Release 2025.6
Highlights
-
mTLS Stage: Enterprise The Mutual TLS stage provides support for mTLS, a standard protocol that uses certificates for mutual authentication between a client and a server.
-
Email verification compatibility with link scanners: We have improved compatibility for environments that have automated scanning software that inadvertently invalidated one-time links sent by authentik.
-
LDAP source sync forward deletions: This option synchronizes the deletion of users and groups from LDAP sources to authentik.
Breaking changes
-
Helm chart dependencies upgrades:
- The PostgreSQL chart has been updated to version 16.7.4. The PostgreSQL image is no longer pinned in authentik's default values and has been upgraded from version 15 to 17. Follow our PostgreSQL upgrade instructions to update to the latest PostgreSQL version.
- The Redis chart has been updated to version 21.1.6. There are no breaking changes and Redis has been upgraded from version 7 to 8.
-
Deprecated and frozen
:latestcontainer image tag after 2025.2Using the
:latesttag with container images is not recommended as it can lead to unintentional updates and potentially broken setups. The tag will not be removed, however it will also not be updated past 2025.2. We strongly recommended the use of a specific version tag for authentik instances' container images, such as:2025.6. -
CSS: We’ve made some improvements to our theming system. If your authentik instance uses custom CSS, you might need to review flow and user interfaces for any visual changes.
New features and improvements
- mTLS stage: Enterprise The Mutual TLS stage enables authentik to use client certificates to enroll and authenticate users. These certificates can be local to the device or available via PIV Smart Cards, Yubikeys, etc. For environments where certificates are already rolled out, this can make authentication a lot more seamless. Refer to our technical documentation for more information.
- Email verification compatibility with link scanners: We have improved compatibility for environments with automated scanning software that inadvertently invalidated one-time links sent by authentik.
- LDAP source sync forward deletions: With this option enabled, users or groups created in authentik via LDAP sources will also be removed from authentik if they are deleted from the LDAP source. For more information, please refer to our LDAP source documentation.
- Provider sync performance: We have implemented parallel scheduling for outgoing syncs to provide faster synchronization.
- Branding: Custom branding should now be more consistent on initial load, without flickering.
- Remote Access Control (RAC) improved documentation: Added content about how to authenticate using a public key and improved the wording and formatting throughout the topic.
New integration guides
An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added to our documentation:
- Atlassian Cloud (Jira, Confluence, etc)
- Coder
- FileRise
- Komodo
- Pangolin
- Push Security
- Stripe
- Tailscale
- YouTrack
Upgrading
This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our Upgrade documentation.
When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance.
Docker Compose
To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
wget -O docker-compose.yml https://goauthentik.io/version/2025.6/docker-compose.yml
docker compose up -d
The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.
Kubernetes
Upgrade the Helm Chart to the new version, using the following commands:
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.6
Minor changes/fixes
- brands: fix CSS Migration not updating brands (#14306)
- core: fix session migration when old session can't be loaded (#14466)
- core: fix unable to create group if no enable_group_superuser permission is given (#14510)
- core: Migrate permissions before deleting OldAuthenticatedSession (#14788)
- core: Publish web packages. (#14648)
- core: remove
OldAuthenticatedSessioncontent type (#14507) - enterprise: fix expired license's users being counted (#14451)
- enterprise/stages: Add MTLS stage (#14296)
- enterprise/stages/mtls: improve certificate validation (#14582)
- enterprise/stages/mtls: update go & web client, fix py client generation (#14576)
- lib/sync: fix static incorrect label of pages (#14851)
- lib/sync/outgoing: reduce number of db queries made (#14177)
- lib/sync/outgoing: sync in parallel (#14697)
- lifecycle: fix ak dump_config (#14445)
