---
title: Release 2025.2
slug: "/releases/2025.2"
---

## Highlights

- **SSF Provider :ak-enterprise :ak-preview** Add support for Shared Signals Framework.
- **RAC moved to open source** Remote access is now available to everyone!
- **GeoIP distance and impossible travel checks** Add the ability to check for the distance a user has moved compared to a previous login, and whether the user could have travelled that distance.
- **Email OTP Stage** Allow users to receive one-time passwords at their email address during authentication.
- **Fine-grained permission for superuser toggle on groups** Setting the **Is superuser** toggle on a group now requires a separate permission.

## Breaking changes

- **Fixed behaviour in Source stage :ak-enterprise**

    In previous versions, the Source stage would incorrectly continue with the initial flow after returning from the source, which didn't match the documented behaviour. With this release this behaviour has been corrected, and the Source stage will now correctly run the selected enrollment/authentication flow before returning to the flow from which the Source stage was executed.

- **Deprecated and frozen `:latest` container image tag after 2025.2**

    Using the `:latest` tag with container images is not recommended, as it can lead to unintentional updates and potentially broken setups.

    The tag will not be removed; however, it will also not be updated past 2025.2.

    We strongly recommend the use of a specific version tag for authentik instances' container images, like `:2025.2`.

## New features

- **SSF Provider** :ak-enterprise :ak-preview

    [Shared Signals Framework](../../add-secure-apps/providers/ssf/index.md) allows applications to register a stream with authentik within which they can receive events from authentik, such as when a session was revoked or a credential was added/changed/deleted, and execute actions based on these events.

    Using an SSF provider as a backchannel provider allows admins to integrate authentik with Apple Business School Manager for federated Apple IDs.

- **RAC moved to open source**

    Remote access (RDP, VNC and SSH) has moved from enterprise to our free, open source code. We try our best to limit enterprise-specific functionality to features that would be non-essential to homelab users and far more valuable to enterprise use cases. We've had a variety of homelab users reach out with excellent use cases for RAC functionality, so while this will mean giving up some potential revenue, we think that opening up RAC to the community is the right thing to do!

- **GeoIP distance and impossible travel checks**

    Add the ability to check for the distance a user has moved compared to a previous login, and add the option to check impossible travel distances based on client IP. These options can be used to detect and prevent access from potentially stolen authentik sessions or stolen devices. Refer to our [documentation](../../customize/policies/index.md#geoip-policy).

- **Email OTP Authenticator Setup Stage**

    Admins now have the ability to configure the option for users to use their email address as an authenticator. Users that already have an email address set on their account will be able to use that address to receive one-time passwords. It is also possible to configure authentik to allow users to add additional email addresses as authenticators. See [Email Authenticator Setup Stage](../../add-secure-apps/flows-stages/stages/authenticator_email/index.md).

- **Application Wizard is the default way to create applications**

    The default way of creating an application now allows admins to configure the application and provider at the same time, and also add any kind of bindings without having to navigate through different sections of the UI. The previous way of creating a standalone application is and will stay available alongside the new and streamlined method.

- **Fine-grained permission for superuser toggle on groups**

    Setting the **Is superuser** toggle on a group now requires a separate permission, making it much easier to allow for delegated management of groups without risking the ability for users to self-elevate permissions. For details, refer to our [documentation](../../users-sources/groups/manage_groups.mdx#modify-a-group).

- **Improved debugging experience**

    For people developing authentik or building very complex, custom integrations, how to configure debugging in authentik is documented [here](../../developer-docs/setup/debugging.md).

## Upgrading

This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx).

:::warning
When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance.
:::

### Docker Compose

To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

```shell
wget -O docker-compose.yml https://goauthentik.io/version/2025.2/docker-compose.yml
docker compose up -d
```

The `-O` flag writes the download to the given file name, overwriting any existing local file with the same name.

