website: Apply CSpell corrections. (#20189)

* website: Apply CSpell corrections. * Lint/spelling fix --------- Co-authored-by: dewi-tik <dewi@goauthentik.io>
2026-06-17 19:09:11 +03:00 · 2026-02-11 21:57:36 +01:00
parent 858a040dfb
commit 8aeedb6380
54 changed files with 79 additions and 75 deletions
@@ -1,6 +1,8 @@
 /// <reference types="docusaurus-theme-openapi-docs" />
 /// <reference types="docusaurus-plugin-openapi-docs" />

+// cspell:ignore persistence
+
 declare module "@docusaurus/plugin-content-docs/src/sidebars/types" {
    export * from "@docusaurus/plugin-content-docs/src/sidebars/types.ts";
 }
@@ -105,7 +105,7 @@ For example, you can create a binding for a specific group, and then [bind that
 Flow-stage bindings can have policy bindings bound to them; this can be used to conditionally run or skip stages within a flow. There are two settings in a flow-stage binding that configure _when_ these policies are executed:

 - **Evaluate when flow is planned**
-  Policies are evaluated when authentik creates a flow plan that contains a reference to all of the stages that the user will need to go through to complete the flow. In this case,user-specific attributes are only available if the user is already authentiticated before beginning the flow.
+  Policies are evaluated when authentik creates a flow plan that contains a reference to all of the stages that the user will need to go through to complete the flow. In this case,user-specific attributes are only available if the user is already authenticated before beginning the flow.

 - **Evaluate when the stage is run**
  Policies bound to a flow-stage binding are evaluated before the stage is run (i.e after the flow has started but before the stage is reached in the flow). Therefore the context with which policy bindings to the flow-stage binding are evaluated reflects the current state of the flow.
@@ -12,7 +12,7 @@ The Mutual TLS stage enables authentik to use client certificates to enroll and

 For mTLS, note that you should NOT use a globally known CA.

-Using private PKI certificates that are trusted by the end-device is best practise. For example, using a Verisign certificate as a "known CA" means that ANYONE who has a certificate signed by them can authenticate via mTLS, and in addition you should implement [custom validation](../../flow/context/index.mdx#auth_method-string) to prevent unauthorized access.
+Using private PKI certificates that are trusted by the end-device is best practice. For example, using a Verisign certificate as a "known CA" means that ANYONE who has a certificate signed by them can authenticate via mTLS, and in addition you should implement [custom validation](../../flow/context/index.mdx#auth_method-string) to prevent unauthorized access.
 :::

 ## Reverse-proxy configuration
@@ -17,4 +17,4 @@ When the user reaches this stage, they are redirected to a static URL.

 When the user reaches this stage, they are redirected to a specified flow, retaining all [flow context](../../flow/context/index.mdx).

-Optionally, untoggle the "Keep flow context" switch. If this is untoggled, all flow context is cleared with the exception of the [is_redirected](../../flow/context#is_redirected-flow-object) key.
+Optionally, toggle the "Keep flow context" switch to "off". When this control is set to "off", all flow context is cleared with the exception of the [is_redirected](../../flow/context#is_redirected-flow-object) key.
@@ -43,7 +43,7 @@ The main steps to configure your Google Workspace organization are:
   A pop-up displays with the private key. The key can be saved to your computer as a JSON file. This key will be required when creating the Google Workspace provider in authentik.

    :::info Allow key creation
-    By default, the Google Cloud organization policy `iam.disableSerivceAccountKeyCreation` prevents creating service account keys. To allow key creation:
+    By default, the Google Cloud organization policy `iam.disableServiceAccountKeyCreation` prevents creating service account keys. To allow key creation:
    1. Navigate to **IAM & Admin** > **Organization Policies** and select the **Disable service account key creation** policy.
    2. Click **Manage policy** and disable the policy.
    3. Click **Set policy** to save your changes.
@@ -76,7 +76,7 @@ We do not recommend using an administrator account for the Delegated Subject use

 The Delagated Subject user requires the following permissions:

-##### Admin console privilieges
+##### Admin console privileges

 - Users
 - Groups
@@ -23,7 +23,7 @@ OAuth 2.0 is an authorization protocol that allows an application (the RP) to de
 1. An authorization request is prepared by the RP and contains parameters for its implementation of OAuth and which data it requires, and then the User's browser is redirected to that URL.
 2. The RP sends a request to authentik in the background to exchange the access code for an access token (and optionally a refresh token).

