string });
--- a/web/xliff/de.xlf
+++ b/web/xliff/de.xlf
@ -8600,7 +8600,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -8926,96 +8926,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/en.xlf
+++ b/web/xliff/en.xlf
@ -7128,7 +7128,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -7453,96 +7453,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/es.xlf
+++ b/web/xliff/es.xlf
@ -8688,7 +8688,7 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
  <target>Aplicaciones externas que utilizan <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> como proveedor de identidad a través de protocolos como OAuth2 y SAML. Aquí se muestran todas las aplicaciones, incluso aquellas a las que no puede acceder.</target>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
@ -9019,96 +9019,6 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/fr.xlf
+++ b/web/xliff/fr.xlf
@ -9046,7 +9046,7 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <target>Cette option configure les liens affichés en bas de page sur l’exécuteur de flux. L'URL est limitée à des addresses web et courriel. Si le nom est laissé vide, l'URL sera affichée.</target>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
  <target>Applications externes qui utilisent <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> comme fournisseur d'identité en utilisant des protocoles comme OAuth2 et SAML. Toutes les applications sont affichées ici, même celles auxquelles vous n'avez pas accès.</target>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
@ -9482,96 +9482,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
  <target>Moins de détails</target>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/it.xlf
+++ b/web/xliff/it.xlf
@ -9015,7 +9015,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>Questo opzione configura il link in basso nel flusso delle pagine di esecuzione. L'URL e' limitato a web e indirizzo mail-Se il nome viene lasciato vuoto, verra' visualizzato l'URL</target>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
  <target>Applicazioni esterne che usano <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> come identity provider tramite protocolli come OAuth2 e SAML. Sono mostrate tutte le applicazioni, anche quelle alle quali non hai accesso.</target>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
@ -9370,96 +9370,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/ko.xlf
+++ b/web/xliff/ko.xlf
@ -8600,7 +8600,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -8926,96 +8926,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/nl.xlf
+++ b/web/xliff/nl.xlf
@ -8501,7 +8501,7 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -8827,96 +8827,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pl.xlf
+++ b/web/xliff/pl.xlf
@ -8930,7 +8930,7 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -9256,96 +9256,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pseudo-LOCALE.xlf
+++ b/web/xliff/pseudo-LOCALE.xlf
@ -8937,7 +8937,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -9263,94 +9263,4 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
 </body></file></xliff>
--- a/web/xliff/ru.xlf
+++ b/web/xliff/ru.xlf
@ -8963,7 +8963,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -9289,96 +9289,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/tr.xlf
+++ b/web/xliff/tr.xlf
@ -8993,7 +8993,7 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -9319,96 +9319,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-CN.xlf
+++ b/web/xliff/zh-CN.xlf
@ -5730,7 +5730,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -6056,96 +6056,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
 </body>
 </file>
 </xliff>
--- a/web/xliff/zh-Hans.xlf
+++ b/web/xliff/zh-Hans.xlf
@ -9047,7 +9047,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>此选项配置流程执行器页面上的页脚链接。URL 限为 Web 和电子邮件地址。如果名称留空，则显示 URL 自身。</target>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
  <target>通过 OAuth2 和 SAML 等协议，使用 <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
@ -9483,96 +9483,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
  <target>显示更少</target>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-Hant.xlf
+++ b/web/xliff/zh-Hant.xlf
@ -6828,7 +6828,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -7153,96 +7153,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_TW.xlf
+++ b/web/xliff/zh_TW.xlf
@ -8577,7 +8577,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -8903,96 +8903,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
 <trans-unit id="s140111d464591e6b">
  <source>Create a new application and configure a provider for it.</source>
 </trans-unit>
 <trans-unit id="s5e0c81c05565bf42">
  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
 </trans-unit>
 <trans-unit id="s035bfd9c5f97e4d3">
  <source>Distance settings</source>
 </trans-unit>
 <trans-unit id="s207e6f8a8b3515fd">
  <source>Check historical distance of logins</source>
 </trans-unit>
 <trans-unit id="s8158f4b3e5c869be">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
 </trans-unit>
 <trans-unit id="sb8b7450c8515894c">
  <source>Maximum distance</source>
 </trans-unit>
 <trans-unit id="s40cdbaa532bc9899">
  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
 </trans-unit>
 <trans-unit id="seef852b5c0f8a529">
  <source>Distance tolerance</source>
 </trans-unit>
 <trans-unit id="sce567ced300aeb8a">
  <source>Tolerance in checking for distances in kilometers.</source>
 </trans-unit>
 <trans-unit id="s9ea9cdabd74f8f97">
  <source>Historical Login Count</source>
 </trans-unit>
 <trans-unit id="s27aec4c2de1ae777">
  <source>Amount of previous login events to check against.</source>
 </trans-unit>
 <trans-unit id="s48611ce6e85874dc">
  <source>Check impossible travel</source>
 </trans-unit>
 <trans-unit id="s8cf926e8311f8065">
  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
 </trans-unit>
 <trans-unit id="sa963d05af436770b">
  <source>Impossible travel tolerance</source>
 </trans-unit>
 <trans-unit id="s5760cd97ca42a238">
  <source>Static rule settings</source>
 </trans-unit>
 <trans-unit id="s8fec035fa1737294">
  <source>Create with Provider</source>
 </trans-unit>
 <trans-unit id="sca2487321ec12bd6">
  <source>Email address the verification email will be sent from.</source>
 </trans-unit>
 <trans-unit id="s24a8fdfc73e8137f">
  <source>Stage used to configure an email-based authenticator.</source>
 </trans-unit>
 <trans-unit id="sea0da186a814a212">
  <source>Use global connection settings</source>
 </trans-unit>
 <trans-unit id="s7754fa56a4439de4">
  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
 </trans-unit>
 <trans-unit id="s7e2bcca51126ec9c">
  <source>Subject of the verification email.</source>
 </trans-unit>
 <trans-unit id="sc12c90b1da0f3a47">
  <source>Token expiration</source>
 </trans-unit>
 <trans-unit id="sc264a82f9c710f14">
  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
 </trans-unit>
 <trans-unit id="s15986693bfc99fb7">
  <source>Email-based Authenticators</source>
 </trans-unit>
 <trans-unit id="s6bb30c61df4cf486">
  <source>Caps Lock is enabled.</source>
 </trans-unit>
 <trans-unit id="s3f8a07912545e72e">
  <source>Configure your email</source>
 </trans-unit>
 <trans-unit id="scedf77e8b75cad5a">
  <source>Please enter your email address.</source>
 </trans-unit>
 <trans-unit id="s7cdd62c100b6b17b">
  <source>Please enter the code you received via email</source>
 </trans-unit>
 <trans-unit id="s1d64dba9bb8b284d">
  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
 </trans-unit>
 <trans-unit id="s833cfe815918c143">
  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/website/docs/add-secure-apps/applications/index.md
+++ b/website/docs/add-secure-apps/applications/index.md
@ -6,12 +6,12 @@ Applications, as defined in authentik, are used to configure and separate the au
 When a user logs into authentik, they see a list of the applications for which authentik is configured to provide authentication and authorization (the applications that that they are authorized to use).
