websites/integrations: specify redirect uri of type authorization or post logout (#22981)

* docs/integrations: Update docs to specify redirect uri of type authorization or post logout * bold redirect uri * improve wording * update docs * add banner for warning of redirect uri's * Update website/integrations/_redirect-uri-2026-5-note.mdx Signed-off-by: Dewi Roberts <dewi@goauthentik.io> --------- Signed-off-by: Connor Peshek <connor@connorpeshek.me> Signed-off-by: Dewi Roberts <dewi@goauthentik.io> Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
2026-06-17 19:09:11 +03:00 · 2026-06-11 11:58:23 -05:00
parent ab1f8a0692
commit 783859d3c8
126 changed files with 627 additions and 148 deletions
@@ -102,7 +102,7 @@ Every application that you add to authentik requires a provider, which is used t
          authorization, etc.
    - **Protocol settings**: provide the following required configurations:
        - Note the **Client ID**, **Client Secret**, and **Slug** values because they will be required later when you configure Grafana to use authentik.
-        - Set the **Redirect URI** as a `Strict` redirect to `https://grafana.company/login/generic_oauth`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://grafana.company/login/generic_oauth`.
            - <strong className="tip">TIP</strong>: The Redirect URI is where a user is directed to,
              as soon as authentik's authorization flow is successfully completed.
    - **Grant Types** (required): Select at least one [grant type](../../add-secure-apps/providers/oauth2/#oauth-20-flows-and-grant-types) that the provider can use.
@@ -0,0 +1,3 @@
+:::info Redirect URI changes in authentik 2026.5
+In authentik versions earlier than 2026.5, all **Redirect URIs** are automatically treated as `Authorization` type. If you are using one of these older authentik versions, add only the `Authorization` URL to your **Redirect URIs** and do not configure a `Post Logout` URI.
+:::
@@ -4,6 +4,8 @@ sidebar_label: AFFiNE
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is AFFiNE?

 > AFFiNE is an open-source, self-hostable workspace for documents, whiteboards, and databases.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of AFFiNE with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of AFFiNE with authentik, you need to create an appli
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Add one `Strict` redirect URI and set it to `https://affine.company/oauth/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://affine.company/oauth/callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,7 @@ sidebar_label: ChatGPT
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -38,6 +39,8 @@ You can configure ChatGPT to use either OIDC or SAML; this guide explains both o

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of ChatGPT with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -48,7 +51,7 @@ To support the integration of ChatGPT with authentik, you need to create an appl
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Temporarily set a `Strict` redirect URI to `https://temp.temp`.
+        - Temporarily add a **Redirect URI** of type `Strict` `Authorization` as `https://temp.temp`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -77,7 +80,7 @@ ChatGPT only enables the **Manage SSO** wizard after you verify ownership of you

 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Providers** and click the **Edit** icon of the newly created ChatGPT provider.
-3. Under **Protocol settings**, set the **Redirect URIs** to the **Login redirect URI** from ChatGPT.
+3. Under **Protocol settings**, add a **Redirect URI** of type `Strict` `Authorization` as the **Login redirect URI** value from ChatGPT.
 4. Click **Update**.

 </TabItem>
@@ -4,6 +4,8 @@ sidebar_label: EspoCRM
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is EspoCRM?

 > EspoCRM is a CRM (customer relationship management) web application that allows users to store, visualize, and analyze their company's business-related relationships such as opportunities, people, businesses, and projects.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of EspoCRM with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -37,7 +41,7 @@ To support the integration of EspoCRM with authentik, you need to create an appl
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://espocrm.company/oauth-callback.php`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://espocrm.company/oauth-callback.php`.
        - Select any available signing key.
        - Under **Advanced protocol settings**, set **Subject mode** to **Based on the User's username**.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: grommunio
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 <!-- spellchecker:ignore gromox -->

 ## What is grommunio?
@@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To integrate authentik with grommunio, you will need to create an application and provider pair in authentik.

 :::info Keycloak-compatible endpoints
@@ -39,7 +43,7 @@ grommunio-web expects Keycloak-compatible OIDC endpoints. Because authentik does
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name, the authorization flow to use, and the following required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://grommunio.company/web`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://grommunio.company/web`.
        - Set **Signing Key** to an available RSA key.
        - Under **Advanced protocol settings**:
            - Add the `authentik default OAuth Mapping: OpenID 'offline_access'` scope to **Selected Scopes**.
@@ -4,6 +4,8 @@ sidebar_label: HedgeDoc
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is HedgeDoc?

 > HedgeDoc lets you create real-time collaborative markdown notes.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of HedgeDoc with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of HedgeDoc with authentik, you need to create an app
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://hedgedoc.company/auth/oauth2/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://hedgedoc.company/auth/oauth2/callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 3. Click **Submit** to save the new application and provider.
@@ -4,6 +4,8 @@ sidebar_label: Kanboard
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Kanboard?

 > Kanboard is a free and open source Kanban project management software.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Kanboard with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Kanboard with authentik, you need to create an app
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://kanboard.company/oauth/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://kanboard.company/oauth/callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: mailcow Logs Viewer
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is mailcow Logs Viewer?

 > A modern, self-hosted dashboard for monitoring, analyzing, and managing your mailcow mail server. Track email delivery, investigate spam, manage quarantine, detect bounce-based abuse, and validate DNS configurations, all from a single interface.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of mailcow Logs Viewer with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of mailcow Logs Viewer with authentik, you need to cr
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **application slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://mailcow-logs-viewer.company/api/auth/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mailcow-logs-viewer.company/api/auth/callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: mailcow
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is mailcow?

 > mailcow is a Dockerized, open-source groupware and email suite based on Docker. It relies on many well-known and long-used components, which, when combined, result in a comprehensive email server solution.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of mailcow with authentik, you need to create a property mapping, set the `email_verified` attribute on required users, and create an application/provider pair in authentik.

 ### Create a property mapping
@@ -56,7 +60,7 @@ Repeat these steps for all users that need to use the Mailcow integration.
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://mailcow.company`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mailcow.company`.
        - Select any available signing key.
        - Under **Advanced protocol settings**:
            - Remove the `authentik default OAuth Mapping: OpenID 'email'` scope from **Selected Scopes**.
@@ -4,6 +4,8 @@ sidebar_label: Mastodon
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Mastodon?

 > Mastodon is free and open-source software for running self-hosted social networking services. It has microblogging features similar to Twitter
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Mastodon with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Mastodon with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://mastodon.company/auth/auth/openid_connect/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mastodon.company/auth/auth/openid_connect/callback`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Matrix Synapse
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Matrix Synapse?

 > Matrix is an open source project that publishes the Matrix open standard for secure, decentralized, real-time communication, and its Apache licensed reference implementations.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Matrix Synapse with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Matrix Synapse with authentik, you need to create
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://matrix.company/_synapse/client/oidc/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://matrix.company/_synapse/client/oidc/callback`.
    - Select any available RSA signing key. Matrix Synapse doesn't support ECC keys.
    - Do not set an encryption key because this is not supported by Matrix Synapse.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,7 @@ sidebar_label: Mattermost Team Edition
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -45,6 +46,8 @@ Once configured, Mattermost will display a login button with the GitLab icon, bu

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Mattermost Team Edition with authentik, you need to create property mappings and an application/provider pair in authentik.