### Kubernetes

Upgrade the Helm Chart to the new version, using the following commands:

```shell
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.2
```

## Minor changes/fixes

- admin: monitor worker version (#12463)
- api: cleanup owner permissions (#12598)
- blueprints: add REPL for blueprint YAML tags (#9223)
- blueprints: fix schema for meta models (#12421)
- core: add indexes on ExpiringModel (#12658)
- core: fix application entitlements not creatable with blueprints (#12673)
- core: fix error when creating new user with default path (#12609)
- core: fix generic sources not being fetchable by pk (#12896)
- core: fix permissions for admin device listing (#12787)
- core: search users' attributes (#12740)
- core: show last password change date (#12958)
- enterprise/providers: SSF (#12327)
- enterprise/providers/SSF: fix a couple of bugs after real world testing (#12987)
- enterprise/rac: Improve client connection status & bugfixes (#12684)
- events: make sure password set event has the correct IP (#12585)
- events: notification_cleanup: avoid unnecessary loop (#12417)
- flows: clear flow state before redirecting to final URL (#12788)
- flows: fix history containing other plans (#12655)
- flows: fix inspector permission check (#12907)
- flows: more tests (#11587)
- flows: show policy messages in reevaluate marker (#12855)
- flows/inspector: add button to open flow inspector (#12656)
- internal: fix missing trailing slash in outpost websocket (#12470)
- internal: fix URL generation for websocket connection (#12439)
- lifecycle: update python to 3.12.8 (#12783)
- lifecycle/migrate: don't migrate tenants if not enabled (#12850)
- outposts: fix version label (#12486)
- providers/oauth2: include scope in token response (#12921)
- providers/oauth2: support token revocation for public clients (#12704)
- providers/saml: fix handle Accept: application/xml for SAML Metadata endpoint (#12483) (#12518)
- providers/saml: fix invalid SAML Response when assertion and response are signed (#12611)
- providers/saml: provide generic metadata url when possible (#12413)
- rbac: exclude permissions for internal models (#12803)
- rbac: permissions endpoint: allow authenticated users (#12608)
- root: backport version bump (#12426)
- root: docker: ensure apt packages are up-to-date (#12683)
- root: expose CONN_MAX_AGE, CONN_HEALTH_CHECKS and DISABLE_SERVER_SIDE_CURSORS for PostgreSQL config (#10159)
- root: fix dev build version being invalid semver (#12472)
- root: redis, make sure tlscacert isn't an empty string (#12407)
- sources: allow uuid or slug to be used for retrieving a source (#12780)
- sources: allow uuid or slug to be used for retrieving a source (2024.12 fix) (#12772)
- sources/kerberos: authenticate with the user's username instead of the first username in authentik (#12497)
- sources/kerberos: handle principal expire time (#12748)
- sources/oauth: fix authentication only being sent in form body (#12713)
- sources/scim: fix user creation (duplicate userName) (#12547)
- stages/authenticator: add user field to devices (#12636)
- stages/prompt: always show policy messages (#12765)
- stages/redirect: fix query parameter when redirecting to flow (#12750)
- web, core: fix grammatical issue in stage bindings (#10799)
- web: fix build dev build (#12473)
- web: fix error handling bug in ApplicationWizard.RACProviderForm (#12640)
- web: Fix issue where Codemirror partially applies OneDark theme. (#12811)
- web: fix mobile scrolling bug (#12601)
- web: fix source selection and outpost integration health (#12530)
- web: fixes broken docLinks - url missing s (#12789)
- web: housekeeping, optimizations and small fixes (#12450)
- web: improve notification and API drawers (#12659)
- web: misc fixes for admin and flow inspector (#12461)
- web: only load version context when authenticated (#12482)
- web: update gen-client-ts to OpenAPI 7.11.0 (#12756)
- web/admin: fix role changelog missing primary key filter (#12671)
- web/admin: improve user display view (#12988)
- web/admin: more cleanup and consistency (#12657)
- web/admin: Refine navigation (#12441)
- web/components: ak-number-input: add support for min (#12703)
- web/flows: fix `login` / `log in` inconsistency (#12526)

## Fixed in 2025.2.1

- core: add pre-hydrated relative URL (cherry-pick #13243) (#13246)
- stages/authenticator_email: Email Authenticator Stage Documentation (cherry-pick #12853) (#13218)
- stages/authenticator_email: fix session cleanup test b (cherry-pick #13264) (#13276)
- stages/email: Fix email stage serialization (cherry-pick #13256) (#13273)