-Applications are the "other half" of providers. They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application. Applications can, however, use specific, additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](./manage_apps.mdx#backchannel-providers).
+Applications are the "other half" of providers. They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application. Applications can, however, use specific, additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](./manage_apps.md#backchannel-providers).
 Furthermore, the [RAC (Remote Access Control)](../providers/rac/index.md) feature uses a single application and a single provider, but multiple "endpoints". An endpoint defines each remote machine.
 :::info
-For information about creating and managing applications, refer to [Manage applications](./manage_apps.mdx).
+For information about creating and managing applications, refer to [Manage applications](./manage_apps.md).
 :::
 ## Appearance
--- a/website/docs/add-secure-apps/applications/manage_apps.mdx
+++ b/website/docs/add-secure-apps/applications/manage_apps.mdx
@ -37,12 +37,8 @@ When multiple policies/groups/users are attached, you can configure the _Policy
 ## Application Entitlements
-<p className="badge-group">
+<span class="badge badge--preview">Preview</span>
-
+<span class="badge badge--version">authentik 2024.12+</span>
 :ak-version[2024.12]
 :ak-preview
 </p>
 Application entitlements can be used through authentik to manage authorization within an application (what areas of the app users or groups can access). Entitlements are scoped to a single application and can be bound to multiple users and/or groups (binding policies is not currently supported), giving them access to the entitlement. An application can either check for the name of the entitlement (via the `entitlements` scope), or via attributes stored in entitlements.
--- a/website/docs/add-secure-apps/flows-stages/bindings/index.md
+++ b/website/docs/add-secure-apps/flows-stages/bindings/index.md
@ -24,7 +24,7 @@ A _policy binding_ connects a specific policy to a flow or to a stage. With the
 You can also bind groups and users to another component (a policy, a stage, a flow, etc.). For example, you can create a binding for a specific group, and then [bind that to a stage binding](../stages/index.md#bind-users-and-groups-to-a-flows-stage-binding), with the result that everyone in that group now will see that stage (and any policies bound to that stage) as part of their flow. Or more specifically, and going one step deeper, you can also _bind a binding to a binding_.
-Bindings are also used for [Application Entitlements](../../applications/manage_apps.mdx#application-entitlements), where you can bind specific users or groups to an application as a way to manage who has access to the application.
+Bindings are also used for [Application Entitlements](../../applications/manage_apps.md#application-entitlements), where you can bind specific users or groups to an application as a way to manage who has access to the application.
 It's important to remember that bindings are instantiated objects themselves, and conceptually can be considered as a "connector" between two components. This is why you might read about "binding a binding", because technically, a binding is "spliced" into another binding, in order to intercept and enforce the criteria defined in the second binding.
--- a/website/docs/add-secure-apps/flows-stages/bindings/work_with_bindings.md
+++ b/website/docs/add-secure-apps/flows-stages/bindings/work_with_bindings.md
@ -8,6 +8,6 @@ For instructions to create a binding, refer to the documentation for the specifi
 - [Bind a stage to a flow](../stages/index.md#bind-a-stage-to-a-flow)
 - [Bind a policy to a flow or stage](../../../customize/policies/working_with_policies#bind-a-policy-to-a-flow-or-stage)
- [Bind users or groups to a specific application with an Application Entitlement](../../applications/manage_apps.mdx#application-entitlements)
+- [Bind users or groups to a specific application with an Application Entitlement](../../applications/manage_apps.md#application-entitlements)
- [Bind a policy to a specific application when you create a new application and provider](../../applications/manage_apps.mdx#instructions)
+- [Bind a policy to a specific application when you create a new application and provider](../../applications/manage_apps.md#instructions)
 - [Bind users and groups to a stage binding, to define whether or not that stage is shown](../stages/index.md#bind-users-and-groups-to-a-flows-stage-binding)
--- a/website/docs/add-secure-apps/flows-stages/flow/context/index.mdx
+++ b/website/docs/add-secure-apps/flows-stages/flow/context/index.mdx
@ -24,11 +24,11 @@ Keys prefixed with `goauthentik.io` are used internally by authentik and are sub
 ### Common keys
-#### `pending_user` ([User object](../../../../users-sources/user/user_ref.mdx#object-properties))
+#### `pending_user` ([User object](../../../../users-sources/user/user_ref.md#object-properties))
-`pending_user` is used by multiple stages. In the context of most flow executions, it represents the data of the user that is executing the flow. This value is not set automatically, it is set via the [Identification stage](../../stages/identification/index.mdx).
+`pending_user` is used by multiple stages. In the context of most flow executions, it represents the data of the user that is executing the flow. This value is not set automatically, it is set via the [Identification stage](../../stages/identification/index.md).
-Stages that require a user, such as the [Password stage](../../stages/password/index.md), the [Authenticator validation stage](../../stages/authenticator_validate/index.mdx) and others will use this value if it is set, and fallback to the request's users when possible.
+Stages that require a user, such as the [Password stage](../../stages/password/index.md), the [Authenticator validation stage](../../stages/authenticator_validate/index.md) and others will use this value if it is set, and fallback to the request's users when possible.
 #### `prompt_data` (Dictionary)
@ -62,7 +62,7 @@ When an unauthenticated user attempts to access a secured resource, they are red
 When a user authenticates/enrolls via an external source, this will be set to the source they are using.
-#### `outpost` (dictionary):ak-version[2024.10]
+#### `outpost` (dictionary) <span class="badge badge--version">authentik 2024.10+</span>
 When a flow is executed by an Outpost (for example the [LDAP](../../../providers/ldap/index.md) or [RADIUS](../../../providers/radius/index.mdx)), this will be set to a dictionary containing the Outpost instance under the key `"instance"`.
@ -76,7 +76,7 @@ This key is set to `True` when the flow is executed from an "SSO" context. For e
 This key is set when a flow execution is continued from a token. This happens for example when an [Email stage](../../stages/email/index.mdx) is used and the user clicks on the link within the email. The token object contains the key that was used to restore the flow execution.
-#### `is_redirected` (Flow object):ak-version[2024.12]
+#### `is_redirected` (Flow object) <span class="badge badge--version">authentik 2024.12+</span>
 This key is set when the current flow was reached through a [Redirect stage](../../stages/redirect/index.md) in Flow mode.
@ -98,7 +98,7 @@ URL that the form will be submitted to.
 Key-value pairs of the data that is included in the form and will be submitted to `url`.
-#### Captcha stage:ak-version[2024.6]
+#### Captcha stage <span class="badge badge--version">authentik 2024.6+</span>
 ##### `captcha` (dictionary)
@ -118,7 +118,7 @@ An optional list of all permissions that will be given to the application by gra
 #### Deny stage
-##### `deny_message` (string)
+##### `deny_message` (string) <span class="badge badge--version">authentik 2023.10+</span>
 Optionally overwrite the deny message shown, has a higher priority than the message configured in the stage.