 ### Create property mappings
@@ -84,7 +87,7 @@ The following `id` property mapping is optional. If omitted, Mattermost will gen
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://mattermost.company/signup/gitlab/complete`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mattermost.company/signup/gitlab/complete`.
        - Select any available signing key.
        - Under **Advanced protocol settings**, add the scopes you just created to the list of selected scopes.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: Mobilizon
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Mobilizon?

 > Gather, organize and mobilize yourselves with a convivial, ethical, and emancipating tool. https://joinmobilizon.org
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Mobilizon with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Mobilizon with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://mobilizon.company/auth/keycloak/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mobilizon.company/auth/keycloak/callback`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,7 @@ sidebar_label: Nextcloud
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";

 ## What is Nextcloud?
@@ -116,6 +117,8 @@ To connect to an existing Nextcloud user, set the `nextcloud_user_id` attribute

 ## Create an application and provider in authentik

+<RedirectURI20265Note />
+
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
@@ -4,6 +4,7 @@ sidebar_label: OpenCloud
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";

@@ -35,6 +36,8 @@ Choose your setup below. The **Web only** tab logs in through the browser. The *

 ## authentik configuration

+<RedirectURI20265Note />
+
 1. Log in to authentik as an administrator and open the Admin interface.
 2. Navigate to **Applications** > **Applications** and click **New Application**.
    - **Application**: provide a name and note the **slug**.
@@ -43,9 +46,9 @@ Choose your setup below. The **Web only** tab logs in through the browser. The *
        - **Client type**: `Public`
        - **Client ID**: `web`
        - **Redirect URIs**:
-            - Strict: `https://opencloud.company/oidc-callback.html`
-            - Strict: `https://opencloud.company/oidc-silent-redirect.html`
-            - Strict: `https://opencloud.company/`
+            - `Strict` `Authorization`: `https://opencloud.company/oidc-callback.html`
+            - `Strict` `Authorization`: `https://opencloud.company/oidc-silent-redirect.html`
+            - `Strict` `Authorization`: `https://opencloud.company/`
        - **Signing Key**: select any available key.
        - **Scopes**: `openid`, `profile`, `email`.
 3. Click **Submit**.
@@ -112,12 +115,12 @@ With GLOBAL issuer mode enabled, tokens use an issuer of `iss = https://authenti

 Repeat these steps for **each** of the four clients (Web, Desktop, Android, and iOS), using the per-client values from the table below.

-| Client  | Client ID          | Redirect URIs                                                                               |
-| ------- | ------------------ | ------------------------------------------------------------------------------------------- |
-| Web     | `web`              | Strict: `https://opencloud.company/oidc-callback.html`, `…/oidc-silent-redirect.html`, `…/` |
-| Desktop | `OpenCloudDesktop` | Regex: `http://127.0.0.1(:[0-9]+)?(/.*)?` and `http://localhost(:[0-9]+)?(/.*)?`            |
-| Android | `OpenCloudAndroid` | Strict: `oc://android.opencloud.eu`                                                         |
-| iOS     | `OpenCloudIOS`     | Strict: `oc://ios.opencloud.eu`                                                             |
+| Client  | Client ID          | Redirect URIs                                                                                                 |
+| ------- | ------------------ | ------------------------------------------------------------------------------------------------------------- |
+| Web     | `web`              | `Strict` `Authorization`: `https://opencloud.company/oidc-callback.html`, `…/oidc-silent-redirect.html`, `…/` |
+| Desktop | `OpenCloudDesktop` | `Regex` `Authorization`: `http://127.0.0.1(:[0-9]+)?(/.*)?` and `http://localhost(:[0-9]+)?(/.*)?`            |
+| Android | `OpenCloudAndroid` | `Strict` `Authorization`: `oc://android.opencloud.eu`                                                         |
+| iOS     | `OpenCloudIOS`     | `Strict` `Authorization`: `oc://ios.opencloud.eu`                                                             |

 1. Log in to authentik as an administrator and open the Admin interface.
 2. Navigate to **Applications** > **Applications** and click **New Application**.
@@ -4,6 +4,8 @@ sidebar_label: OpenProject
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is OpenProject?

 > OpenProject is a web-based project management software. Use OpenProject to manage your projects, tasks and goals. Collaborate via work packages and link them to your pull requests on GitHub.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of OpenProject with authentik, you need to create a property mapping and an application/provider pair in authentik.

 ### Create a scope mapping
@@ -61,7 +65,7 @@ OpenProject requires a first and last name for each user. By default authentik o
    - **Protocol settings**:
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
        - **Redirect URI**:
-            - Strict: `https://openproject.company/auth/oidc-authentik/callback`
+            - `Strict` `Authorization`: `https://openproject.company/auth/oidc-authentik/callback`
        - **Signing key**: select any available signing key.
    - **Advanced protocol settings**:
        - **Scopes**:
@@ -4,6 +4,8 @@ sidebar_label: ownCloud
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is ownCloud?

 > ownCloud is a free and open-source software project for content collaboration and sharing and syncing of files.
@@ -23,6 +25,8 @@ This guide focuses on deploying ownCloud installations using Docker. If you depl

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of ownCloud with authentik, you need to create multiple application/provider pairs in authentik. A different pair is required for the Web UI, Desktop application, Android application, and iOS application.

 The configuration for each application is nearly identical, except for the **Client ID**, **Client Secret**, and the **Redirect URI** values, which are [predefined](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-ids-secrets-and-redirect-uris) by ownCloud for the Desktop, Android, and iOS applications.
@@ -43,29 +47,29 @@ The configuration for each application is nearly identical, except for the **Cli
        - **Client ID**: Use the value generated by authentik.
        - **Client Secret**: Use the value generated by authentik.
        - **Redirect URIs**:
-            - Strict: `https://owncloud.company/apps/openidconnect/redirect`
+            - `Strict` `Authorization`: `https://owncloud.company/apps/openidconnect/redirect`

        **Desktop Application**
        - **Signing Key**: Select any available signing key.
        - **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id).
        - **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
        - **Redirect URIs**:
-            - Regex: `http://localhost:\d+`
-            - Regex: `http://127.0.0.1:\d+`
+            - `Regex` `Authorization`: `http://localhost:\d+`
+            - `Regex` `Authorization`: `http://127.0.0.1:\d+`

        **Android Application**
        - **Signing Key**: Select any available signing key.
        - **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id).
        - **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
        - **Redirect URI**:
-            - Strict: `oc://android.owncloud.com`
+            - `Strict` `Authorization`: `oc://android.owncloud.com`

        **iOS Application**
        - **Signing Key**: Select any available signing key.
        - **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id).
        - **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
        - **Redirect URI**:
-            - Strict: `oc://ios.owncloud.com`
+            - `Strict` `Authorization`: `oc://ios.owncloud.com`

    - **Advanced protocol settings:**
        - **Scopes**: Select the following scopes for each of the four application/provider pairs: `email`, `offline_access`, `openid`, `profile`.
@@ -4,6 +4,8 @@ sidebar_label: Planka
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Planka?

 > Planka is an open-source, Trello-like application with a Kanban board system, used for project management.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Planka with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Planka with authentik, you need to create an appli
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://planka.company/oidc-callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://planka.company/oidc-callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Rocket.chat
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Rocket.chat?

 > Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript for organizations with high standards of data protection. It is licensed under the MIT License with some other licenses mixed in. See [Rocket.chat GitHub](https://github.com/RocketChat/Rocket.Chat/blob/develop/LICENSE) for licensing information.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Rocket.chat with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Rocket.chat with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://rocket.company/\_oauth/authentik`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://rocket.company/\_oauth/authentik`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Roundcube
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Roundcube?

 > Roundcube is a browser-based multilingual IMAP client with an application-like user interface. It provides the full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking.
@@ -29,6 +31,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Roundcube with authentik, you need to create an application/provider pair in authentik.

 ### Create property mappings
@@ -59,7 +63,7 @@ To support the integration of Roundcube with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://roundcube.company/index.php?\_task=settings&\_action=plugin.oauth_redirect`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://roundcube.company/index.php?\_task=settings&\_action=plugin.oauth_redirect`.
    - Select any available signing key.
    - Under **Advanced protocol settings**:
        - Under **Scopes**, add `dovecotprofile` and `authentik default OAuth Mapping: OpenID 'offline_access'` to the list of selected scopes.
@@ -4,6 +4,8 @@ sidebar_label: SharePoint Server SE
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Microsoft SharePoint?

 > SharePoint is a proprietary, web-based collaborative platform that integrates natively with Microsoft 365.
@@ -66,6 +68,8 @@ These guidelines use the following placeholders for the overall setup:

 ## authentik configuration

+<RedirectURI20265Note />
+
 ### Step 1: Create authentik OpenID property mappings

 SharePoint requires additional properties within the OpenID and profile scopes in order to operate OIDC properly and map incoming authentik OID claims with Microsoft claims.
@@ -140,7 +144,7 @@ From the authentik Admin Dashboard:
      :::info
      use the explicit flow if user consents are required
      :::
-    - **Redirect URIs / Origins**: `auth.providerRedirectURI`
+    - **Redirect URIs / Origins** (`Strict` `Authorization`): `auth.providerRedirectURI`
    - **Signing Key**: authentik Self-signed Certificate
      :::info
      The certificate is used for signing JWT tokens; if you change it after the integration do not forget to update your SharePoint Trusted Certificate.
@@ -4,6 +4,7 @@ sidebar_label: Vikunja
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";

@@ -31,6 +32,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Vikunja with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -41,8 +44,8 @@ To support the integration of Vikunja with authentik, you need to create an appl
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - For web login, set a `Strict` redirect URI to `https://vikunja.company/auth/openid/authentik`.
-        - If using the Vikunja desktop client, add a `Regex` redirect URI such as `^http://127\\.0\\.0\\.1:[0-9]+/auth/openid/authentik$` to allow loopback redirects to `127.0.0.1`.
+        - For web login, add a **Redirect URI** of type `Strict` `Authorization` as `https://vikunja.company/auth/openid/authentik`.
+        - If using the Vikunja desktop client, add a **Redirect URI** of type `Regex` `Authorization` such as `^http://127\\.0\\.0\\.1:[0-9]+/auth/openid/authentik$` to allow loopback redirects to `127.0.0.1`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 3. Click **Submit** to save the new application and provider.
@@ -4,6 +4,8 @@ sidebar_label: Wekan
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Wekan?

 > Wekan is an open-source kanban board which allows a card-based task and to-do management.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Wekan with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Wekan with authentik, you need to create an applic
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://wekan.company/_oauth/oidc`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://wekan.company/_oauth/oidc`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Writefreely
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Writefreely?

 > An open source platform for building a writing space on the web.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Writefreely with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Writefreely with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://writefreely.company/oauth/callback/generic`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://writefreely.company/oauth/callback/generic`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,7 @@ sidebar_label: Amazon Web Services (Classic IAM)
 support_level: authentik
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -44,6 +45,8 @@ SCIM Provisioning is only supported in conjunction with [IAM Identity Center](..

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of AWS with authentik via the Classic IAM method, you need to create two property mappings, an application/provider pair, and application entitlements for the AWS roles that users can assume.

 ### Create property mappings
@@ -273,7 +276,7 @@ To support the integration of AWS with authentik using OIDC, you need to create
    - **Choose a Provider type**: Select OAuth2/OpenID Provider as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to match the AWS resource that you want to access via OIDC.
+        - Add a **Redirect URI** of type `Strict` `Authorization` that matches the AWS resource that you want to access via OIDC.
        - Select any available signing key.
        - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: DigitalOcean
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is DigitalOcean?

 > DigitalOcean is a cloud infrastructure provider that offers developers simple, scalable virtual servers (droplets), managed databases, and other cloud services to deploy and manage applications efficiently.
@@ -22,6 +24,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of DigitalOcean with authentik, you need to create a scope mapping, an application/provider pair, and application entitlements for the DigitalOcean roles that users should receive.

 ### Create a scope mapping
@@ -72,7 +76,7 @@ To support the integration of DigitalOcean with authentik, you need to create a
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://cloud.digitalocean.com/sessions/sso/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://cloud.digitalocean.com/sessions/sso/callback`.
        - Select any available signing key.
        - Under **Advanced protocol settings**:
            - Add the `profile` scope created in the previous section. Do not remove authentik’s `authentik default OAuth Mapping: OpenID 'profile'`, as claims such as `name` are required by DigitalOcean.
@@ -4,6 +4,8 @@ sidebar_label: Oracle Cloud
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Oracle Cloud?

 > Oracle Cloud is the first public cloud built from the ground up to be a better cloud for every application. By rethinking core engineering and systems design for cloud computing, we created innovations that accelerate migrations, deliver better reliability and performance for all applications, and offer the complete services customers need to build innovative cloud applications.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Oracle Cloud with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -35,7 +39,7 @@ To support the integration of Oracle Cloud with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://tenant.identity.oraclecloud.com/oauth2/v1/social/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://tenant.identity.oraclecloud.com/oauth2/v1/social/callback`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Dashy
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Dashy?

 > Dashy is a self-hostable personal dashboard built for you. Includes status-checking, widgets, themes, icon packs, a UI editor and tons more.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Dashy with authentik, you need to create an application/provider pair in authentik.

 If you want to manage Dashy administrator access through authentik, create or choose a group for Dashy administrators and add the appropriate users to it. Note the exact group name because it will be required later.
@@ -36,7 +40,7 @@ If you want to manage Dashy administrator access through authentik, create or ch
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **slug** values because they will be required later.
        - Set the **Client type** to `Public`. Dashy runs entirely in the browser and does not store a client secret.
-        - Create two `Strict` redirect URIs:
+        - Add two **Redirect URIs** of type `Strict` `Authorization`:
            - `https://dashy.company`
            - `https://dashy.company/`
        - Select any available signing key.
@@ -4,6 +4,8 @@ sidebar_label: Homarr
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Homarr?

 > A sleek, modern dashboard that puts all of your apps and services at your fingertips. Control everything in one convenient location. Seamlessly integrates with the apps you've added, providing you with valuable information.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Homarr with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Homarr with authentik, you need to create an appli
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Create two `Strict` redirect URIs: `https://homarr.company/api/auth/callback/oidc` and `http://localhost:50575/api/auth/callback/oidc`.
+    - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://homarr.company/api/auth/callback/oidc` and `http://localhost:50575/api/auth/callback/oidc`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Linkwarden
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Linkwarden?