-In detail, with OAuth2 when a user accesses the application (the RP) via their browser, the RP then prepares a URL with parameters for the OpenID Provider (OP), which the users's browser is redirected to. The OP authenticates the user and generates an authorization code. The OP then redirects the client (the user's browser) back to the RP, along with that authorization code. In the background, the RP then sends that same authorization code in a request authenticated by the `client_id` and `client_secret` to the OP. Finally, the OP responds by sending an Access Token saying this user has been authorised (the RP is recommended to validate this token using cryptography) and optionally a Refresh Token.
+In detail, with OAuth2 when a user accesses the application (the RP) via their browser, the RP then prepares a URL with parameters for the OpenID Provider (OP), which the users's browser is redirected to. The OP authenticates the user and generates an authorization code. The OP then redirects the client (the user's browser) back to the RP, along with that authorization code. In the background, the RP then sends that same authorization code in a request authenticated by the `client_id` and `client_secret` to the OP. Finally, the OP responds by sending an Access Token saying this user has been authorized (the RP is recommended to validate this token using cryptography) and optionally a Refresh Token.

 The image below shows a typical authorization code flow.

@@ -102,7 +102,7 @@ The flows and grant types used in this case are those used for a typical authori

 The authorization code is for environments with both a Client and a application server, where the back and forth happens between the client and an app server (the logic lives on app server). The RP needs to authorise itself to the OP. Client ID (public, identifies which app is talking to it) and client secret (the password) that the RP uses to authenticate.

-If you configure authentik to use "Offline access" then during the initial auth the OP sends two tokens, an access token (short-lived, hours, can be customised) and a refresh token (typically longer validity, days or infinite). The RP (the app) saves both tokens. When the access token is about to expire, the RP sends the saved refresh token back to the OP, and requests a new access token. When the refresh token itself is about to expire, the RP can also ask for a new refresh token. This can all happen without user interaction if you configured the offline access.
+If you configure authentik to use "Offline access" then during the initial auth the OP sends two tokens, an access token (short-lived, hours, can be customized) and a refresh token (typically longer validity, days or infinite). The RP (the app) saves both tokens. When the access token is about to expire, the RP sends the saved refresh token back to the OP, and requests a new access token. When the refresh token itself is about to expire, the RP can also ask for a new refresh token. This can all happen without user interaction if you configured the offline access.

 :::info
 Starting with authentik 2024.2, applications only receive an access token. To receive a refresh token, both applications and authentik must be configured to request the `offline_access` scope. In authentik this can be done by selecting the `offline_access` Scope mapping in the provider settings.
@@ -51,7 +51,7 @@ A new connection is created every time an endpoint is selected in the [User Inte

 Additionally, it is possible to modify the connection settings through the authorization flow. Configuration set in `connection_settings` in the flow plan context will be merged with other settings as shown above.

-The RAC provider utilises [Apache Guacamole](https://guacamole.apache.org/) for establishing SSH, RDP and VNC connections. RAC supports the use of Apache Guacamole connection configurations.
+The RAC provider utilizes [Apache Guacamole](https://guacamole.apache.org/) for establishing SSH, RDP and VNC connections. RAC supports the use of Apache Guacamole connection configurations.

 For a full list of possible connection configurations, see the [Apache Guacamole connection configuration documentation](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#configuring-connections).

@@ -42,7 +42,7 @@ The RADIUS provider supports EAP-TLS and [PAP](https://en.wikipedia.org/wiki/Pas
 <details>
  <summary>RADIUS compatibility matrix for password-based authentication:</summary>

-This table represents the password-hash compatibillity with various RADIUS protocols.
+This table represents the password-hash compatibility with various RADIUS protocols.

 <HashSupport />
 </details>
@@ -61,7 +61,7 @@ For certificates, ensure that you use a client certificate and a server certific

 For EAP-TLS, note that you should NOT use a globally known CA.