@ -134,7 +134,7 @@ If set, this must be a list of group objects and not group names.
 Path the `pending_user` will be written to. If not set in the flow, falls back to the value set in the user_write stage, and otherwise to the `users` path.
-##### `user_type` (string)
+##### `user_type` (string) <span class="badge badge--version">authentik 2023.10+</span>
 Type the `pending_user` will be created as. Must be one of `internal`, `external` or `service_account`.
@ -146,7 +146,7 @@ Set by the [Password stage](../../stages/password/index.md) after successfully a
 ##### `auth_method` (string)
-Set by the [Password stage](../../stages/password/index.md), the [Authenticator validation stage](../../stages/authenticator_validate/index.mdx), the [OAuth2 Provider](../../../providers/oauth2/index.mdx), and the API authentication depending on which method was used to authenticate.
+Set by the [Password stage](../../stages/password/index.md), the [Authenticator validation stage](../../stages/authenticator_validate/index.md), the [OAuth2 Provider](../../../providers/oauth2/index.md), and the API authentication depending on which method was used to authenticate.
 Possible options:
@ -154,8 +154,8 @@ Possible options:
 - `token` (Authenticated via API token)
 - `ldap` (Authenticated via LDAP bind from an LDAP source)
 - `auth_mfa` (Authentication via MFA device without password)
- `auth_webauthn_pwl` (Passwordless authentication via WebAuthn with Passkeys)
+- `auth_webauthn_pwl` (Passwordless authentication via WebAuthn)
- `jwt` ([M2M](../../../providers/oauth2/client_credentials.mdx) authentication via an existing JWT)
+- `jwt` ([M2M](../../../providers/oauth2/client_credentials.md) authentication via an existing JWT)
 ##### `auth_method_args` (dictionary)
@ -198,7 +198,7 @@ If _Show matched user_ is disabled, this key will be set to the user identifier
 #### Redirect stage
-##### `redirect_stage_target` (string):ak-version[2024.12]
+##### `redirect_stage_target` (string) <span class="badge badge--version">authentik 2024.12+</span>
 [Set this key](../../../../customize/policies/expression/managing_flow_context_keys.md) in an Expression Policy to override [Redirect stage](../../stages/redirect/index.md) to force it to redirect to a certain URL or flow. This is useful when a flow requires that the redirection target be decided dynamically.
--- a/website/docs/add-secure-apps/flows-stages/flow/examples/snippets.mdx
+++ b/website/docs/add-secure-apps/flows-stages/flow/examples/snippets.mdx
@ -2,7 +2,7 @@
 title: Example policy snippets for flows
 ---
-### Redirect current flow to another URL
+### Redirect current flow to another URL <span class="badge badge--version">authentik 2022.7+</span>
 ```python
 plan = request.context.get("flow_plan")
--- a/website/docs/add-secure-apps/flows-stages/flow/executors/headless.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/executors/headless.md
@ -6,6 +6,6 @@ The headless flow executor is used by clients that don't have access to the web
 The following stages are supported:
- [**Identification stage**](../../stages/identification/index.mdx)
+- [**Identification stage**](../../stages/identification/index.md)
 - [**Password stage**](../../stages/password/index.md)
- [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.mdx)
+- [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.md)
--- a/website/docs/add-secure-apps/flows-stages/flow/executors/sfe.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/executors/sfe.md
@ -1,8 +1,9 @@
 ---
 title: Simplified flow executor
 authentik_version: "2024.6.1"
 ---
 <span class="badge badge--version">authentik 2024.6.1+</span>
 A simplified web-based flow executor that authentik automatically uses for older browsers that do not support modern web technologies.
 Currently this flow executor is automatically used for the following browsers:
@ -12,14 +13,14 @@ Currently this flow executor is automatically used for the following browsers:
 The following stages are supported:
- [**Identification stage**](../../stages/identification/index.mdx)
+- [**Identification stage**](../../stages/identification/index.md)
    :::info
    Only user identifier and user identifier + password stage configurations are supported; sources and passwordless configurations are not supported.
    :::
 - [**Password stage**](../../stages/password/index.md)
- [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.mdx)
+- [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.md)
 Compared to the [default flow executor](./if-flow.md), this flow executor does _not_ support the following features:
--- a/website/docs/add-secure-apps/flows-stages/flow/executors/user-settings.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/executors/user-settings.md
@ -2,6 +2,10 @@
 title: User settings
 ---
 <span class="badge badge--version">authentik 2023.3+</span>
 ---
 The user interface (/if/user/) uses a specialized flow executor to allow individual users to customize their profile. A user's profile consists of key/value fields, so this executor only supports Prompt or User Write stages. If the configured flow contains another stage, a button will be shown to open the default executor.
 Because the stages in a flow can change during its execution, be awre that configuring this executor to use any stage type other than Prompt or User Write will automatically trigger a redirect to the standard executor.
--- a/website/docs/add-secure-apps/flows-stages/flow/flow_list/_defaultflowlist.mdx
+++ b/website/docs/add-secure-apps/flows-stages/flow/flow_list/_defaultflowlist.mdx
@ -6,7 +6,7 @@
 - **Invalidation**: designates a default flow to be used to invalidate a session. Use `default-invalidation-flow` for invalidation from authentik itself, or use `default-provider-invalidation-flow` to invalidate when the session of an application ends. When you use the `default-invalidation-flow` as a global invalidation flow, it should contain a [**User Logout**](../../stages/user_logout.md) stage. When you use the `default-provider-invalidation-flow` (supported with OIDC, SAML, Proxy, and RAC providers), you can configure this default flow to present users log-off options such as "log out of the app but remain logged in to authentik" or "return to the **My Applications** page", or "log out completely". (Alternatively, you can create a custom invalidation flow, with a branded background image.)
- **Recovery**: designates a flow for recovery. This flow normally contains an [**Identification**](../../stages/identification/index.mdx) stage to find the user. It can also contain any amount of verification stages, such as [**Email**](../../stages/email/index.mdx) or [**CAPTCHA**](../../stages/captcha/index.md). Afterwards, use the [**Prompt**](../../stages/prompt/index.md) stage to ask the user for a new password and the [**User Write**](../../stages/user_write.md) stage to update the password.
+- **Recovery**: designates a flow for recovery. This flow normally contains an [**Identification**](../../stages/identification/index.md) stage to find the user. It can also contain any amount of verification stages, such as [**Email**](../../stages/email/index.mdx) or [**CAPTCHA**](../../stages/captcha/index.md). Afterwards, use the [**Prompt**](../../stages/prompt/index.md) stage to ask the user for a new password and the [**User Write**](../../stages/user_write.md) stage to update the password.
 - **Stage configuration**: designates a flow for general setup. This designation doesn't have any constraints in what you can do. For example, by default this designation is used to configure authenticators, like change a password and set up TOTP.
--- a/website/docs/add-secure-apps/flows-stages/flow/index.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/index.md
@ -20,7 +20,7 @@ When these stages are successfully completed, authentik logs in the user.