 > Linkwarden is an open-source collaborative bookmark manager used to collect, organize, and preserve webpages.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Linkwarden with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Linkwarden with authentik, you need to create an a
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://linkwarden.company/api/v1/auth/callback/authentik`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://linkwarden.company/api/v1/auth/callback/authentik`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Coder
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Coder?

 > Coder is an open-source platform that provides browser-based cloud development environments, enabling developers and teams to securely write, edit, and manage code remotely without the need for local setup.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Coder with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Coder with authentik, you need to create an applic
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://coder.company/api/v2/users/oidc/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://coder.company/api/v2/users/oidc/callback`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: engomo
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is engomo?

 > engomo is a low-code app development platform to create enterprise apps for smartphones and tablets based on Android, iOS, or iPadOS.
@@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Engomo with authentik, you need to create an application/provider pair in authentik.

 ### Create property mappings
@@ -46,7 +50,7 @@ To support the integration of Engomo with authentik, you need to create an appli
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID** and **slug** values because they will be required later.
    - Set the **Client type** to `Public`.
-    - Add two `Strict` redirect URIs and set them to `https://engomo.company/auth` and `com.engomo.engomo://callback/`.
+    - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://engomo.company/auth` and `com.engomo.engomo://callback/`.
    - Select any available signing key.
    - Under **Advanced protocol settings**, add the scope you just created to the list of available scopes.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: Forgejo
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Forgejo?

 > Forgejo is a lightweight, self‑hosted alternative to GitHub/GitLab, with a strong emphasis on community governance and open development.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Forgejo with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Forgejo with authentik, you need to create an appl
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://<forgejo.company>/user/oauth2/authentik/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://<forgejo.company>/user/oauth2/authentik/callback`.
        - Select any available signing key.
        - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: Frappe
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 :::info
 These instructions apply to all projects in the Frappe Family, including ERPNext.
 :::
@@ -28,6 +30,8 @@ This documentation only lists the settings that have been changed from their def

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Frappe with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -39,7 +43,7 @@ To support the integration of Frappe with authentik, you need to create an appli
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/<provider-name>`. Replace `<provider-name>` with the name of the provider in Frappe.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/<provider-name>`. Replace `<provider-name>` with the name of the provider in Frappe.
    - Select any available signing key.
    - Under **Advanced protocol settings**, set **Subject mode** to be `Based on the Users's username`.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: Gitea
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Gitea?

 > Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Gitea with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Gitea with authentik, you need to create an applic
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://<gitea.company>/user/oauth2/authentik/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://<gitea.company>/user/oauth2/authentik/callback`.
    - Select any available signing key.
    - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: GitLab
 support_level: authentik
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is GitLab?

 > GitLab is a complete DevOps platform with features for version control, CI/CD, issue tracking, and collaboration, facilitating efficient software development and deployment workflows.
@@ -43,6 +45,8 @@ import Tabs from "@theme/Tabs";

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of GitLab with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -110,7 +114,7 @@ To support the integration of GitLab with authentik, you need to create an appli
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://gitlab.company/users/auth/openid_connect/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://gitlab.company/users/auth/openid_connect/callback`.
    - Select any available signing key.
    - Under **Advanced protocol settings**, set the **Subject mode** to `Based on the User's Email`.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: Gravitee
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Gravitee?

 > Gravitee.io API Management is a flexible, lightweight and blazing-fast Open Source solution that helps your organization control who, when and how users access your APIs.
@@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Gravitee with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -36,7 +40,7 @@ To support the integration of Gravitee with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Add two `Strict` redirect URI and set them to `https://gravitee.company/user/login` and `https://gravitee.company/console/`. Ensure a trailing slash is present at the end of the second redirect URI.
+    - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://gravitee.company/user/login` and `https://gravitee.company/console/`. Ensure a trailing slash is present at the end of the second redirect URI.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Jenkins
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Jenkins?

 > The leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Jenkins with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Jenkins with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://jenkins.company/securityRealm/finishLogin`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://jenkins.company/securityRealm/finishLogin`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Node-RED
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Node-RED?

 > Node-RED is a programming tool for wiring together hardware devices, APIs and online services in new and interesting ways.
@@ -29,6 +31,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Node-RED with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -40,7 +44,7 @@ To support the integration of Node-RED with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://nodered.company/auth/strategy/callback/`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://nodered.company/auth/strategy/callback/`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -13,6 +13,8 @@ authentik_enterprise: true
 authentik_preview: true
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Apple Business Manager?

 > Apple Business Manager is a web-based portal for IT administrators, managers, and procurement professionals to manage devices and automate device enrollment.
@@ -71,6 +73,8 @@ Be aware that Apple Business Manager imposes the following restrictions on feder

 ## authentik configuration

+<RedirectURI20265Note />
+
 The workflow to configure authentik as an identity provider for Apple Business Manager involves creating scope mappings, signing keys, a Shared Signals Framework provider, and an OIDC provider/application pair.

 Together, these components will handle the authentication flow and backchannel communication between authentik and Apple Business Manager.
@@ -160,7 +164,7 @@ You will need to create an [OAuth2/OpenID Provider](/docs/add-secure-apps/provid
    - **Choose a Provider type**: select **OAuth2/OpenID Provider** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://gsa-ws.apple.com/grandslam/GsService2/acs`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://gsa-ws.apple.com/grandslam/GsService2/acs`.
        - Select any available signing key.
        - Under **Advanced protocol settings**, in addition to the default scopes, add the four following **Selected Scopes** to the provider.
            - `Apple Business Manager ssf.manage`
@@ -4,6 +4,8 @@ sidebar_label: MeshCentral
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is MeshCentral?

 > MeshCentral is a free, open source, web-based platform for remote device management.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of MeshCentral with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of MeshCentral with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://meshcentral.company/auth-oidc-callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://meshcentral.company/auth-oidc-callback`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Omnissa Workspace ONE Access
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Omnissa Workspace ONE Access?

 > Omnissa Workspace ONE Access, now Omnissa Access, is the identity and access service for the Omnissa Workspace ONE platform. It provides single sign-on, access policies, and identity federation for applications and devices, and can delegate authentication to external identity providers such as authentik.
@@ -31,6 +33,8 @@ You can leave the form open in another browser tab while configuring authentik.

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Omnissa Workspace ONE Access with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -43,8 +47,8 @@ To support the integration of Omnissa Workspace ONE Access with authentik, you n
        - Note the **Client ID** and **Client Secret** values because they will be required later.
        - **Protocol Settings**:
            - **Redirect URI**:
-                - Strict: the redirect URI you noted in the Omnissa Workspace ONE Access pre-configuration step.
-                - Strict: `awgb://oauth2`. This URI is used by the Workspace ONE mobile applications.
+                - `Strict` `Authorization`: the redirect URI you noted in the Omnissa Workspace ONE Access pre-configuration step.
+                - `Strict` `Authorization`: `awgb://oauth2`. This URI is used by the Workspace ONE mobile applications.
            - **Signing Key**: select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,7 @@ sidebar_label: BookStack
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";

@@ -38,6 +39,8 @@ You can configure Bookstack to use either OIDC or SAML, and this guide explains

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of BookStack with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -48,7 +51,7 @@ To support the integration of BookStack with authentik, you need to create an ap
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://bookstack.company/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://bookstack.company/oidc/callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: DokuWiki
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is DokuWiki?