-Using private PKI certificates that are trusted by the end-device is best practise. For example, using a Verisign certificate as a "known CA" means that ANYONE who has a certificate signed by them can authenticate via EAP-TLS, and in addition you should implement [custom validation](../../flows-stages/flow/context/index.mdx#auth_method-string) to prevent unauthorized access.
+Using private PKI certificates that are trusted by the end-device is best practice. For example, using a Verisign certificate as a "known CA" means that ANYONE who has a certificate signed by them can authenticate via EAP-TLS, and in addition you should implement [custom validation](../../flows-stages/flow/context/index.mdx#auth_method-string) to prevent unauthorized access.
 :::

 ### RADIUS attributes
@@ -8,7 +8,7 @@ To migrate existing configurations to blueprints, run `ak export_blueprint` with

 Exported blueprints don't use any of the YAML Tags, they just contain a list of entries as they are in the database.

-Note that fields which are write-only (for example, OAuth Provider's Secret Key) will not be added to the blueprint, as the serialisation logic from the API is used for blueprints.
+Note that fields which are write-only (for example, OAuth Provider's Secret Key) will not be added to the blueprint, as the serialization logic from the API is used for blueprints.

 Additionally, default values will be skipped and not added to the blueprint.

@@ -81,7 +81,7 @@ Every application that you add to authentik requires a provider, which is used t
 - **Configure the Application**:
    - **Name**: provide a descriptive name (such as Grafana).
        - **Group**: select an optional group for the application; groups are used to visually separate applications. For example, you can choose to group applications that you use for coding from those you use for internal communication.
-    - **Policy engine mode**: select **Any** for this tutorial; the mode determnes how strictly policies are adhered to.
+    - **Policy engine mode**: select **Any** for this tutorial; the mode determines how strictly policies are adhered to.
        - <strong className="tip">TIP</strong>: in authentik,
          [policies](../../customize/policies/working_with_policies.md) are used in authentik to
          fine-tune access to applications, flows, stages and many other authentik components. It is
@@ -134,7 +134,7 @@ A huge shoutout to all the people that contributed, helped test and also transla
 - core: add API for all user-source connections
 - core: add API to list all authenticator devices
 - core: add created field to source connection
- flows: optimise stage user_settings API
+- flows: optimize stage user_settings API
 - outposts: separate websocket re-connection logic to decrease requests on reconnect
 - root: pin node images to v16
 - root: update golang ldap server package
@@ -120,7 +120,7 @@ This release does not have any headline features, and mostly fixes bugs.
 - outposts/ldap: fix searches with mixed casing
 - outposts/proxy: use filesystem storage for non-embedded outposts
 - policies: don't always clear application cache on post_save
- stagse/authenticator_webauthn: remove pydantic import
+- stages/authenticator_webauthn: remove pydantic import
 - web: fix borders of sidebars in dark mode

 ## Fixed in 2021.12.1-rc5
@@ -44,7 +44,7 @@ slug: "/releases/2021.7"
 - outposts: save certificate fingerprint and check before re-fetching to cleanup logs
 - outposts/ldap: add tracing for LDAP bind and search
 - outposts/ldap: improve parsing of LDAP filters
- outposts/ldap: optimise backend Search API requests
+- outposts/ldap: optimize backend Search API requests
 - outposts/proxy: add X-Auth-Groups header to pass groups
 - providers/oauth2: handler PropertyMapping exceptions and create event
 - providers/saml: improve error handling for property mappings
@@ -34,7 +34,7 @@ slug: "/releases/2021.9"
 - \*: use common user agent for all outgoing requests
 - admin: migrate to new update check, add option to disable update check
 - api: add additional filters for ldap and proxy providers
- core: optimise groups api by removing member superuser status
+- core: optimize groups api by removing member superuser status
 - core: remove ?v from static files
 - events: add mark_all_seen
 - events: allow setting a mapping for webhook transport to customise request payloads
@@ -52,7 +52,7 @@ slug: "/releases/2021.9"
 - sources/oauth: prevent potentially confidential data from being logged
 - stages/authenticator_duo: add API to "import" devices from duo
 - stages/identification: fix empty user_fields query returning first user
- tenants: optimise db queries in middleware
+- tenants: optimize db queries in middleware
 - web: allow duplicate messages
 - web: ignore network error
 - web/admin: fix notification clear all not triggering render
@@ -90,7 +90,7 @@ slug: "/releases/2021.9"
 - web/user: add missing stop impersonation button
 - web/user: fix edit button for applications
 - web/user: fix final redirect after stage setup
- web/user: optimise load, fix unread status for notifications
+- web/user: optimize load, fix unread status for notifications