 By default, policies are evaluated dynamically, right before the stage (to which a policy is bound) is presented to the user. This flexibility allows the login process to continue, change, or stop, based on the success or failure of each policy.
-This default behaviour can be altered by enabling the **Evaluate when flow is planned** option on the stage binding. With this setting a _flow plan_ containing all stages is generated upon flow execution. This means that all attached policies are evaluated upon execution. For more information about flow plans, read our [flow context documentation](./context/index.mdx).
+This default behaviour can be altered by enabling the **Evaluate when flow is planned** option on the stage binding. With this setting a _flow plan_ containing all stages is generated upon flow execution. This means that all attached policies are evaluated upon execution. For more information about flow plans, read our [flow context documentation](./context/index.md).
 ## Permissions
--- a/website/docs/add-secure-apps/flows-stages/flow/inspector.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/inspector.md
@ -2,7 +2,7 @@
 title: Flow Inspector
 ---
-The flow inspector, introduced in 2021.10, allows administrators to visually determine how custom flows work, inspect the current [flow context](./context/index.mdx), and investigate issues.
+The flow inspector, introduced in 2021.10, allows administrators to visually determine how custom flows work, inspect the current [flow context](./context/index.md), and investigate issues.
 As shown in the screenshot below, the flow inspector displays next to the selected flow (in this case, "Change Password"), with [information](#flow-inspector-details) about that specific flow and flow context.
--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_duo/index.mdx
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_duo/index.mdx
@ -10,7 +10,7 @@ Copy all of the integration key, secret key and API hostname, and paste them in
 Devices created reference the stage they were created with, since the API credentials are needed to authenticate. This also means when the stage is deleted, all devices are removed.
-## Importing users
+## Importing users <span class="badge badge--version">authentik 2022.9+</span>
 :::info
 Due to the way the Duo API works, authentik can only automatically import existing Duo users when a Duo MFA or higher license is active.
@ -20,7 +20,7 @@ To import a device, open the Stages list in the authentik Admin interface. On th
 The Duo username can be found by navigating to your Duo Admin dashboard and selecting _Users_ in the sidebar. Optionally if you have multiple users with the same username, you can click on a User and copy their ID from the URL, and use that to import the device.
-### Older versions
+### Older versions <span class="badge badge--version">authentik 2021.9.1+</span>
 You can call the `/api/v3/stages/authenticator/duo/{stage_uuid}/import_devices/` endpoint ([see here](https://goauthentik.io/api/#post-/stages/authenticator/duo/-stage_uuid-/import_devices/)) using the following parameters:
--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_email/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_email/index.md
@ -8,7 +8,7 @@ This stage configures an email-based authenticator that sends a one-time code to
 When a user goes through a flow that includes this stage, they are prompted for their email address (if not already set). The user then receives an email with a one-time code, which they enter into the authentik Login panel.
-The email address will be saved and can be used with the [Authenticator validation](../authenticator_validate/index.mdx) stage for future authentications.
+The email address will be saved and can be used with the [Authenticator validation](../authenticator_validate/index.md) stage for future authentications.
 ## Flow integration
--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/index.md
@ -1,8 +1,11 @@
 ---
 title: Endpoint Authenticator Google Device Trust Connector Stage
-authentik_version: "2024.10"
+---
-authentik_preview: true
+
-authentik_enterprise: true
+<span class="badge badge--primary">Enterprise</span>
 <span class="badge badge--preview">Preview</span>
 <span class="badge badge--version">authentik 2024.10+</span>
 ---
 With this stage, authentik can validate users' Chrome browsers and ensure that users' devices are compliant and up-to-date.
@ -15,11 +18,10 @@ This stage only works with Google Chrome, as it relies on the [Chrome Verified A
 The main steps to set up your Google workspace are as follows:
- [Configuration](#configuration)
+1. [Create your Google Cloud Project](#create-a-google-cloud-project)
-    - [Create a Google cloud project](#create-a-google-cloud-project)
+2. [Create a service account](#create-a-service-account)
-    - [Create a service account](#create-a-service-account)
+3. [Set credentials for the service account](#set-credentials-for-the-service-account)
-    - [Set credentials for the service account](#set-credentials-for-the-service-account)
+4. [Define access and scope in the Admin Console](#set-credentials-for-the-service-account)
    - [Create the stage](#create-the-stage)
 For detailed instructions, refer to Google documentation.
@ -74,4 +76,4 @@ For detailed instructions, refer to Google documentation.
 4. Click **Finish**.
-After creating the stage, it can be used in any flow. Compared to other Authenticator stages, this stage does not require enrollment. Instead of adding an [Authenticator Validation Stage](../authenticator_validate/index.mdx), this stage only verifies the users' browser.
+After creating the stage, it can be used in any flow. Compared to other Authenticator stages, this stage does not require enrollment. Instead of adding an [Authenticator Validation Stage](../authenticator_validate/index.md), this stage only verifies the users' browser.
--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_sms/index.mdx
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_sms/index.mdx
@ -46,9 +46,9 @@ return {
 }
 ```
-## Verify only
+## Verify only <span class="badge badge--version">authentik 2022.6+</span>
-To only verify the validity of a users' phone number, without saving it in an easily accessible way, you can enable this option. Phone numbers from devices enrolled through this stage will only have their hashed phone number saved. These devices can also not be used with the [Authenticator validation](../authenticator_validate/index.mdx) stage.
+To only verify the validity of a users' phone number, without saving it in an easily accessible way, you can enable this option. Phone numbers from devices enrolled through this stage will only have their hashed phone number saved. These devices can also not be used with the [Authenticator validation](../authenticator_validate/index.md) stage.
 ## Limiting phone numbers
--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
@ -4,12 +4,12 @@ title: Authenticator Validation stage
 This stage validates an already configured Authenticator Device. This device has to be configured using any of the other authenticator stages:
- [Duo authenticator stage](../authenticator_duo/index.mdx)
+- [Duo authenticator stage](../authenticator_duo/index.md)
 - [Email authenticator stage](../authenticator_email/index.md)
- [SMS authenticator stage](../authenticator_sms/index.mdx)
+- [SMS authenticator stage](../authenticator_sms/index.md)
 - [Static authenticator stage](../authenticator_static/index.md)
 - [TOTP authenticator stage](../authenticator_totp/index.md)
- [WebAuthn authenticator stage](../authenticator_webauthn/index.mdx)
+- [WebAuthn authenticator stage](../authenticator_webauthn/index.md)
 You can select which type of device classes are allowed.
@ -24,17 +24,17 @@ Keep in mind that when using Code-based devices (TOTP, Static and SMS), values l
 ### Options
-#### Less-frequent validation
+#### Less-frequent validation <span class="badge badge--version">authentik 2022.5.1+</span>
 You can configure this stage to only ask for MFA validation if the user hasn't authenticated themselves within a defined time period. To configure this, set _Last validation threshold_ to any non-zero value. Any of the users devices within the selected classes are checked.