## Fixed in 2025.2.2

- \*: fix stage incorrectly being inserted instead of appended (cherry-pick #13304) (#13327)
- enterprise/stages/source: fix dispatch method signature (cherry-pick #13321) (#13326)
- lib/config: fix conn_max_age parsing (cherry-pick #13370) (#13415)
- providers/SCIM: fix object exists error for users, attempt to look up user ID in remote system (#13437)
- providers/proxy: kubernetes outpost: fix reconcile when only annotations changed (cherry-pick #13372) (#13384)
- providers/rac: fix signals and Endpoint caching (cherry-pick #13529) (#13531)
- sources/oauth: fix duplicate authentication (cherry-pick #13322) (#13535)
- sources/oauth: ignore missing well-known keys (cherry-pick #13468) (#13470)
- stages/authenticator_email: Fix Enroll dropdown in the MFA Devices page (cherry-pick #13404) (#13414)
- stages/identification: check captcha after checking authentication (cherry-pick #13533) (#13551)
- web/admin: fix display bug for assigned users in application bindings in the wizard (cherry-pick #13435) (#13452)
- web/flows: fix missing padding on authenticator_validate card (cherry-pick #13420) (#13519)
- web/user: ensure modal container on user-settings page is min-height: 100% (cherry-pick #13402) (#13413)
- web/user: show admin interface button on mobile (cherry-pick #13421) (#13518)

## Fixed in 2025.2.3

- admin: fix system API when using bearer token (cherry-pick #13651) (#13654)
- core: fix core/user is_superuser filter (cherry-pick #13693) (#13694)
- core: fix non-exploitable open redirect, reported by [@dominic-r](https://github.com/dominic-r) (cherry-pick #13696) (#13698)
- outposts/ldap: fix paginator going into infinite loop (cherry-pick #13677) (#13679)
- security: fix CVE-2025-29928 (cherry-pick #13695) (#13700)
- stages/email: Clean newline characters in TemplateEmailMessage (cherry-pick #13666) (#13667)
- stages/identification: refresh captcha on failure (cherry-pick #13697) (#13699)
- web/admin: reworked sync status card (cherry-pick #13625) (#13692)

## Fixed in 2025.2.4

- Revert "core: fix non-exploitable open redirect (#13696)" (cherry-pick #13824) (#13826)
- providers/scim: fix group membership check failing (cherry-pick #13644) (#13825)
- stages/email: fix for newlines in emails (#13712)

## API Changes

#### What's New

---

##### `GET` /authenticators/admin/email/

##### `POST` /authenticators/admin/email/

##### `GET` /authenticators/admin/email/{id}/

##### `PUT` /authenticators/admin/email/{id}/

##### `DELETE` /authenticators/admin/email/{id}/

##### `PATCH` /authenticators/admin/email/{id}/

##### `GET` /authenticators/email/

##### `GET` /authenticators/email/{id}/

##### `PUT` /authenticators/email/{id}/

##### `DELETE` /authenticators/email/{id}/

##### `PATCH` /authenticators/email/{id}/

##### `GET` /authenticators/email/{id}/used_by/

##### `GET` /providers/ssf/

##### `POST` /providers/ssf/

##### `GET` /providers/ssf/{id}/

##### `PUT` /providers/ssf/{id}/

##### `DELETE` /providers/ssf/{id}/

##### `PATCH` /providers/ssf/{id}/

##### `GET` /providers/ssf/{id}/used_by/

##### `GET` /ssf/streams/

##### `GET` /ssf/streams/{uuid}/

##### `GET` /stages/authenticator/email/

##### `POST` /stages/authenticator/email/

##### `GET` /stages/authenticator/email/{stage_uuid}/

##### `PUT` /stages/authenticator/email/{stage_uuid}/

##### `DELETE` /stages/authenticator/email/{stage_uuid}/

##### `PATCH` /stages/authenticator/email/{stage_uuid}/

##### `GET` /stages/authenticator/email/{stage_uuid}/used_by/

#### What's Changed

---

##### `GET` /admin/workers/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

##### `GET` /authenticators/admin/duo/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

        - Property `pk` (integer)

        - Property `username` (string)

            > Required. 150 characters or fewer. Letters, digits and @/./+/-/\_ only.

        - Property `name` (string)

            > User's display name.

        - Property `is_active` (boolean)

            > Designates whether this user should be treated as active. Unselect this instead of deleting accounts.