- lifecycle: fix test-all in docker (#14244)
- outposts: fix tmpdir in containers not being set (#14444)
- providers/ldap: retain binder and update users instead of re-creating (#14735)
- providers/proxy: kubernetes outpost: fix reconcile when ingress class name changed (#14612)
- providers/rac: apply ConnectionToken scoped-settings last (#14838)
- rbac: add
nameto Permissions search (#14269) - rbac: fix RoleObjectPermissionTable not showing
add_user_to_group(#14312) - root: backport SFE Build fix (#14495)
- root: do not use /bin/bash directly (#14698)
- root: improve sentry distributed tracing (#14468)
- root: move forked dependencies to goauthentik org (#14590)
- root: pin package version in pyproject for dependabot (#14469)
- root: readme: use right contribution guide link (#14250)
- root: replace raw.githubusercontent.com by checking out repo (#14567)
- root: temporarily deactivate database pool option (#14443)
- sources/kerberos: resolve logger warnings (#14540)
- sources/ldap: add forward deletion option (#14718)
- stages/email: fix email scanner voiding token (#14325)
- tests/e2e: Add E2E tests for Flow SFE (#14484)
- tests/e2e: add test for authentication flow in compatibility mode (#14392)
- tests/e2e: fix flaky SAML Source test (#14708)
- web, website: update browserslist (#14386)
- web: Add specific Storybook dependency. (#14719)
- web: Clean up browser-only module imports that crash WebDriverIO. (#14330)
- web: cleanup/loading attribute always true (#14288)
- web: Controller refinements, error handling (#14700)
- Web: Controllers cleanup (#14616)
- web: fix bug that was causing charts to be too tall (#14253)
- web: fix description for signing responses in SAML provider (#14573)
- web: Fix issue where dual select type is not specific. (#14783)
- web: Fix issue where Storybook cannot resolve styles. (#14553)
- web: Fix missing Enterprise sidebar entries. (#14615)
- web: fix regression in subpath support (#14646)
- web: NPM workspaces (#14274)
- web: Type Tidy (#14647)
- web: Use engine available on Github Actions. (#14699)
- web: Use monorepo package utilities to build packages (#14159)
- web/admin: Dual select state management, custom event dispatching. (#14490)
- web/admin: fix enterprise menu display (#14447)
- web/admin: fix permissions modal button missing for PolicyBindings and FlowStageBindings (#14619)
- web/admin: Fix sidebar toggle synchronization. (#14487)
- web/admin: prevent default logo flashing in admin interface (#13960)
- web/flows: update default flow background (#14769)
- web/flows/sfe: fix global background image not being loaded (#14442)
Fixed in 2025.6.1
- providers/proxy: add option to override host header with property mappings (cherry-pick #14927) (#14945)
- tenants: fix tenant aware celery scheduler (cherry-pick #14921)
- web/user: fix user settings flow not loading (cherry-pick #14911) (#14930)
Fixed in 2025.6.2
- brands: fix custom_css being escaped (cherry-pick #14994) (#14996)
- core: bump django from 5.1.10 to 5.1.11 (cherry-pick #14997) (#15010)
- core: bump django from 5.1.9 to 5.1.10 (cherry-pick #14951) (#15008)
- internal/outpost: fix incorrect usage of golang SHA API (cherry-pick #14981) (#14982)
- providers/rac: fixes prompt data not being merged with connection_settings (cherry-pick #15037) (#15038)
- stages/email: Only attach logo to email if used (cherry-pick #14835) (#14969)
- web/elements: fix dual select without sortBy (cherry-pick #14977) (#14979)
- web/elements: fix typo in localeComparator (cherry-pick #15054) (#15055)
API Changes
What's New
GET /stages/mtls/
POST /stages/mtls/
GET /stages/mtls/{stage_uuid}/
PUT /stages/mtls/{stage_uuid}/
DELETE /stages/mtls/{stage_uuid}/
PATCH /stages/mtls/{stage_uuid}/
GET /stages/mtls/{stage_uuid}/used_by/
What's Changed
GET /core/brands/{brand_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json-
Added property
client_certificates(array)Certificates used for client authentication.
Items (string):
-
PUT /core/brands/{brand_uuid}/
Request:
Changed content type : application/json
- Added property
client_certificates(array)Certificates used for client authentication.
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json- Added property
client_certificates(array)Certificates used for client authentication.
- Added property
PATCH /core/brands/{brand_uuid}/
Request:
Changed content type : application/json
- Added property
client_certificates(array)Certificates used for client authentication.