-#### Passwordless authentication
+#### Passwordless authentication <span class="badge badge--version">authentik 2021.12.4+</span>
 :::caution
 Firefox has some known issues regarding TouchID (see https://bugzilla.mozilla.org/show_bug.cgi?id=1536482)
 :::
-Passwordless authentication currently only supports WebAuthn devices, which provides for the use of passkeys, security keys and biometrics. For an alternate passwordless setup, see [Password stage](../password/index.md#passwordless-login), which supports other types.
+Passwordless authentication currently only supports WebAuthn devices, like security keys and biometrics. For an alternate passwordless setup, see [Password stage](../password/index.md#passwordless-login), which supports other types.
 To configure passwordless authentication, create a new Flow with the designation set to _Authentication_.
@ -69,7 +69,7 @@ Logins which used Passwordless authentication have the _auth_method_ context var
 }
 ```
-#### WebAuthn Device type restrictions:ak-version[2024.4]
+#### WebAuthn Device type restrictions <span class="badge badge--version">authentik 2024.4+</span>
 Optionally restrict which WebAuthn device types can be used to authenticate.
--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_webauthn/index.mdx
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_webauthn/index.mdx
@ -1,9 +1,7 @@
 ---
-title: WebAuthn / Passkeys Authenticator setup stage
+title: WebAuthn Authenticator Setup stage
 ---
 <span class="badge badge--version">authentik 2021.3.1+</span>
 This stage configures a WebAuthn-based Authenticator. This can either be a browser, biometrics or a Security stick like a YubiKey.
 ### Options
@ -14,13 +12,13 @@ Configure if authentik should require, prefer or discourage user verification fo
 #### Resident key requirement
-Configure if the created authenticator is stored in the encrypted memory on the device or in persistent memory. When configuring [passwordless login](../identification/index.mdx#passwordless-flow), this should be set to either _Preferred_ or _Required_, otherwise the authenticator cannot be used for passwordless authentication.
+Configure if the created authenticator is stored in the encrypted memory on the device or in persistent memory. When configuring [passwordless login](../identification/index.md#passwordless-flow), this should be set to either _Preferred_ or _Required_, otherwise the authenticator cannot be used for passwordless authentication.
 #### Authenticator Attachment
 Configure if authentik will require either a removable device (like a YubiKey, Google Titan, etc) or a non-removable device (like Windows Hello, TouchID or password managers), or not send a requirement.
-#### Device type restrictions:ak-version[2024.4]
+#### Device type restrictions <span class="badge badge--version">authentik 2024.4+</span>
 Optionally restrict the types of devices allowed to be enrolled. This option can be used to ensure users are only able to enroll FIPS-compliant devices for example.
--- a/website/docs/add-secure-apps/flows-stages/stages/identification/index.mdx
+++ b/website/docs/add-secure-apps/flows-stages/stages/identification/index.mdx
@ -30,13 +30,13 @@ To run a CAPTCHA process in the background while the user is entering their iden
 These fields specify if and which flows are linked on the form. The enrollment flow is linked as `Need an account? Sign up.`, and the recovery flow is linked as `Forgot username or password?`.
-## Pretend user exists:ak-version[2024.2]
+## Pretend user exists <span class="badge badge--version">authentik 2024.2+</span>
 When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.
 ## Source settings
-Some sources (like the [OAuth Source](../../../../users-sources/sources/protocols/oauth/index.mdx) and [SAML Source](../../../../users-sources/sources/protocols/saml/index.md)) require user interaction. To make these sources available to users, they can be selected in the Identification stage settings, which will show them below the selected [user field](#user-fields).
+Some sources (like the [OAuth Source](../../../../users-sources/sources/protocols/oauth/index.md) and [SAML Source](../../../../users-sources/sources/protocols/saml/index.md)) require user interaction. To make these sources available to users, they can be selected in the Identification stage settings, which will show them below the selected [user field](#user-fields).
 By default, sources are only shown with their icon, which can be changed with the _Show sources' labels_ option.
@ -50,7 +50,7 @@ Starting with authentik 2023.5, when no user fields are selected and only one so
 ### Passwordless flow
-See [Passwordless authentication](../authenticator_validate/index.mdx#passwordless-authentication).
+See [Passwordless authentication](../authenticator_validate/index.md#passwordless-authentication-authentik-2021124).
 ### Enrollment flow
--- a/website/docs/add-secure-apps/flows-stages/stages/password/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/password/index.md
@ -6,7 +6,7 @@ This is a generic password prompt which authenticates the current `pending_user`
 ## Passwordless login
-There are two different ways to configure passwordless authentication; you can follow the instructions [here](../authenticator_validate/index.mdx#passwordless-authentication) to allow users to directly authenticate with their authenticator (only supported for WebAuthn devices), or dynamically skip the password stage depending on the users device, which is documented here.
+There are two different ways to configure passwordless authentication; you can follow the instructions [here](../authenticator_validate/index.md#passwordless-authentication-authentik-2021124) to allow users to directly authenticate with their authenticator (only supported for WebAuthn devices), or dynamically skip the password stage depending on the users device, which is documented here.
 Depending on what kind of device you want to require the user to have:
--- a/website/docs/add-secure-apps/flows-stages/stages/redirect/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/redirect/index.md
@ -1,6 +1,9 @@
 ---
 title: Redirect stage
-authentik_version: "2024.12"
+---
 <span class="badge badge--version">authentik 2024.12+</span>
 ---
 This stage's main purpose is to redirect the user to a new Flow while keeping flow context. For convenience, it can also redirect the user to a static URL.
@ -13,6 +16,6 @@ When the user reaches this stage, they are redirected to a static URL.
 ### Flow mode
-When the user reaches this stage, they are redirected to a specified flow, retaining all [flow context](../../flow/context/index.mdx).
+When the user reaches this stage, they are redirected to a specified flow, retaining all [flow context](../../flow/context).
-Optionally, untoggle the "Keep flow context" switch. If this is untoggled, all flow context is cleared with the exception of the [is_redirected](../../flow/context#is_redirected-flow-object) key.
+Optionally, untoggle the "Keep flow context" switch. If this is untoggled, all flow context is cleared with the exception of the [is_redirected](../../flow/context#is_redirected-flow-object-authentik-202412) key.
--- a/website/docs/add-secure-apps/flows-stages/stages/source/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/source/index.md
@ -1,10 +1,13 @@
 ---
 title: Source stage
 authentik_version: "2024.4"
 authentik_enterprise: true
 ---
-The source stage injects an [OAuth](../../../../users-sources/sources/protocols/oauth/index.mdx) or [SAML](../../../../users-sources/sources/protocols/saml/index.md) Source into the flow execution. This allows for additional user verification, or to dynamically access different sources for different user identifiers (username, email address, etc).
+<span class="badge badge--primary">Enterprise</span>
 <span class="badge badge--version">authentik 2024.4+</span>
 ---
 The source stage injects an [OAuth](../../../../users-sources/sources/protocols/oauth/index.md) or [SAML](../../../../users-sources/sources/protocols/saml/index.md) Source into the flow execution. This allows for additional user verification, or to dynamically access different sources for different user identifiers (username, email address, etc).