        - Property `last_login` (string)

        - Property `email` (string)

        - Property `attributes` (object)

        - Property `uid` (string)

##### `PUT` /authenticators/admin/duo/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PATCH` /authenticators/admin/duo/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /authenticators/admin/sms/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PUT` /authenticators/admin/sms/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PATCH` /authenticators/admin/sms/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /authenticators/admin/totp/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PUT` /authenticators/admin/totp/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PATCH` /authenticators/admin/totp/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /authenticators/admin/webauthn/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PUT` /authenticators/admin/webauthn/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PATCH` /authenticators/admin/webauthn/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /authenticators/duo/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PUT` /authenticators/duo/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PATCH` /authenticators/duo/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /authenticators/sms/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PUT` /authenticators/sms/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PATCH` /authenticators/sms/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /authenticators/totp/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PUT` /authenticators/totp/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PATCH` /authenticators/totp/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /authenticators/webauthn/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PUT` /authenticators/webauthn/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PATCH` /authenticators/webauthn/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /policies/event_matcher/{policy_uuid}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Added enum values:

        - `authentik.providers.rac`
        - `authentik.stages.authenticator_email`
        - `authentik.enterprise.providers.ssf`

        Removed enum value:

        - `authentik.enterprise.providers.rac`

    - Changed property `model` (string)

        > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

        Added enum values:

        - `authentik_stages_authenticator_email.authenticatoremailstage`
        - `authentik_stages_authenticator_email.emaildevice`
        - `authentik_providers_ssf.ssfprovider`

##### `PUT` /policies/event_matcher/{policy_uuid}/

###### Request:

Changed content type : `application/json`

- Changed property `app` (string)

    > Match events created by selected application. When left empty, all applications are matched.

    Added enum values:

    - `authentik.providers.rac`
    - `authentik.stages.authenticator_email`
    - `authentik.enterprise.providers.ssf`

    Removed enum value:

    - `authentik.enterprise.providers.rac`

- Changed property `model` (string)

    > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum values:

    - `authentik_stages_authenticator_email.authenticatoremailstage`
    - `authentik_stages_authenticator_email.emaildevice`
    - `authentik_providers_ssf.ssfprovider`

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Added enum values:

        - `authentik.providers.rac`
        - `authentik.stages.authenticator_email`
        - `authentik.enterprise.providers.ssf`

        Removed enum value:

        - `authentik.enterprise.providers.rac`

    - Changed property `model` (string)

        > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

        Added enum values:

        - `authentik_stages_authenticator_email.authenticatoremailstage`
        - `authentik_stages_authenticator_email.emaildevice`
        - `authentik_providers_ssf.ssfprovider`

##### `PATCH` /policies/event_matcher/{policy_uuid}/

###### Request:

Changed content type : `application/json`

- Changed property `app` (string)

    > Match events created by selected application. When left empty, all applications are matched.

    Added enum values:

    - `authentik.providers.rac`
    - `authentik.stages.authenticator_email`
    - `authentik.enterprise.providers.ssf`

    Removed enum value:

    - `authentik.enterprise.providers.rac`

- Changed property `model` (string)

    > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum values:

    - `authentik_stages_authenticator_email.authenticatoremailstage`
    - `authentik_stages_authenticator_email.emaildevice`
    - `authentik_providers_ssf.ssfprovider`

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Added enum values:

        - `authentik.providers.rac`
        - `authentik.stages.authenticator_email`
        - `authentik.enterprise.providers.ssf`

        Removed enum value:

        - `authentik.enterprise.providers.rac`

    - Changed property `model` (string)

        > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

        Added enum values:

        - `authentik_stages_authenticator_email.authenticatoremailstage`
        - `authentik_stages_authenticator_email.emaildevice`
        - `authentik_providers_ssf.ssfprovider`

##### `GET` /providers/saml/{id}/metadata/

###### Return Type:

Changed response : **200 OK**

- New content type : `application/xml`

##### `POST` /authenticators/admin/duo/

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /authenticators/admin/duo/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > Serializer for Duo authenticator devices

        New required properties:

        - `user`

        * Added property `user` (object)

##### `POST` /authenticators/admin/sms/

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /authenticators/admin/sms/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > Serializer for sms authenticator devices

        New required properties:

        - `user`

        * Added property `user` (object)

##### `GET` /authenticators/admin/static/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PUT` /authenticators/admin/static/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PATCH` /authenticators/admin/static/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `POST` /authenticators/admin/totp/

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /authenticators/admin/totp/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > Serializer for totp authenticator devices

        New required properties:

        - `user`

        * Added property `user` (object)

##### `POST` /authenticators/admin/webauthn/

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /authenticators/admin/webauthn/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > Serializer for WebAuthn authenticator devices

        New required properties:

        - `user`

        * Added property `user` (object)

##### `GET` /authenticators/duo/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > Serializer for Duo authenticator devices

        New required properties:

        - `user`

        * Added property `user` (object)

##### `GET` /authenticators/sms/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > Serializer for sms authenticator devices

        New required properties:

        - `user`

        * Added property `user` (object)

##### `GET` /authenticators/static/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PUT` /authenticators/static/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `PATCH` /authenticators/static/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /authenticators/totp/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > Serializer for totp authenticator devices

        New required properties:

        - `user`

        * Added property `user` (object)

##### `GET` /authenticators/webauthn/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > Serializer for WebAuthn authenticator devices

        New required properties:

        - `user`

        * Added property `user` (object)

##### `GET` /core/tokens/{identifier}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `user_obj` (object)

        > User Serializer

        New required properties:

        - `password_change_date`

        * Added property `password_change_date` (string)

##### `PUT` /core/tokens/{identifier}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `user_obj` (object)

        > User Serializer

        New required properties:

        - `password_change_date`

        * Added property `password_change_date` (string)

##### `PATCH` /core/tokens/{identifier}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `user_obj` (object)

        > User Serializer

        New required properties:

        - `password_change_date`

        * Added property `password_change_date` (string)

##### `GET` /core/users/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `password_change_date`

    * Added property `password_change_date` (string)

##### `PUT` /core/users/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `password_change_date`

    * Added property `password_change_date` (string)

##### `PATCH` /core/users/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `password_change_date`

    * Added property `password_change_date` (string)

##### `GET` /policies/bindings/{policy_binding_uuid}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `user_obj` (object)

        > User Serializer

        New required properties:

        - `password_change_date`

        * Added property `password_change_date` (string)

##### `PUT` /policies/bindings/{policy_binding_uuid}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `user_obj` (object)

        > User Serializer

        New required properties:

        - `password_change_date`

        * Added property `password_change_date` (string)

##### `PATCH` /policies/bindings/{policy_binding_uuid}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `user_obj` (object)

        > User Serializer

        New required properties:

        - `password_change_date`

        * Added property `password_change_date` (string)

##### `POST` /policies/event_matcher/

###### Request:

Changed content type : `application/json`

- Changed property `app` (string)

    > Match events created by selected application. When left empty, all applications are matched.

    Added enum values:

    - `authentik.providers.rac`
    - `authentik.stages.authenticator_email`
    - `authentik.enterprise.providers.ssf`

    Removed enum value:

    - `authentik.enterprise.providers.rac`

- Changed property `model` (string)

    > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum values:

    - `authentik_stages_authenticator_email.authenticatoremailstage`
    - `authentik_stages_authenticator_email.emaildevice`
    - `authentik_providers_ssf.ssfprovider`

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    - Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Added enum values:

        - `authentik.providers.rac`
        - `authentik.stages.authenticator_email`
        - `authentik.enterprise.providers.ssf`

        Removed enum value:

        - `authentik.enterprise.providers.rac`

    - Changed property `model` (string)

        > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

        Added enum values:

        - `authentik_stages_authenticator_email.authenticatoremailstage`
        - `authentik_stages_authenticator_email.emaildevice`
        - `authentik_providers_ssf.ssfprovider`

##### `GET` /policies/event_matcher/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > Event Matcher Policy Serializer

        - Changed property `app` (string)

            > Match events created by selected application. When left empty, all applications are matched.

            Added enum values:

            - `authentik.providers.rac`
            - `authentik.stages.authenticator_email`
            - `authentik.enterprise.providers.ssf`

            Removed enum value:

            - `authentik.enterprise.providers.rac`

        - Changed property `model` (string)

            > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

            Added enum values:

            - `authentik_stages_authenticator_email.authenticatoremailstage`
            - `authentik_stages_authenticator_email.emaildevice`
            - `authentik_providers_ssf.ssfprovider`

##### `GET` /policies/geoip/{policy_uuid}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Added property `check_history_distance` (boolean)

    - Added property `history_max_distance_km` (integer)

    - Added property `distance_tolerance_km` (integer)

    - Added property `history_login_count` (integer)

    - Added property `check_impossible_travel` (boolean)

    - Added property `impossible_tolerance_km` (integer)

##### `PUT` /policies/geoip/{policy_uuid}/

###### Request:

Changed content type : `application/json`

- Added property `check_history_distance` (boolean)

- Added property `history_max_distance_km` (integer)

- Added property `distance_tolerance_km` (integer)

- Added property `history_login_count` (integer)

- Added property `check_impossible_travel` (boolean)

- Added property `impossible_tolerance_km` (integer)

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Added property `check_history_distance` (boolean)

    - Added property `history_max_distance_km` (integer)