 ## Fixed in 2021.9.1

@@ -49,7 +49,7 @@ This release mostly removes legacy fields and features that have been deprecated
 - outposts/proxyv2: fix before-redirect url not being saved in proxy mode
 - outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost
 - providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
- root: allow customisation of ports in compose without override
+- root: allow customization of ports in compose without override
 - root: decrease to 10 backup history
 - root: fix backups running every minute instead of once
 - stages/authenticator_webauthn: make more WebAuthn options configurable
@@ -57,7 +57,7 @@ This release mostly removes legacy fields and features that have been deprecated
 - web: directly read csrf token before injecting into request
 - web: fix double plural in label
 - web/admin: also set embedded outpost host when it doesn't include scheme
- web/admin: fix missing configure flow setting on webuahtn setup stage form
+- web/admin: fix missing configure flow setting on webauthn setup stage form
 - web/flows: remove node directly instead of using removeChild()

 ## Fixed in 2022.1.2
@@ -23,7 +23,7 @@ slug: "/releases/2022.10"
    This also allows for mapping fields from SAML Source to users.

 - Twitch OAuth Source has been added
- Optimised loading speed of Flows & Stages
+- Optimized loading speed of Flows & Stages

    This affects listing Flows & Stages in the admin interface, as well as loading prompts within forms. Also the flow planning has been improved to use less queries.

@@ -3353,7 +3353,7 @@ Changed response : **200 OK**
 ## Minor changes/fixes

 - \*: improve error handling in ldap outpost, ignore additional errors
- admin: add authorisations metric (#3811)
+- admin: add authorizations metric (#3811)
 - blueprints: fix error when exporting objects with lazily translated strings
 - core: fallback to empty user object for PropertyMappingEvaluator
 - core: fix messages not being shown when no client is connected
@@ -3363,7 +3363,7 @@ Changed response : **200 OK**
 - crypto: make certificate parsing optional for crypto api (#3711)
 - flows: always show flow inspector in debug mode, don't require admin in debug (#3786)
 - flows: improved import (show logs, improve UI) (#3807)
- flows: optimise queries for flow and stage API endpoints
+- flows: optimize queries for flow and stage API endpoints
 - internal: limit body size
 - outposts/ldap: increase compatibility with different types in user and group attributes
 - providers/oauth2: add all hardcoded claims to claims_supported list
@@ -79,7 +79,7 @@ image:
 - policies/password: Always add generic message to failing zxcvbn check (#4100)
 - providers: add preview for mappings (#4254)
 - providers/ldap: improve mapping of LDAP filters to authentik queries
- providers/oauth2: optimise and cache signing key, prevent key being loaded multiple times
+- providers/oauth2: optimize and cache signing key, prevent key being loaded multiple times
 - providers/oauth2: set amr values based on login event
 - providers/proxy: correctly set id_token_hint if possible
 - providers/saml: set AuthnContextClassRef based on login event
@@ -30,7 +30,7 @@ In an authenticator validation stage you can now configure multiple configuratio

 ## Minor changes/fixes

- \*: add placeholder custom.css to easily allow user customisation
+- \*: add placeholder custom.css to easily allow user customization
 - \*: rename akprox to outpost.goauthentik.io (#2266)
 - internal: don't attempt to lookup SNI Certificate if no SNI is sent
 - internal: improve error handling for internal reverse proxy
@@ -50,7 +50,7 @@ To simplify the release process we don't publish explicitly tagged release-candi

 ## Fixed in 2022.3.3

- core: fix provider launch URL being prioritised over manually configured launch URL
+- core: fix provider launch URL being prioritized over manually configured launch URL
 - crypto: open files in read-only mode for importing (#2536)
 - outposts/ldap: prevent operations error from nil dereference (#2447)
 - outposts/proxy: use Prefix in ingress for k8s
@@ -26,7 +26,7 @@ slug: "/releases/2022.5"

    You can now configure any [Authenticator Validation Stage](../../add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx) stage to not ask for MFA validation if the user has previously authenticated themselves with an MFA device (of any of the selected classes) in the `Last validation threshold`.