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json- Added property
client_certificates(array)Certificates used for client authentication.
- Added property
GET /policies/event_matcher/{policy_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json-
Changed property
app(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.enterprise.stages.mtls
-
Changed property
model(string)Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum value:
authentik_stages_mtls.mutualtlsstage
-
PUT /policies/event_matcher/{policy_uuid}/
Request:
Changed content type : application/json
-
Changed property
app(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.enterprise.stages.mtls
-
Changed property
model(string)Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum value:
authentik_stages_mtls.mutualtlsstage
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json-
Changed property
app(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.enterprise.stages.mtls
-
Changed property
model(string)Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum value:
authentik_stages_mtls.mutualtlsstage
-
PATCH /policies/event_matcher/{policy_uuid}/
Request:
Changed content type : application/json
-
Changed property
app(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.enterprise.stages.mtls
-
Changed property
model(string)Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum value:
authentik_stages_mtls.mutualtlsstage
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json-
Changed property
app(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.enterprise.stages.mtls
-
Changed property
model(string)Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum value:
authentik_stages_mtls.mutualtlsstage
-
POST /core/brands/
Request:
Changed content type : application/json
- Added property
client_certificates(array)Certificates used for client authentication.
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json- Added property
client_certificates(array)Certificates used for client authentication.
- Added property
GET /core/brands/
Parameters:
Added: client_certificates in query
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json-
Changed property
results(array)Changed items (object): > Brand Serializer
- Added property
client_certificates(array)Certificates used for client authentication.
- Added property
-
POST /policies/event_matcher/
Request:
Changed content type : application/json
-
Changed property
app(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.enterprise.stages.mtls
-
Changed property
model(string)Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum value:
authentik_stages_mtls.mutualtlsstage
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json-
Changed property
app(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.enterprise.stages.mtls
-
Changed property
model(string)Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum value:
authentik_stages_mtls.mutualtlsstage
-
GET /policies/event_matcher/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json-
Changed property
results(array)Changed items (object): > Event Matcher Policy Serializer
-
Changed property
app(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.enterprise.stages.mtls
-
Changed property
model(string)Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum value:
authentik_stages_mtls.mutualtlsstage
-
-
POST /rbac/permissions/assigned_by_roles/{uuid}/assign/
Request:
Changed content type : application/json
-
Changed property
model(string)Added enum value:
authentik_stages_mtls.mutualtlsstage
PATCH /rbac/permissions/assigned_by_roles/{uuid}/unassign/
Request:
Changed content type : application/json
-
Changed property
model(string)Added enum value:
authentik_stages_mtls.mutualtlsstage
POST /rbac/permissions/assigned_by_users/{id}/assign/
Request:
Changed content type : application/json
-
Changed property
model(string)Added enum value:
authentik_stages_mtls.mutualtlsstage
PATCH /rbac/permissions/assigned_by_users/{id}/unassign/
Request:
Changed content type : application/json
-
Changed property
model(string)Added enum value:
authentik_stages_mtls.mutualtlsstage
GET /sources/ldap/{slug}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json- Added property
delete_not_found_objects(boolean)Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
- Added property
PUT /sources/ldap/{slug}/
Request:
Changed content type : application/json
- Added property
delete_not_found_objects(boolean)Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json- Added property
delete_not_found_objects(boolean)Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
- Added property
PATCH /sources/ldap/{slug}/
Request:
Changed content type : application/json
- Added property
delete_not_found_objects(boolean)Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json- Added property
delete_not_found_objects(boolean)Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
- Added property
GET /rbac/permissions/assigned_by_roles/
Parameters:
Changed: model in query
GET /rbac/permissions/assigned_by_users/
Parameters:
Changed: model in query
POST /sources/ldap/
Request:
Changed content type : application/json
- Added property
delete_not_found_objects(boolean)Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json- Added property
delete_not_found_objects(boolean)Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
- Added property
GET /sources/ldap/
Parameters:
Added: delete_not_found_objects in query
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json-
Changed property
results(array)Changed items (object): > LDAP Source Serializer
- Added property
delete_not_found_objects(boolean)Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
- Added property
-