 ```mermaid
 sequenceDiagram
@ -41,13 +44,13 @@ This stage can be used to leverage an external OAuth/SAML identity provider.
 For example, you can authenticate users by routing them through a custom device-health solution.
-Another use case is to route users to authenticate with your legacy (Okta, etc) IdP and then use the returned identity and attributes within authentik as part of an authorization flow, for example as part of an IdP migration. For authentication/enrollment this is also possible with an [OAuth](../../../../users-sources/sources/protocols/oauth/index.mdx)/[SAML](../../../../users-sources/sources/protocols/saml/index.md) source by itself.
+Another use case is to route users to authenticate with your legacy (Okta, etc) IdP and then use the returned identity and attributes within authentik as part of an authorization flow, for example as part of an IdP migration. For authentication/enrollment this is also possible with an [OAuth](../../../../users-sources/sources/protocols/oauth/index.md)/[SAML](../../../../users-sources/sources/protocols/saml/index.md) source by itself.
 ### Options
 #### Source
-The source the user is redirected to. Must be a web-based source, such as [OAuth](../../../../users-sources/sources/protocols/oauth/index.mdx) or [SAML](../../../../users-sources/sources/protocols/saml/index.md). Sources like [LDAP](../../../../users-sources/sources/protocols/ldap/index.md) are _not_ compatible.
+The source the user is redirected to. Must be a web-based source, such as [OAuth](../../../../users-sources/sources/protocols/oauth/index.md) or [SAML](../../../../users-sources/sources/protocols/saml/index.md). Sources like [LDAP](../../../../users-sources/sources/protocols/ldap/index.md) are _not_ compatible.
 #### Resume timeout
--- a/website/docs/add-secure-apps/providers/entra/add-entra-provider.md
+++ b/website/docs/add-secure-apps/providers/entra/add-entra-provider.md
@ -1,6 +1,9 @@
 ---
 title: Add an Entra ID provider
-authentik_enterprise: true
+---
 <span class="badge badge--primary">Enterprise</span>
 ---
 For more information about using an Entra ID provider, see the [Overview](./index.md) documentation.
--- a/website/docs/add-secure-apps/providers/entra/index.md
+++ b/website/docs/add-secure-apps/providers/entra/index.md
@ -1,6 +1,9 @@
 ---
 title: Microsoft Entra ID provider
-authentik_enterprise: true
+---
 <span class="badge badge--primary">Enterprise</span>
 ---
 With the Microsoft Entra ID provider, authentik serves as the single source of truth for all users and groups. Configuring Entra ID as a provider allows for auto-discovery of user and group accounts, on-going synchronization of user data such as email address, name, and status, and integrated data mapping of field names and values.
--- a/website/docs/add-secure-apps/providers/entra/setup-entra.md
+++ b/website/docs/add-secure-apps/providers/entra/setup-entra.md
@ -1,6 +1,9 @@
 ---
 title: Configure Entra ID
-authentik_enterprise: true
+---
 <span class="badge badge--primary">Enterprise</span>
 ---
 The configuration of your Microsoft Entra ID environment must be completed before you [add the new provider](./add-entra-provider.md) in authentik.
--- a/website/docs/add-secure-apps/providers/gws/add-gws-provider.md
+++ b/website/docs/add-secure-apps/providers/gws/add-gws-provider.md
@ -1,6 +1,9 @@
 ---
 title: Create a Google Workspace provider
-authentik_enterprise: true
+---
 <span class="badge badge--primary">Enterprise</span>
 ---
 For more information about using a Google Workspace provider, see the [Overview](./index.md) documentation.
--- a/website/docs/add-secure-apps/providers/gws/index.md
+++ b/website/docs/add-secure-apps/providers/gws/index.md
@ -1,6 +1,9 @@
 ---
 title: Google Workspace provider
-authentik_enterprise: true
+---
 <span class="badge badge--primary">Enterprise</span>
 ---
 With the Google Workspace provider, authentik serves as the single source of truth for all users and groups, when using Google products like Gmail.
--- a/website/docs/add-secure-apps/providers/gws/setup-gws.md
+++ b/website/docs/add-secure-apps/providers/gws/setup-gws.md
@ -1,6 +1,9 @@
 ---
 title: Configure Google Workspace
-authentik_enterprise: true
+---
 <span class="badge badge--primary">Enterprise</span>
 ---
 The configuration and set up of your Google Workspace must be completed before you [add the new provider](./add-gws-provider.md) in authentik.
--- a/website/docs/add-secure-apps/providers/index.mdx
+++ b/website/docs/add-secure-apps/providers/index.mdx
@ -9,9 +9,9 @@ A Provider is an authentication method, a service that is used by authentik to a
 Providers are the "other half" of [applications](../applications/index.md). They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application.
-Applications can use additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](../applications/manage_apps.mdx#backchannel-providers).
+Applications can use additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](../applications/manage_apps.md#backchannel-providers).
-You can create a new provider in the Admin interface, or you can use the [**Create with provider** option](../applications/manage_apps.mdx#instructions) to create a new application and its provider at the same time.
+You can create a new provider in the Admin interface, or you can use the [**Create with provider** option](../applications/manage_apps.md#instructions) to create a new application and its provider at the same time.
 When you create certain types of providers, you need to select specific [flows](../flows-stages/flow/index.md) to apply to users who access authentik via the provider. To learn more, refer to our [default flow documentation](../flows-stages/flow/examples/default_flows.md).
--- a/website/docs/add-secure-apps/providers/ldap/generic_setup.md
+++ b/website/docs/add-secure-apps/providers/ldap/generic_setup.md
@ -9,7 +9,7 @@ title: Create an LDAP provider
    Note the DN of this user will be `cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io`
 :::info
-Note: The `default-authentication-flow` validates MFA by default, and currently everything but SMS-based devices and WebAuthn (which enables passkey-based authentication) devices are supported by LDAP. If you plan to use only dedicated service accounts to bind to LDAP, or don't use SMS-based authenticators, then you can use the default flow and skip the extra steps below and continue at [Create LDAP Application & Provider](#create-ldap-application--provider)
+Note: The `default-authentication-flow` validates MFA by default, and currently everything but SMS-based devices and WebAuthn devices are supported by LDAP. If you plan to use only dedicated service accounts to bind to LDAP, or don't use SMS-based authenticators, then you can use the default flow and skip the extra steps below and continue at [Create LDAP Application & Provider](#create-ldap-application--provider)
 :::
 ### LDAP Flow
--- a/website/docs/add-secure-apps/providers/ldap/index.md
+++ b/website/docs/add-secure-apps/providers/ldap/index.md
@ -64,7 +64,7 @@ Starting with 2023.3, periods and slashes in custom attributes will be sanitized
 You can also configure SSL for your LDAP Providers by selecting a certificate and a server name in the provider settings.
-Starting with authentik 2023.6, StartTLS is supported, and the provider will pick the correct certificate based on the configured _TLS Server name_ field. The certificate is not picked based on the Bind DN, as the StartTLS operation should happen before the bind request to ensure bind credentials are transmitted over TLS.