- Optimise bundling of web assets
+- Optimize bundling of web assets

    Previous versions had the entire frontend bundled in a single file (per interface). This has been revamped to produce smaller bundle sizes for each interface to improve the loading times.

@@ -67,7 +67,7 @@ slug: "/releases/2022.6"
 - internal: skip tracing for go healthcheck and metrics endpoints
 - lifecycle: run bootstrap tasks inline when using automated install
 - policies: consolidate log user and application
- providers/oauth2: add test to ensure capitalised redirect_uri isn't changed
+- providers/oauth2: add test to ensure capitalized redirect_uri isn't changed
 - providers/oauth2: dont lowercase URL for token requests (#3114)
 - providers/oauth2: if a redirect_uri cannot be parsed as regex, compare strict (#3070)
 - providers/proxy: only send misconfiguration event once
@@ -16,7 +16,7 @@ slug: "/releases/2022.7"

 - Change in context behaviour for policies executed within flows

-    In previous versions, the policy context would be set to a reference to the currently active flow plan context. This makes it so any changes to `context` wre directly reflected in the flow context. The context has been changed to only include the values, and as such updates like this won't be reflected in the flow. Instead, `context['flow_plan']` is now set, which contains a full reference to the flow Plan, allowing for more customisability than previously. Context changes can be mad by modifying `context['flow_plan'].context`.
+    In previous versions, the policy context would be set to a reference to the currently active flow plan context. This makes it so any changes to `context` wre directly reflected in the flow context. The context has been changed to only include the values, and as such updates like this won't be reflected in the flow. Instead, `context['flow_plan']` is now set, which contains a full reference to the flow Plan, allowing for more customizability than previously. Context changes can be mad by modifying `context['flow_plan'].context`.

 ## New features

@@ -36,7 +36,7 @@ slug: "/releases/2022.8"
 - internal: fix outposts not reacting to signals while starting
 - internal: fix race conditions when accessing settings before bootstrap
 - internal: walk config in go, check, parse and load from scheme like in python
- lifecycle: optimise container lifecycle and process signals (#3332)
+- lifecycle: optimize container lifecycle and process signals (#3332)
 - providers/oauth2: don't separate scopes by comma-space in created events
 - providers/oauth2: fix scopes without descriptions not being saved in consent
 - providers/proxy: add caddy endpoint (#3330)
@@ -223,7 +223,7 @@ Changed response : **200 OK**
 - flows: fix incorrect diagram for policies bound to flows
 - flows: migrate FlowExecutor error handler to native challenge instead of shell
 - internal: fix outposts not logging flow execution errors correctly
- internal: optimise outpost's flow executor to use less requests
+- internal: optimize outpost's flow executor to use less requests
 - internal: use config system for workers/threads, document the settings (#3626)
 - outposts: fix oauth state when using signature routing (#3616)
 - outposts/proxy: fix redirect path when external host is a subdirectory (#3628)
@@ -52,7 +52,7 @@ image:
 - core: fix missing uniqueness validator on user api
 - core: fix token's set_key accessing data incorrectly
 - events: dont log oauth temporary model creation
- events: improve sanitising for tuples and sets
+- events: improve sanitizing for tuples and sets
 - events: prevent error when request fails without response
 - internal: better error message when outpost API controller couldn't fetch outposts
 - internal: fix cache-control header
@@ -62,7 +62,7 @@ image:
 - providers/oauth2: add user id as "sub" mode
 - providers/oauth2: don't use policy cache for token requests
 - providers/oauth2: only set auth_time in ID token when a login event is stored in the session
- providers/oauth2: optimise client credentials JWT database lookup (#4606)
+- providers/oauth2: optimize client credentials JWT database lookup (#4606)
 - providers/oauth2: rework OAuth2 Provider (#4652)
 - providers/proxy: add token support for basic auth
 - providers/proxy: different cookie name based on hashed client id (#4666)
@@ -87,7 +87,7 @@ image:
 - providers/scim: improve compatibility (#5425)
 - providers/scim: patch group name (#5564)
 - root: Change docker-compose HTTP and HTTPS port variables (#5335)
- root: optimise healthchecks (#5337)
+- root: optimize healthchecks (#5337)
 - sources/oauth: add patreon type (#5452)
 - sources/oauth: fix reddit (#5557)
 - stages/prompt: Add initial_data prompt field and ability to select a default choice for choice fields (#5095)
@@ -59,7 +59,7 @@ image:
 ## Minor changes/fixes