    - Added property `distance_tolerance_km` (integer)

    - Added property `history_login_count` (integer)

    - Added property `check_impossible_travel` (boolean)

    - Added property `impossible_tolerance_km` (integer)

##### `PATCH` /policies/geoip/{policy_uuid}/

###### Request:

Changed content type : `application/json`

- Added property `check_history_distance` (boolean)

- Added property `history_max_distance_km` (integer)

- Added property `distance_tolerance_km` (integer)

- Added property `history_login_count` (integer)

- Added property `check_impossible_travel` (boolean)

- Added property `impossible_tolerance_km` (integer)

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Added property `check_history_distance` (boolean)

    - Added property `history_max_distance_km` (integer)

    - Added property `distance_tolerance_km` (integer)

    - Added property `history_login_count` (integer)

    - Added property `check_impossible_travel` (boolean)

    - Added property `impossible_tolerance_km` (integer)

##### `POST` /rbac/permissions/assigned_by_roles/{uuid}/assign/

###### Request:

Changed content type : `application/json`

- Changed property `model` (string)

    Added enum values:

    - `authentik_stages_authenticator_email.authenticatoremailstage`
    - `authentik_stages_authenticator_email.emaildevice`
    - `authentik_providers_ssf.ssfprovider`

##### `PATCH` /rbac/permissions/assigned_by_roles/{uuid}/unassign/

###### Request:

Changed content type : `application/json`

- Changed property `model` (string)

    Added enum values:

    - `authentik_stages_authenticator_email.authenticatoremailstage`
    - `authentik_stages_authenticator_email.emaildevice`
    - `authentik_providers_ssf.ssfprovider`

##### `POST` /rbac/permissions/assigned_by_users/{id}/assign/

###### Request:

Changed content type : `application/json`

- Changed property `model` (string)

    Added enum values:

    - `authentik_stages_authenticator_email.authenticatoremailstage`
    - `authentik_stages_authenticator_email.emaildevice`
    - `authentik_providers_ssf.ssfprovider`

##### `PATCH` /rbac/permissions/assigned_by_users/{id}/unassign/

###### Request:

Changed content type : `application/json`

- Changed property `model` (string)

    Added enum values:

    - `authentik_stages_authenticator_email.authenticatoremailstage`
    - `authentik_stages_authenticator_email.emaildevice`
    - `authentik_providers_ssf.ssfprovider`

##### `GET` /sources/scim/{slug}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `token_obj` (object)

        > Token Serializer

        - Changed property `user_obj` (object)

            > User Serializer

            New required properties:

            - `password_change_date`

            * Added property `password_change_date` (string)

##### `PUT` /sources/scim/{slug}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `token_obj` (object)

        > Token Serializer

        - Changed property `user_obj` (object)

            > User Serializer

            New required properties:

            - `password_change_date`

            * Added property `password_change_date` (string)

##### `PATCH` /sources/scim/{slug}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `token_obj` (object)

        > Token Serializer

        - Changed property `user_obj` (object)

            > User Serializer

            New required properties:

            - `password_change_date`

            * Added property `password_change_date` (string)

##### `POST` /authenticators/admin/static/

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    New required properties:

    - `user`

    * Added property `user` (object)

##### `GET` /authenticators/admin/static/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > Serializer for static authenticator devices

        New required properties:

        - `user`

        * Added property `user` (object)

##### `GET` /authenticators/static/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > Serializer for static authenticator devices

        New required properties:

        - `user`

        * Added property `user` (object)

##### `POST` /core/tokens/

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    - Changed property
`user_obj` (object) > User Serializer New required properties: - `password_change_date` * Added property `password_change_date` (string) ##### `GET` /core/tokens/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Token Serializer - Changed property `user_obj` (object) > User Serializer New required properties: - `password_change_date` * Added property `password_change_date` (string) ##### `GET` /core/user_consent/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `user` (object) > User Serializer New required properties: - `password_change_date` * Added property `password_change_date` (string) ##### `POST` /core/users/ ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` New required properties: - `password_change_date` * Added property `password_change_date` (string) ##### `GET` /core/users/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > User Serializer New required properties: - `password_change_date` * Added property `password_change_date` (string) ##### `GET` /flows/bindings/{fsb_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `re_evaluate_policies` (boolean) > Evaluate policies when the Stage is presented to the user. ##### `PUT` /flows/bindings/{fsb_uuid}/ ###### Request: Changed content type : `application/json` - Changed property `re_evaluate_policies` (boolean) > Evaluate policies when the Stage is presented to the user. ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `re_evaluate_policies` (boolean) > Evaluate policies when the Stage is presented to the user. 
##### `PATCH` /flows/bindings/{fsb_uuid}/

###### Request:

Changed content type : `application/json`

- Changed property `re_evaluate_policies` (boolean)

    > Evaluate policies when the Stage is presented to the user.