+Starting with authentik 2023.6, StartTLS is supported, and the provider will pick the correct certificate based on the configured _TLS Server name_ field. The certificate is not picked based on the Bind DN, as the StartTLS operation should happen be the bind request to ensure bind credentials are transmitted over TLS.
 This enables you to bind on port 636 using LDAPS.
@ -78,9 +78,9 @@ All bind modes rely on flows.
 The following stages are supported:
- [Identification](../../flows-stages/stages/identification/index.mdx)
+- [Identification](../../flows-stages/stages/identification/index.md)
 - [Password](../../flows-stages/stages/password/index.md)
- [Authenticator validation](../../flows-stages/stages/authenticator_validate/index.mdx)
+- [Authenticator validation](../../flows-stages/stages/authenticator_validate/index.md)
    Note: Authenticator validation currently only supports DUO, TOTP and static authenticators.
--- a/website/docs/add-secure-apps/providers/oauth2/client_credentials.mdx
+++ b/website/docs/add-secure-apps/providers/oauth2/client_credentials.mdx
@ -30,7 +30,7 @@ In addition to that, with authentik 2024.4 it is also possible to pass the confi
 ### JWT-authentication
-#### Externally issued JWTs
+#### Externally issued JWTs <span class="badge badge--version">authentik 2022.4+</span>
 You can authenticate and get a token using an existing JWT. For readability we will refer to the JWT issued by the external issuer/platform as input JWT, and the resulting JWT from authentik as the output JWT.
@ -59,7 +59,7 @@ To dynamically limit access based on the claims of the tokens, you can use _[Exp
 return request.context["oauth_jwt"]["iss"] == "https://my.issuer"
 ```
-#### authentik-issued JWTs:ak-version[2024.12]
+#### authentik-issued JWTs <span class="badge badge--version">authentik 2024.12+</span>
 To allow federation between providers, modify the provider settings of the application (whose token will be used for authentication) to select the provider of the application to which you want to federate.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Marc 'risson' Schmitt	31fe0e5923	release: 2025.2.1	2025-02-26 20:54:52 +01:00
gcp-cherry-pick-bot[bot]	8b619635ea	stages/authenticator_email: fix session cleanup test b (cherry-pick #13264 ) (#13276 ) Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io> fix session cleanup test b (#13264)	2025-02-26 20:46:05 +01:00
gcp-cherry-pick-bot[bot]	1f1db523c0	stages/email: Fix email stage serialization (cherry-pick #13256 ) (#13273 ) Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Fix email stage serialization (#13256)	2025-02-26 20:44:50 +01:00
gcp-cherry-pick-bot[bot]	bbc23e1d77	core: add pre-hydrated relative URL (cherry-pick #13243 ) (#13246 ) core: add pre-hydrated relative URL (#13243) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-25 11:25:29 +01:00
gcp-cherry-pick-bot[bot]	c30b7ee3e9	website/docs: fix missing breaking entry for 2025.2 release notes (cherry-pick #13223 ) (#13224 ) website/docs: fix missing breaking entry for 2025.2 release notes (#13223) * website/docs: fix missing breaking entry for 2025.2 release notes * Update website/docs/releases/2025/v2025.2.md --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens L. <jens@beryju.org> Co-authored-by: Jens L. <jens@goauthentik.io> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>	2025-02-24 16:58:18 +01:00
Marc 'risson' Schmitt	2ba79627bc	stages/authenticator_email: Email Authenticator Stage Documentation (cherry-pick #12853 ) (#13218 ) Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Co-authored-by: Tana M Berry <tana@goauthentik.com> Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>	2025-02-24 14:57:55 +01:00
gcp-cherry-pick-bot[bot]	198cbe1d9d	website/docs: add paragraph about impossible travel (cherry-pick #13125 ) (#13220 ) Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Co-authored-by: Tana M Berry <tana@goauthentik.com> Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>	2025-02-24 14:55:34 +01:00
Marc 'risson' Schmitt	db6da159d5	website/docs: remove mention of wizard (cherry-pick #13126 ) (#13219 ) Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Co-authored-by: Tana M Berry <tana@goauthentik.com>	2025-02-24 14:54:48 +01:00
Marc 'risson' Schmitt	9862e32078	website/docs: add info about new perms for super-user in groups (cherry-pick #13188 ) (#13217 ) Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Co-authored-by: Tana M Berry <tana@goauthentik.com> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-24 14:49:15 +01:00
gcp-cherry-pick-bot[bot]	a7714e2892	website/docs: add new SSF provider docs (cherry-pick #13102 ) (#13215 ) Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Co-authored-by: Tana M Berry <tana@goauthentik.com>	2025-02-24 14:49:05 +01:00
gcp-cherry-pick-bot[bot]	073e1d241b	website/docs: remove Enterprise badge from RAC docs (cherry-pick #13069 ) (#13216 ) Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>	2025-02-24 14:47:56 +01:00
Jens Langhammer	5c5cc1c7da	release: 2025.2.0	2025-02-24 12:55:17 +01:00
gcp-cherry-pick-bot[bot]	3dccce1095	web/user: fix display for RAC tile (cherry-pick #13211 ) (#13212 ) web/user: fix display for RAC tile (#13211) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-24 12:18:36 +01:00
gcp-cherry-pick-bot[bot]	78f997fbee	web/flow: fix translate extract (cherry-pick #13208 ) (#13210 ) web/flow: fix translate extract (#13208) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-24 11:59:29 +01:00
Jens Langhammer	ed83c2b0b1	release: 2025.2.0-rc3	2025-02-23 16:02:45 +01:00
gcp-cherry-pick-bot[bot]	af780deb27	core: add darkreader-lock (cherry-pick #13183 ) (#13184 ) core: add darkreader-lock (#13183) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-23 04:53:09 +01:00
gcp-cherry-pick-bot[bot]	a4be38567f	web/admin: fix default selection for binding policy (cherry-pick #13180 ) (#13182 ) web/admin: fix default selection for binding policy (#13180) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-23 04:20:04 +01:00
gcp-cherry-pick-bot[bot]	39aafbb34a	web/flow: grab focus to uid input field (cherry-pick #13177 ) (#13178 ) web/flow: grab focus to uid input field (#13177) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-23 00:52:37 +01:00
gcp-cherry-pick-bot[bot]	07eb5fe533	web/flow: update default flow background (cherry-pick #13175 ) (#13176 ) web/flow: update default flow background (#13175) * web/flow: update default flow background * Optimised images with calibre/image-actions --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io> Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>	2025-02-22 23:37:10 +01:00
gcp-cherry-pick-bot[bot]	301a89dd92	web/admin: only show message when not editing an application (cherry-pick #13165 ) (#13168 ) web/admin: only show message when not editing an application (#13165) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-21 23:37:14 +01:00
gcp-cherry-pick-bot[bot]	cd6d0a47f3	web/user: fix race condition in user settings flow executor (cherry-pick #13163 ) (#13169 ) web/user: fix race condition in user settings flow executor (#13163) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-21 23:36:59 +01:00
gcp-cherry-pick-bot[bot]	8a23eaef1e	web/user: fix RAC launch not opening when clicking icon (cherry-pick #13164 ) (#13166 ) web/user: fix RAC launch not opening when clicking icon (#13164) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-21 19:21:40 +01:00