 - \*: fix api errors raised in general validate() to specify a field (#6663)
- api: optimise pagination in API schema (#6478)
+- api: optimize pagination in API schema (#6478)
 - blueprints: fix blueprint importer logging potentially sensitive data (#6567)
 - blueprints: fix tag values not resolved correctly (#6653)
 - blueprints: prevent duplicate password stage in default flow when using combined identification stage (#6432)
@@ -85,7 +85,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.10
 - enterprise: fix incorrect comparison for latest validity date (#11109)
 - enterprise: show specific error if Install ID is invalid in license (#11317)
 - events: always use expiry from current tenant for events, not only when creating from HTTP request (#11415)
- events: optimise marking events as seen (#11297)
+- events: optimize marking events as seen (#11297)
 - fix: proxy provider - docker traefik label (#11460)
 - flows: include Outpost instance in flow context and save in login event (#11318)
 - flows: provider invalidation (#5048)
@@ -199,7 +199,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.2
 - core: fix PropertyMapping context not being available in request context
 - core: fix pagination in applications list being ignored (#8512)
 - core: fix worker beat toggle inverted (#7508)
- core: optimise user list endpoint (#8353)
+- core: optimize user list endpoint (#8353)
 - core: show all applications a user can access in admin interface (#8343)
 - core: use correct .evaluate implementation for testing PropertyMappings (#8459)
 - core: use correct .evaluate implementation for testing PropertyMappings (#8459)
@@ -3,6 +3,8 @@ title: Release 2024.4
 slug: /releases/2024.4
 ---