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `re_evaluate_policies` (boolean)

        > Evaluate policies when the Stage is presented to the user.

##### `POST` /policies/bindings/

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    - Changed property `user_obj` (object)

        > User Serializer

        New required properties:

        - `password_change_date`

        * Added property `password_change_date` (string)

##### `GET` /policies/bindings/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object):

        > PolicyBinding Serializer

        - Changed property `user_obj` (object)

            > User Serializer

            New required properties:

            - `password_change_date`

            * Added property `password_change_date` (string)

##### `POST` /policies/geoip/

###### Request:

Changed content type : `application/json`

- Added property `check_history_distance` (boolean)
- Added property `history_max_distance_km` (integer)
- Added property `distance_tolerance_km` (integer)
- Added property `history_login_count` (integer)
- Added property `check_impossible_travel` (boolean)
- Added property `impossible_tolerance_km` (integer)

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    - Added property `check_history_distance` (boolean)
    - Added property `history_max_distance_km` (integer)
    - Added property `distance_tolerance_km` (integer)
    - Added property `history_login_count` (integer)
    - Added property `check_impossible_travel` (boolean)
    - Added property `impossible_tolerance_km` (integer)

##### `GET` /policies/geoip/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object):

        > GeoIP Policy Serializer

        - Added property `check_history_distance` (boolean)
        - Added property `history_max_distance_km` (integer)
        - Added property `distance_tolerance_km` (integer)
        - Added property `history_login_count` (integer)
        - Added property `check_impossible_travel` (boolean)
        - Added property `impossible_tolerance_km` (integer)

##### `GET` /rbac/permissions/assigned_by_roles/

###### Parameters:

Changed: `model` in `query`

##### `GET` /rbac/permissions/assigned_by_users/

###### Parameters:

Changed: `model` in `query`

##### `GET` /sources/all/

###### Parameters:

Added: `pbm_uuid` in `query`

##### `GET` /sources/kerberos/

###### Parameters:

Added: `pbm_uuid` in `query`

##### `GET` /sources/ldap/

###### Parameters:

Added: `pbm_uuid` in `query`

##### `GET` /sources/oauth/

###### Parameters:

Added: `pbm_uuid` in `query`

##### `GET` /sources/plex/

###### Parameters:

Added: `pbm_uuid` in `query`

##### `GET` /sources/saml/

###### Parameters:

Added: `pbm_uuid` in `query`

##### `POST` /sources/scim/

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    - Changed property `token_obj` (object)

        > Token Serializer

        - Changed property `user_obj` (object)

            > User Serializer

            New required properties:

            - `password_change_date`

            * Added property `password_change_date` (string)

##### `GET` /sources/scim/

###### Parameters:

Added: `pbm_uuid` in `query`

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object):

        > SCIMSource Serializer

        - Changed property `token_obj` (object)

            > Token Serializer

            - Changed property `user_obj` (object)

                > User Serializer

                New required properties:

                - `password_change_date`

                * Added property `password_change_date` (string)

##### `GET` /stages/authenticator/validate/{stage_uuid}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `device_classes` (array)

        > Device classes which can be used to authenticate

        Changed items (string):

        Added enum value:

        - `email`

##### `PUT` /stages/authenticator/validate/{stage_uuid}/

###### Request:

Changed content type : `application/json`

- Changed property `device_classes` (array)

    > Device classes which can be used to authenticate

    Changed items (string):

    Added enum value:

    - `email`

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `device_classes` (array)

        > Device classes which can be used to authenticate

        Changed items (string):

        Added enum value:

        - `email`

##### `PATCH` /stages/authenticator/validate/{stage_uuid}/

###### Request:

Changed content type : `application/json`

- Changed property `device_classes` (array)

    > Device classes which can be used to authenticate

    Changed items (string):

    Added enum value:

    - `email`

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `device_classes` (array)

        > Device classes which can be used to authenticate

        Changed items (string):

        Added enum value:

        - `email`

##### `GET` /core/user_consent/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object):

        > UserConsent Serializer

        - Changed property `user` (object)

            > User Serializer

            New required properties:

            - `password_change_date`

            * Added property `password_change_date` (string)

##### `POST` /flows/bindings/

###### Request:

Changed content type : `application/json`

- Changed property `re_evaluate_policies` (boolean)

    > Evaluate policies when the Stage is presented to the user.