 > DokuWiki is an open source wiki application licensed under GPLv2 and written in the PHP programming language. It works on plain text files and thus does not need a database. Its syntax is similar to the one used by MediaWiki and it is often recommended as a more lightweight, easier to customize alternative to MediaWiki.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of DokuWiki with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -4,6 +4,8 @@ sidebar_label: Karakeep
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Karakeep?

 > A self-hostable bookmark-everything app (links, notes and images) with AI-based automatic tagging and full-text search.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Karakeep with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Karakeep with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://karakeep.company/api/auth/callback/custom`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://karakeep.company/api/auth/callback/custom`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: KitchenOwl
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is KitchenOwl?

 > KitchenOwl is a smart self-hosted grocery list and recipe manager. Easily add items to your shopping list before you go shopping. You can also create recipes and set up meal plans to help you organize your cooking.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of KitchenOwl with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of KitchenOwl with authentik, you need to create an a
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret** values because they will be required later.
-        - Create two `Strict` redirect URIs and set them to `https://kitchenowl.company/signin/redirect` and `kitchenowl:/signin/redirect`.
+        - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://kitchenowl.company/signin/redirect` and `kitchenowl:/signin/redirect`.

 3. Click **Submit** to save the new application and provider.

@@ -4,6 +4,8 @@ sidebar_label: Mealie
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Mealie?

 > Mealie is a self-hosted recipe manager and meal planner. Easily add recipes by providing the URL and Mealie will automatically import the relevant data or add a family recipe with the UI editor.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Mealie with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Mealie with authentik, you need to create an appli
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, , and **slug** values because they will be required later.
-    - Create two `Strict` redirect URIs and set to `https://mealie.company/login` and `https://mealie.company/login?direct=1`.
+    - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://mealie.company/login` and `https://mealie.company/login?direct=1`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: NetBox
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is NetBox?

 > NetBox is the leading solution for modeling and documenting modern networks.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of NetBox with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of NetBox with authentik, you need to create an appli
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://netbox.company/oauth/complete/oidc/`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://netbox.company/oauth/complete/oidc/`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Outline
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Outline?

 > Your team's knowledge base.
@@ -24,6 +26,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Outline with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -35,7 +39,7 @@ To support the integration of Outline with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://outline.company/auth/oidc.callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://outline.company/auth/oidc.callback`.
    - Select any available signing key.
    - Under **Advanced protocol settings**, set the **Subject Mode** to **Based on the User's username**.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: Paperless-ngx
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Paperless-ngx?

 > Paperless-ngx is an application that indexes your scanned documents and allows you to easily search for documents and store metadata alongside your documents. It was a fork from Paperless-ng, in turn a fork from the original Paperless, neither of which are maintained any longer.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Paperless-ngx with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Paperless-ngx with authentik, you need to create a
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://paperless.company/accounts/oidc/authentik/login/callback/`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://paperless.company/accounts/oidc/authentik/login/callback/`.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
    - **Advanced protocol settings**:
        - **Selected Scopes**: Add the following
@@ -4,6 +4,8 @@ sidebar_label: Papra
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Papra?

 > An open-source document management platform designed to help you organize, secure, and archive your files effortlessly.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Papra with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Papra with authentik, you need to create an applic
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **Slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://papra.company/api/auth/oauth2/callback/authentik`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://papra.company/api/auth/oauth2/callback/authentik`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Tandoor
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Tandoor?

 > Application for managing recipes, planning meals and building shopping lists.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Tandoor with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Tandoor with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://tandoor.company/accounts/oidc/authentik/login/callback/`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://tandoor.company/accounts/oidc/authentik/login/callback/`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Wiki.js
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Wiki.js?

 > Wiki.js is a wiki engine running on Node.js and written in JavaScript. It is free software released under the Affero GNU General Public License. It is available as a self-hosted solution or using "single-click" install on the DigitalOcean and AWS marketplace.
@@ -33,6 +35,8 @@ Add a _Generic OpenID Connect / OAuth2_ strategy and take note of the _Callback

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Wiki.js with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -44,7 +48,7 @@ To support the integration of Wiki.js with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://wiki.company/login/id-from-wiki/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://wiki.company/login/id-from-wiki/callback`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Arcane
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Arcane?

 > Modern Docker Management, Designed for Everyone.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Arcane with authentik, you need to create an application/provider pair in authentik.

 ### Create custom scope mapping
@@ -53,7 +57,7 @@ Arcane either requires the email scope to return a `true` value for whether the
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://arcane.company/auth/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://arcane.company/auth/oidc/callback`.
        - Select any available signing key.
        - Under **Advanced protocol settings**:
            - Remove the `authentik default OAuth Mapping: OpenID 'email'` scope, and add the custom scope mapping you created above.
@@ -4,6 +4,8 @@ sidebar_label: Portainer
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Portainer?

 > Portainer is a powerful, GUI-based Container-as-a-Service solution that helps organizations manage and deploy cloud-native applications easily and securely.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Portainer with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Portainer with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations:
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://portainer.company/`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://portainer.company/`.
    - Select any available signing key.
    - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: Proxmox VE
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Proxmox VE?

 > Proxmox Virtual Environment is an open source server virtualization management solution based on QEMU/KVM and LXC. You can manage virtual machines, containers, highly available clusters, storage, and networks with an integrated, easy-to-use web interface or via CLI. Proxmox VE code is licensed under the GNU Affero General Public License, version 3. The project is developed and maintained by Proxmox Server Solutions GmbH.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Proxmox with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Proxmox with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://proxmox.company:8006`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://proxmox.company:8006`.
    - Select any available signing key.
    - Ensure that encryption is disabled.
    - Under **Advanced protocol settings**:
@@ -4,6 +4,8 @@ sidebar_label: VMware Cloud Director
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is VMware Cloud Director?

 > VMware Cloud Director is a platform that enables service providers and enterprises to create multi-tenant virtual data centers (VDCs) from underlying VMware vSphere infrastructure. It supports self-service resource provisioning, secure tenant isolation, and management of compute, storage, and networking via web portals and APIs.
@@ -21,6 +23,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of VMware Cloud Director with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -31,7 +35,7 @@ To support the integration of VMware Cloud Director with authentik, you need to
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://clouddirector.company/login/oauth?service=provider`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://clouddirector.company/login/oauth?service=provider`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: VMware vCenter
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is vCenter?

 > vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. VMware vMotion and svMotion require the use of vCenter and ESXi hosts.
@@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of vCenter with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -36,7 +40,7 @@ To support the integration of vCenter with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://vcenter.company/ui/login/oauth2/authcode`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://vcenter.company/ui/login/oauth2/authcode`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Xen Orchestra
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Xen Orchestra?

 > Xen Orchestra provides a user friendly web interface for every Xen based hypervisor (XenServer, xcp-ng, etc.).
@@ -28,6 +30,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Xen Orchestra with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -39,7 +43,7 @@ To support the integration of Xen Orchestra with authentik, you need to create a
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://xenorchestra.company/signin/oidc/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://xenorchestra.company/signin/oidc/callback`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,7 @@ sidebar_label: Apache Guacamole
 support_level: authentik
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";

@@ -26,6 +27,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Apache Guacamole with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -37,7 +40,7 @@ To support the integration of Apache Guacamole with authentik, you need to creat
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://guacamole.company/`. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://guacamole.company/`. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly.
    - Select any available signing key.
    - Note that Apache Guacamole does not support session tokens longer than 300 minutes (5 hours).
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: ArgoCD
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is ArgoCD?

 > Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of ArgoCD with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of ArgoCD with authentik, you need to create an appli
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Add two `Strict` redirect URI and set them to `https://argocd.company/api/dex/callback` and `https://localhost:8085/auth/callback`.
+        - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://argocd.company/api/dex/callback` and `https://localhost:8085/auth/callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Harbor
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Harbor?

 > Harbor is an open source container image registry that secures images with role-based access control, scans images for vulnerabilities, and signs images as trusted. A CNCF Graduated project, Harbor delivers compliance, performance, and interoperability to help you consistently and securely manage images across cloud native compute platforms like Kubernetes and Docker.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Harbor with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -35,7 +39,7 @@ To support the integration of Harbor with authentik, you need to create an appli
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - **Protocol Settings**:
        - **Redirect URI**:
-            - Strict: `https://harbor.company/c/oidc/callback`.
+            - `Strict` `Authorization`: `https://harbor.company/c/oidc/callback`.
        - **Signing Key**: select any available signing key.
    - **Advanced Protocol Settings**:
        - **Scopes**: add `authentik default OAuth Mapping: OpenID 'offline_access'` to **Selected Scopes**.
@@ -4,6 +4,7 @@ sidebar_label: Keycloak
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -39,6 +40,8 @@ Keycloak can be configured to use either OIDC or SAML for federated login source

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Keycloak with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -49,7 +52,7 @@ To support the integration of Keycloak with authentik, you need to create an app
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://keycloak.company/access/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://keycloak.company/access/oidc/callback`.
        - Set the **Logout URI** to `https://keycloak.company/realms/<keycloak-realm-name>/protocol/openid-connect/logout/backchannel-logout`.
        - Set the **Logout Method** to `Back-channel`.
        - Select any available signing key.
@@ -4,6 +4,8 @@ sidebar_label: Komodo
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Komodo?

 > Komodo is a web-based application designed to organize and streamline the management of servers, builds, deployments, and automated tasks.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Komodo with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Komodo with authentik, you need to create an appli
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://komodo.company/auth/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://komodo.company/auth/oidc/callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
    - **Configure Launch URL** _(optional)_: set to `https://komodo.company/auth/oidc/login`.
@@ -4,6 +4,7 @@ sidebar_label: MinIO
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";

@@ -30,6 +31,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of MinIO with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -40,7 +43,7 @@ To support the integration of MinIO with authentik, you need to create an applic
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://minio.company/oauth_callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://minio.company/oauth_callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Nexterm
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Nexterm?

 > Nexterm is an open-source server management platform for SSH, VNC, and RDP.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Nexterm with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Nexterm with authentik, you need to create an appl
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://nexterm.company/api/auth/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://nexterm.company/api/auth/oidc/callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: osTicket
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is osTicket?

 > osTicket is a web-based, open source user support/ticketing solution.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of osTicket with authentik, you need to create an application/provider pair in authentik.

 1. Log in to authentik as an administrator and open the authentik Admin interface.
@@ -31,7 +35,7 @@ To support the integration of osTicket with authentik, you need to create an app
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret** and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://osticket.company/osticket/api/auth/oauth2`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://osticket.company/osticket/api/auth/oauth2`.
        - Select any available signing key.
        - Under **Advanced protocol settings**:
            - **Subject Mode**: `Based on the User's Email`
@@ -4,6 +4,8 @@ sidebar_label: pgAdmin
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is pgAdmin?

 > pgAdmin is a management tool for PostgreSQL and derivative relational databases such as EnterpriseDB's EDB Advanced Server. It may be run either as a web or desktop application.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of pgAdmin with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -37,7 +41,7 @@ To support the integration of pgAdmin with authentik, you need to create an appl
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://pgadmin.company/oauth2/authorize`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://pgadmin.company/oauth2/authorize`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Plesk
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Plesk?

 > Plesk is a web hosting platform with a control panel that helps manage servers, applications, and websites through a comprehensive graphical user interface. It provides tools for web professionals, IT administrators, and hosting companies to simplify the process of hosting and managing websites.
@@ -27,6 +29,8 @@ Replace these placeholders in the guide with your values:

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Plesk with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Plesk with authentik, you need to create an applic
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://plesk.company/modules/oauth/public/login.php`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://plesk.company/modules/oauth/public/login.php`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,7 @@ sidebar_label: RabbitMQ
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";

@@ -28,6 +29,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of RabbitMQ with authentik, you need to create a property mapping, two user groups, and an application/provider pair.

 ### Create a property mapping
@@ -66,7 +69,7 @@ After creating the groups, select a group, navigate to the **Users** tab, and ma
        - Set **Client Type** to **Public**.
        - Note the **Client ID** and **slug** values because they will be required later.
        - Under **Grant Types**, select **Authorization Code** and **Client credentials**.
-        - Set a `Strict` redirect URI to `https://rabbitmq.company:15672/js/oidc-oauth/login-callback.html`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://rabbitmq.company:15672/js/oidc-oauth/login-callback.html`.
        - Select any available signing key.
        - Under **Advanced protocol settings**:
            - Add the `RabbitMQ claims` scope that you created in the previous section to **Selected Scopes**.
@@ -4,6 +4,8 @@ sidebar_label: RustDesk Server Pro
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is RustDesk Server Pro?

 > RustDesk Server Pro is a premium self-hosted solution for managing remote desktop connections securely and efficiently.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Rustdesk Server Pro with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Rustdesk Server Pro with authentik, you need to cr
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://rustdesk.company/api/oidc/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://rustdesk.company/api/oidc/callback`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Semaphore
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Semaphore UI?

 > Semaphore UI is a modern web interface for managing popular DevOps tools.
@@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Semaphore with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -35,7 +39,7 @@ To support the integration of Semaphore with authentik, you need to create an ap
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://semaphore.company/api/auth/oidc/authentik/redirect`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://semaphore.company/api/auth/oidc/authentik/redirect`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Synology DSM (DiskStation Manager)
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Synology DSM?

 > Synology Inc. is a Taiwanese corporation that specializes in network-attached storage (NAS) appliances. Synology's line of NAS is known as the DiskStation for desktop models, FlashStation for all-flash models, and RackStation for rack-mount models. Synology's products are distributed worldwide and localized in several languages.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Synology DSM with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Synology DSM with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://synology.company`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://synology.company`.
    - Select any available signing key.
    - Under **Advanced protocol settings**, set the **subject mode** to be based on the user's email.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: Termix
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Termix?

 > Termix is a clientless web-based server management platform with SSH terminal, tunneling, and file editing capabilities.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Termix with authentik, you need to create an application/provider pair in authentik.

 1. Log in to authentik as an administrator and open the authentik Admin interface.
@@ -31,7 +35,7 @@ To support the integration of Termix with authentik, you need to create an appli
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://termix.company/users/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://termix.company/users/oidc/callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Terrakube
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Terrakube?