gcp-cherry-pick-bot[bot]	8f285fbcc5	web: Indicate when caps-lock is active during password input. (cherry-pick #12733 ) (#13160 ) web: Indicate when caps-lock is active during password input. (#12733) Determining the state of the caps-lock key can be tricky as we're dependant on a user-provided input to set a value. Thus, our initial state defaults to not display any warning until the first keystroke. - Revise to better use lit-html. Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>	2025-02-21 17:09:35 +01:00
gcp-cherry-pick-bot[bot]	5d391424f7	web/user: fix post MFA creation link being invalid (cherry-pick #13157 ) (#13159 ) web/user: fix post MFA creation link being invalid (#13157) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-21 17:01:09 +01:00
Jens Langhammer	2de11f8a69	release: 2025.2.0-rc2	2025-02-20 23:47:15 +01:00
gcp-cherry-pick-bot[bot]	b2dcf94aba	policies/geoip: fix math in impossible travel (cherry-pick #13141 ) (#13145 ) policies/geoip: fix math in impossible travel (#13141) * policies/geoip: fix math in impossible travel * fix threshold --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-20 23:46:21 +01:00
gcp-cherry-pick-bot[bot]	adb532fc5d	enterprise/stages/source: fix Source stage not executing authentication/enrollment flow (cherry-pick #12875 ) (#13146 ) enterprise/stages/source: fix Source stage not executing authentication/enrollment flow (#12875) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-20 23:45:43 +01:00
gcp-cherry-pick-bot[bot]	5d3b35d1ba	revert: rbac: exclude permissions for internal models (#12803 ) (cherry-pick #13138 ) (#13140 ) revert: rbac: exclude permissions for internal models (#12803) (#13138) Revert "rbac: exclude permissions for internal models (#12803)" This reverts commit `e08ccf4ca0`. Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-20 16:07:21 +01:00
gcp-cherry-pick-bot[bot]	433a94d9ee	web/flows: fix error on interactive Captcha stage when retrying captcha (cherry-pick #13119 ) (#13139 ) web/flows: fix error on interactive Captcha stage when retrying captcha (#13119) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-20 15:12:03 +01:00
gcp-cherry-pick-bot[bot]	f28d622d10	cmd: set version in outposts (cherry-pick #13116 ) (#13122 ) cmd: set version in outposts (#13116) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-19 18:20:28 +01:00
gcp-cherry-pick-bot[bot]	50a68c22c5	sources/oauth: add group sync for azure_ad (cherry-pick #12894 ) (#13123 ) sources/oauth: add group sync for azure_ad (#12894) * sources/oauth: add group sync for azure_ad * make group sync optional --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-19 18:20:16 +01:00
gcp-cherry-pick-bot[bot]	13c99c8546	web/user: fix opening application with Enter not respecting new tab setting (cherry-pick #13115 ) (#13118 ) web/user: fix opening application with Enter not respecting new tab setting (#13115) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-19 17:57:18 +01:00
gcp-cherry-pick-bot[bot]	7243add30f	web/admin: update Application Wizard button placement (cherry-pick #12771 ) (#13121 ) web/admin: update Application Wizard button placement (#12771) * web: Add InvalidationFlow to Radius Provider dialogues ## What - Bugfix: adds the InvalidationFlow to the Radius Provider dialogues - Repairs: `{"invalidation_flow":["This field is required."]}` message, which was not propagated to the Notification. - Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/` ## Note Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the Property Mappings to the wizard, and yes, I know I'm going to have pain with the new version of the wizard. But this is a serious bug; you can't make Radius servers with either of the current dialogues at the moment. * This (temporary) change is needed to prevent the unit tests from failing. \# What \# Why \# How \# Designs \# Test Steps \# Other Notes * Revert "This (temporary) change is needed to prevent the unit tests from failing." This reverts commit `dddde09be5`. * web: Make using the wizard the default for new applications # What 1. I removed the "Wizard Hint" bar and migrated the "Create With Wizard" button down to the default position as "Create With Provider," moving the "Create" button to a secondary position. Primary coloring has been kept for both. 2. Added an alert to the "Create" legacy dialog: > Using this form will only create an Application. In order to authenticate with the application, > you will have to manually pair it with a Provider. 3. Updated the subtitle on the Wizard dialog: ``` diff - wizardDescription = msg("Create a new application"); + wizardDescription = msg("Create a new application and configure a provider for it."); ``` 4. Updated the User page so that, if the User is-a Administrator and the number of Applications in the system is zero, the user will be invited to create a new Application using the Wizard rather than the legacy Form: ```diff renderNewAppButton() { const href = paramURL("/core/applications", { - createForm: true, + createWizard: true, }); ``` 5. Fixed a bug where, on initial render, if the `this.brand` field was not available, an error would appear in the console. The effects were usually harmless, as brand information came quickly and filled in before the user could notice, but it looked bad in the debugger. 6. Fixed a bug in testing where the wizard page "Configure Policy Bindings" had been changed to "Configure Policy/User/Group Binding". # Testing Since the wizard OUID didn't change (`data-ouia-component-id="start-application-wizard"`), the E2E tests for "Application Wizard" completed without any substantial changes to the routine or to the tests. ``` sh npm run test:e2e:watch -- --spec ./tests/specs/new-application-by-wizard.ts ``` # User documentation changes required. These changes were made at the request of docs, as an initial draft to show how the page looks with the Application Wizard as he default tool for creating new Applications. # Developer documentation changes required. None. Co-authored-by: Ken Sternberg <133134217+kensternberg-authentik@users.noreply.github.com>	2025-02-19 17:57:03 +01:00
gcp-cherry-pick-bot[bot]	6611a64a62	web: bump API Client version (cherry-pick #13113 ) (#13114 ) web: bump API Client version (#13113) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>	2025-02-19 13:16:48 +01:00
gcp-cherry-pick-bot[bot]	5262f61483	providers/rac: move to open source (cherry-pick #13015 ) (#13112 ) providers/rac: move to open source (#13015) * move RAC to open source * move web out of enterprise * remove enterprise license requirements from RAC * format --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io>	2025-02-19 13:16:18 +01:00
Jens Langhammer	9dcbb4af9e	release: 2025.2.0-rc1	2025-02-19 02:36:48 +01:00
gcp-cherry-pick-bot[bot]	0665bfac58	website/docs: add 2025.2 release notes (cherry-pick #13002 ) (#13108 ) website/docs: add 2025.2 release notes (#13002) * website/docs: add 2025.2 release notes * make compile * ffs * ffs --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-19 02:12:47 +01:00
gcp-cherry-pick-bot[bot]	790e0c4d80	core: clear expired database sessions (cherry-pick #13105 ) (#13106 ) core: clear expired database sessions (#13105) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-18 23:22:21 +01:00