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    - Changed property `re_evaluate_policies` (boolean)

        > Evaluate policies when the Stage is presented to the user.
##### `GET` /flows/bindings/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object):

        > FlowStageBinding Serializer

        - Changed property `re_evaluate_policies` (boolean)

            > Evaluate policies when the Stage is presented to the user.

##### `GET` /flows/executor/{flow_slug}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    Added 'ak-stage-authenticator-email' component:

    - Property `flow_info` (object)

        > Contextual flow information for a challenge

        - Property `title` (string)
        - Property `background` (string)
        - Property `cancel_url` (string)
        - Property `layout` (string)

            Enum values:

            - `stacked`
            - `content_left`
            - `content_right`
            - `sidebar_left`
            - `sidebar_right`

    - Property `component` (string)
    - Property `response_errors` (object)
    - Property `pending_user` (string)
    - Property `pending_user_avatar` (string)
    - Property `email` (string)
    - Property `email_required` (boolean)

##### `POST` /flows/executor/{flow_slug}/

###### Request:

Changed content type : `application/json`

Added 'ak-stage-authenticator-email' component:

- Property `component` (string)
- Property `code` (integer)
- Property `email` (string)

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    Added 'ak-stage-authenticator-email' component:

##### `GET` /flows/inspector/{flow_slug}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `plans` (array)

        Changed items (object):

        > Serializer for an active FlowPlan

        - Changed property `next_planned_stage` (object)

            > FlowStageBinding Serializer

            - Changed property `re_evaluate_policies` (boolean)

                > Evaluate policies when the Stage is presented to the user.

        - Changed property `current_stage` (object)

            > FlowStageBinding Serializer

            - Changed property `re_evaluate_policies` (boolean)

                > Evaluate policies when the Stage is presented to the user.

##### `GET` /oauth2/access_tokens/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `user` (object)

        > User Serializer

        New required properties:

        - `password_change_date`

        * Added property `password_change_date` (string)

##### `GET` /oauth2/authorization_codes/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `user` (object)

        > User Serializer

        New required properties:

        - `password_change_date`

        * Added property `password_change_date` (string)

##### `GET` /oauth2/refresh_tokens/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `user` (object)

        > User Serializer

        New required properties:

        - `password_change_date`

        * Added property `password_change_date` (string)

##### `POST` /stages/authenticator/validate/

###### Request:

Changed content type : `application/json`

- Changed property `device_classes` (array)

    > Device classes which can be used to authenticate

    Changed items (string):

    Added enum value:

    - `email`

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    - Changed property `device_classes` (array)

        > Device classes which can be used to authenticate

        Changed items (string):

        Added enum value:

        - `email`

##### `GET` /stages/authenticator/validate/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object):

        > AuthenticatorValidateStage Serializer

        - Changed property `device_classes` (array)

            > Device classes which can be used to authenticate

            Changed items (string):

            Added enum value:

            - `email`

##### `PUT` /core/transactional/applications/

###### Request:

Changed content type : `application/json`

- Changed property `provider_model` (string)

    Added enum value:

    - `authentik_providers_ssf.ssfprovider`

- Changed property `provider` (object)

    Added 'authentik_providers_ssf.ssfprovider' provider_model:

    - Property `name` (string)
    - Property `signing_key` (string)

        > Key used to sign the SSF Events.

    - Property `oidc_auth_providers` (array)

        Items (integer):

    - Property `event_retention` (string)

##### `GET` /oauth2/access_tokens/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object):

        > Serializer for BaseGrantModel and RefreshToken

        - Changed property `user` (object)

            > User Serializer

            New required properties:

            - `password_change_date`

            * Added property `password_change_date` (string)

##### `GET` /oauth2/authorization_codes/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object):

        > Serializer for BaseGrantModel and ExpiringBaseGrant

        - Changed property `user` (object)

            > User Serializer

            New required properties:

            - `password_change_date`

            * Added property `password_change_date` (string)

##### `GET` /oauth2/refresh_tokens/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object):

        > Serializer for BaseGrantModel and RefreshToken

        - Changed property `user` (object)

            > User Serializer

            New required properties:

            - `password_change_date`

            * Added property `password_change_date` (string)