 > Terrakube is an open-source collaboration platform designed for managing remote Infrastructure-as-Code (IaC) operations with Terraform. It serves as an alternative to proprietary tools like Terraform Enterprise.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Terrakube with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Terrakube with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://terrakube-dex.company/dex/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://terrakube-dex.company/dex/callback`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,7 @@ sidebar_label: Zammad
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../\_saml-provider-2026-5-warning.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -40,6 +41,8 @@ values={[

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Zammad with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -102,7 +105,7 @@ To support the integration of Zammad with authentik, you need to create an appli
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Set the **Client type** to `Public`.
        - Take note of the **Client ID** and **slug** values because they will be required later.
-        - Set the **Redirect URIs/Origins** to `Strict` / `https://zammad.company/auth/openid_connect/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://zammad.company/auth/openid_connect/callback`.
        - Select a **Signing Key**.
        - Under **Advanced protocol settings**, set **Subject mode** to **Based on the User's Email**.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,7 @@ sidebar_label: Zendesk
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";

@@ -38,6 +39,8 @@ Zendesk can be configured to use either OIDC or SAML. This guide covers both met

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Zendesk with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -48,7 +51,7 @@ To support the integration of Zendesk with authentik, you need to create an appl
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://company.zendesk.com/access/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://company.zendesk.com/access/oidc/callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Zot
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Zot?

 > Zot is an OCI-native container registry for distributing container images and OCI artifacts.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Zot with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -35,11 +39,9 @@ To support the integration of Zot with authentik, you need to create an applicat
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - **Protocol Settings**:
        - **Redirect URI**:
-            - Strict: `https://zot.company/zot/auth/callback/oidc`.
+            - `Strict` `Authorization`: `https://zot.company/zot/auth/callback/oidc`.
        - **Signing Key**: select any available signing key.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://zot.company/zot/auth/callback/oidc`.
-    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

 3. Click **Submit** to save the new application and provider.
@@ -5,6 +5,7 @@ support_level: community
 authentik_version: 2026.5
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -39,6 +40,8 @@ values={[

 ## authentik configuration

+<RedirectURI20265Note />
+
 To integrate authentik with Absorb LMS via OIDC, you will need to create an application and provider pair in authentik.

 ### Create an application and provider in authentik
@@ -49,7 +52,7 @@ To integrate authentik with Absorb LMS via OIDC, you will need to create an appl
    - **Choose a Provider type**: select **OAuth2/OIDC Provider** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Take note of the **Client ID** and **Client Secret** values as these will be required in the next section.
-        - Set a `Strict` Redirect URI to `https://company.myabsorb.com/account/openidconnect`
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://company.myabsorb.com/account/openidconnect`
        - Select any available **Signing key**.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications in a user's **Application Dashboard**.

@@ -4,6 +4,8 @@ sidebar_label: Audiobookshelf
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Audiobookshelf?

 > Audiobookshelf is a self-hosted audiobook and podcast server.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Audiobookshelf with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -4,6 +4,8 @@ sidebar_label: FreshRSS
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is FreshRSS?

 > FreshRSS is a self-hosted RSS feed aggregator.
@@ -23,6 +25,8 @@ This documentation only lists the settings that have been changed from their def

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of FreshRSS with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of FreshRSS with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Add two `Strict` redirect URIs and set them to `https://freshrss.company/i/oidc/` and `https://freshrss.company:443/i/oidc/`. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly.
+    - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://freshrss.company/i/oidc/` and `https://freshrss.company:443/i/oidc/`. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Immich
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Immich?

 > Immich is a self-hosted backup solution for photos and videos on mobile devices.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Immich with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Immich with authentik, you need to create an appli
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Add three `Strict` redirect URIs and set them to `app.immich:///oauth-callback`, `https://immich.company/auth/login`, and `https://immich.company/user-settings`.
+        - Add three **Redirect URIs** of type `Strict` `Authorization` as `app.immich:///oauth-callback`, `https://immich.company/auth/login`, and `https://immich.company/user-settings`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
    - **Configure Launch URL** _(optional)_: set the [Launch URL](/docs/add-secure-apps/applications/#appearance) to `https://immich.company/auth/login?autoLaunch=1` to allow automatic login to Immich when clicking the application from within authentik.
@@ -4,6 +4,8 @@ sidebar_label: Jellyfin
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Jellyfin?

 > Jellyfin is a free and open source media management and streaming platform for movies, TV shows, and music.
@@ -95,6 +97,8 @@ At this point, enter a username and click **Save Search Attribute Settings and Q

 ## OIDC configuration

+<RedirectURI20265Note />
+
 ### authentik configuration

 **Provider Settings**
@@ -102,7 +106,7 @@ At this point, enter a username and click **Save Search Attribute Settings and Q
 In authentik under **Providers**, create an OAuth2/OpenID Provider with these settings:

 - Name: `jellyfin`
- Redirect URI: `https://jellyfin.company/sso/OID/redirect/authentik`
+- **Redirect URI**: `Strict` `Authorization` `https://jellyfin.company/sso/OID/redirect/authentik`

 Everything else is up to you, just make sure to grab the client ID and the client secret!

@@ -4,6 +4,8 @@ sidebar_label: Komga
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Komga?

 > Komga is an open-source comic and manga server that lets users organize, read, and stream their digital comic collections with ease.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Komga with authentik, you need to create an application/provider pair in authentik.

 ### Create an email verification scope mapping in authentik
@@ -40,7 +44,7 @@ Refer to [Email scope verification](/docs/add-secure-apps/providers/oauth2/index
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://komga.company/login/oauth2/code/authentik`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://komga.company/login/oauth2/code/authentik`.
    - Select any available signing key.
    - **Advanced protocol settings** > **Scopes**:
        - Add `OAuth Mapping: OpenID 'email' with "email_verified"` to the **Selected Scopes**.
@@ -4,6 +4,8 @@ sidebar_label: Miniflux
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Miniflux?

 > Miniflux is a minimalist and opinionated RSS feed reader.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Miniflux with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Miniflux with authentik, you need to create an app
    - **Choose a Provider type**: Select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://miniflux.company/oauth2/oidc/callback`
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://miniflux.company/oauth2/oidc/callback`
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: PhotoPrism
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is PhotoPrism?

 > PhotoPrism is an AI-powered photos app that lets you browse, organize, and find photos and videos on a home server, private server, or in the cloud.
@@ -27,6 +29,8 @@ PhotoPrism requires HTTPS for OpenID Connect (OIDC). Make sure that the `PHOTOPR

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of PhotoPrism with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -37,7 +41,7 @@ To support the integration of PhotoPrism with authentik, you need to create an a
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Add one `Strict` redirect URI and set it to `https://photoprism.company/api/v1/oidc/redirect`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://photoprism.company/api/v1/oidc/redirect`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Seafile
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Seafile?

 > Seafile is an open-source, cross-platform file-hosting software system. Files are stored on a central server and can be synchronized with personal computers and mobile devices through apps. Files on the Seafile server can also be accessed directly via the server's web interface.
@@ -22,6 +24,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Seafile with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -32,7 +36,7 @@ To support the integration of Seafile with authentik, you need to create an appl
    - **Choose a Provider type**: select OAuth2/OpenID Connect as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://seafile.company/oauth/callback/`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://seafile.company/oauth/callback/`.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

 3. Click **Submit** to save the new application and provider.
@@ -4,6 +4,8 @@ sidebar_label: Seerr
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Seerr?

 > Seerr (previously Jellyseerr) is a free and open source application for managing requests in your media library. It integrates with media servers like Jellyfin, Plex, and Emby, and services such as Sonarr and Radarr.
@@ -17,6 +19,8 @@ support_level: community

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Seerr with authentik, you need to create an application/provider pair in authentik.

 1. Log in to authentik as an administrator and open the authentik Admin interface.
@@ -25,7 +29,7 @@ To support the integration of Seerr with authentik, you need to create an applic
    - **Choose a Provider type**: OAuth2/OpenID
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://seerr.company/login`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://seerr.company/login`.
        - Select any available signing key.
    - **Configure Bindings** _(optional):_ you can create a [binding](https://docs.goauthentik.io/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user’s **Application Dashboard** page.

@@ -4,6 +4,7 @@ sidebar_label: Actual Budget
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";

@@ -26,6 +27,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Actual Budget with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -36,7 +39,7 @@ To support the integration of Actual Budget with authentik, you need to create a
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://actual.company/openid/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://actual.company/openid/callback`.
        - Select any available signing key. Actual Budget only supports the RS256 algorithm. Be aware of this when choosing a signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: AdventureLog
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is AdventureLog?

 > AdventureLog is a self-hosted travel tracker and trip planner. AdventureLog is the ultimate travel companion for the modern-day explorer.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of AdventureLog with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of AdventureLog with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Regex` redirect URI to `^https://adventurelog.company/accounts/oidc/.\*$`.
+    - Add a **Redirect URI** of type `Regex` `Authorization` as `^https://adventurelog.company/accounts/oidc/.\*$`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,7 @@ sidebar_label: ezBookkeeping
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";

@@ -26,6 +27,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of ezBookkeeping with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -36,7 +39,7 @@ To support the integration of ezBookkeeping with authentik, you need to create a
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://ezbookkeeping.company/oauth2/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://ezbookkeeping.company/oauth2/callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: FileRise
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is FileRise?

 > Lightweight, self-hosted web-based file manager with multi-file upload, editing, and batch operations.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of FileRise with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of FileRise with authentik, you need to create an app
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set **Redirect URI** to `https://filerise.company/api/auth/auth.php?oidc=callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://filerise.company/api/auth/auth.php?oidc=callback`.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Home Assistant
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 <!-- spellchecker:ignore christiaangoossens -->

 ## What is Home Assistant?
@@ -47,6 +49,8 @@ values={[

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Home Assistant with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -58,7 +62,7 @@ To support the integration of Home Assistant with authentik, you need to create
    - Choose a **Provider Type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://hass.company/auth/openid/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://hass.company/auth/openid/callback`.
        - Select any available signing key (to use the RS256 `id_token_signing_alg`)
    - Configure Bindings (optional): you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -109,7 +113,7 @@ To support the integration of Home Assistant with authentik, you need to create
    - Choose a **Provider Type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://hass.company/auth/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://hass.company/auth/oidc/callback`.
        - Select any available signing key (to use the RS256 `id_token_signing_alg`)
    - Configure Bindings (optional): you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Open WebUI
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Open WebUI?

 > Open WebUI is a simple, self-hosted AI platform that works entirely offline. It supports tools like Ollama and OpenAI-style APIs and has a built-in engine for RAG tasks.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Open WebUI with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Open WebUI with authentik, you need to create an a
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://openwebui.company/oauth/oidc/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://openwebui.company/oauth/oidc/callback`.
    - Select any available signing key.
    - Make sure to leave the **Encryption Key** field empty.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: Wallos
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Wallos?

 > Wallos is a self-hosted subscription and budget planning application.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Wallos with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Wallos with authentik, you need to create an appli
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://wallos.company/index.php`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://wallos.company/index.php`.
        - Select any available signing key.
    - **Configure Bindings** (optional): you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Zipline
 support_level: community
 ---

+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Zipline?

 > Zipline is a self-hostable file upload server designed for easy file sharing, supporting tools like ShareX and Flameshot, with features such as simplified setup and extensive customization options.
@@ -27,6 +29,8 @@ This guide is compatible with Zipline [version `v4.0.0`](https://github.com/dice

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Zipline with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Zipline with authentik, you need to create an appl
 - **Choose a Provider type**: Select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: Provide a name (or accept the auto-provided name), choose the authorization flow for this provider, and configure the following required settings:
    - Note the **Client ID** and **Client Secret** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://zipline.company/api/auth/oauth/oidc`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://zipline.company/api/auth/oauth/oidc`.
    - Select any available signing key.
    - Under **Advanced protocol settings** > **Scopes**, add `authentik default OAuth Mapping: OpenID 'offline_access'` to the **Selected Scopes** list.
 - **Configure Bindings** _(optional)_: Create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -4,6 +4,8 @@ sidebar_label: Beszel
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Beszel?

 > Beszel is a lightweight server monitoring platform that provides Docker statistics, historical data, and configurable alerts.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 The steps to configure authentik include creating an email verification scope mapping, creating an application and provider pair in authentik, obtaining the Client ID and Client Secret values, setting the redirect URI, and selecting a signing key.

 ### Create an email verification scope mapping in authentik
@@ -44,7 +48,7 @@ Refer to [Email scope verification](/docs/add-secure-apps/providers/oauth2/index
 - **Choose a Provider type**: OAuth2/OpenID
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any required configurations.
    - Note the **Client ID** and **Client Secret** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://beszel.company/api/oauth2-redirect`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://beszel.company/api/oauth2-redirect`.
    - Select any available signing key.
    - **Advanced protocol settings** > **Scopes**:
        - Add `OAuth Mapping: OpenID 'email' with "email_verified"` to the **Selected Scopes**.
@@ -3,6 +3,8 @@ title: Integrate with Chronograf
 sidebar_label: Chronograf
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Chronograf?

 > Chronograf lets you quickly visualize the data stored in InfluxDB, enabling you to build robust queries and alerts. It is simple to use and comes with templates and libraries for rapidly creating dashboards with real-time data visualizations.
@@ -22,6 +24,8 @@ This documentation lists only the settings that you need to change from their de

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Chronograf with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Chronograf with authentik, you need to create an a
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://chronograf.company/oauth/authentik/callback/`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://chronograf.company/oauth/authentik/callback/`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

@@ -4,6 +4,8 @@ sidebar_label: Gatus
 support_level: community
 ---

+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Gatus?

 > Gatus is a developer-oriented health dashboard that gives you the ability to monitor your services using HTTP, ICMP, TCP, and even DNS queries as well as evaluate the result of said queries by using a list of conditions on values like the status code, the response time, the certificate expiration, the body and many others. The icing on top is that each of these health checks can be paired with alerting via Slack, Teams, PagerDuty, Discord, Twilio and many more.
@@ -23,6 +25,8 @@ This documentation only lists the settings that have been changed from their def

 ## authentik configuration

+<RedirectURI20265Note />
+
 To support the integration of Gatus with authentik, you need to create an application/provider pair in authentik.

 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Gatus with authentik, you need to create an applic
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://gatus.company/authorization-code/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://gatus.company/authorization-code/callback`.
    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

--- a/Show More
+++ b/Show More