+<!-- cSpell:ignore moar -->
+
 ## Highlights

 - **OAuth/SAML as authentication factor** :ak-enterprise Use an external provider as part of an MFA authentication flow, including custom implementations
@@ -119,7 +119,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.6
 - enterprise/providers: import user/group data when manually linking objects (#10089)
 - enterprise/stages/source: fix error when creating source stage from blueprint (#9810)
 - events: ensure all models' **str** can be called without any further lookups (#9480)
- events: fix geoip enrich context not converting to json-seriazable data (#9885)
+- events: fix geoip enrich context not converting to json-serializable data (#9885)
 - flows: fix execute API endpoint (#9478)
 - lib/providers/sync: improve outgoing sync (#9835)
 - lib/providers/sync: multiple minor fixes (#9667)
@@ -268,7 +268,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.8
 - core: fix permission check for scoped impersonation (cherry-pick #11315) (#11316)
 - enterprise: fix API mixin license validity check (cherry-pick #11331) (#11342)
 - enterprise: show specific error if Install ID is invalid in license (cherry-pick #11317) (#11319)
- events: optimise marking events as seen (cherry-pick #11297) (#11299)
+- events: optimize marking events as seen (cherry-pick #11297) (#11299)
 - providers/proxy: fix URL path getting lost when partial URL is given to rd= (cherry-pick #11354) (#11355)
 - root: fix ensure `outpost_connection_discovery` runs on worker startup (cherry-pick #11260) (#11270)
 - sources/ldap: fix missing search attribute (cherry-pick #11125) (#11340)
@@ -127,7 +127,7 @@ If you had persistence for Redis configured, you can delete the PVC and PV after
 - \*/bindings: order by pk (#17027)
 - api: Clean schema up more (#17055)
 - api: Fix locale propagation from ?locale parameter in frontend (#16857)
- api: optimise schemas' common query parameters (#16884)
+- api: optimize schemas' common query parameters (#16884)
 - blueprints: ensure tasks retry on database errors (#17333)
 - blueprints: exclude exporting UserConsent (#16640)
 - blueprints: fix email address verified by default (#16206)
@@ -153,7 +153,7 @@ If you had persistence for Redis configured, you can delete the PVC and PV after
 - core: Normalize NPM script arguments. (#16725)
 - core: update_attributes: only update the model if attributes changed (#16322)
 - core: use email backend for test_email management command (#16311)
- core/api: Better naming for partial user/group serializer, optimise bindings (#17022)
+- core/api: Better naming for partial user/group serializer, optimize bindings (#17022)
 - enterprise/providers/gws+entra: fix group integrity error during discovery (#17355)
 - enterprise/providers/gws+entra: fix integrity error during discovery (#17341)
 - enterprise/providers/radius: add EAP-TLS support (#15702)
@@ -279,7 +279,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.12
 - stages/mtls: always include cert in flow plan (#18657)
 - stages/prompt: fix choices with labels causing error on submit (#18183)
 - stages/prompt: set allow_blank for \_read_only fields (#18297)
- stages/user_write: Fix user attributes are not sanitized under certains conditions (#17890)
+- stages/user_write: Fix user attributes are not sanitized under certain conditions (#17890)
 - tasks/schedules: fix rel obj not being associated or updated (#17934)
 - tasks: delay startup signals (#17769)
 - tasks: sanitize log attributes (#17833)
@@ -397,7 +397,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.12
 - web/elements: stabilize dual-select status height (cherry-pick #19734 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/19776
 - providers/scim: fix email validation mismatch (cherry-pick #19848 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/19853
 - sources/saml: properly catch InvalidSignature exception (cherry-pick #19641 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/19650
- sources/oauth: Fix an issue where wechat may crash duing login. (cherry-pick #18973 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/19854
+- sources/oauth: Fix an issue where wechat may crash during login. (cherry-pick #18973 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/19854
 - admin/files: add centralized theme variable support for file URLs (cherry-pick #19657 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/19793
 - web/table: align row action icons and tooltip color (cherry-pick #19736 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/19773
 - web/admin: fix file upload not preserving extension for custom names with dots (cherry-pick #19548 to version-2025.12) by @authentik-automation[bot] in https://github.com/goauthentik/authentik/pull/19685
@@ -59,7 +59,7 @@ slug: "/releases/2025.2"

    Setting the **Is superuser** toggle on a group now requires a separate permission, making it much easier to allow for delegated management of groups without risking the ability for users to self-elevate permissions. For details, refer to our [documentation](../../users-sources/groups/manage_groups.mdx#modify-a-group).

- **Improved debugging experienc**e
+- **Improved debugging experience**

    For people developing authentik or building very complex, custom integrations, how to configure debugging in authentik is documented [here](../../developer-docs/setup/debugging.md).

@@ -11,7 +11,7 @@ This is helpful to confirm that certain required Headers are correctly forwarded

 ### When using the embedded outpost

-When using the [embedded outpost](../add-secure-apps/outposts/embedded/embedded.mdx), the logs output identically to all other authenik logs. Refer to the [Capturing authentik logs](./logs/logs.mdx) documentation for instructions on how to enable `trace` logging.
+When using the [embedded outpost](../add-secure-apps/outposts/embedded/embedded.mdx), the logs output identically to all other authentik logs. Refer to the [Capturing authentik logs](./logs/logs.mdx) documentation for instructions on how to enable `trace` logging.

 ### When using a standalone outpost

@@ -27,7 +27,7 @@ If you have the provider metadata, you should be able to extract all values you
 | SLO URL                    | https://saml.company/logout/saml | The URL that is called when a user logs out of authentik, can be used to automatically log the user out of the SAML IDP after logging out of Authentik. Not supported by all IDPs, and not always wanted behaviour.                                                            |
 | Issuer/Entity ID           | https://authentik.company        | The identifier for the authentik instance in the SAML federation, can be chosen freely. This is used to identify the SP on the IDP side, it usually makes sense to configure this to the URL of the SP or the path corresponding to the SP (e.g. `/source/saml/<source-slug>/` |
 | Binding Type               | HTTP-POST                        | How authentik communicates with the SSO URL (302 redirect or POST request). This will depend on what the provider supports.                                                                                                                                                    |
-| Allow IDP-Initiated Logins | False                            | Whether to allow the IDP to log users into authentik without any interaction. Activating this may constitute a security risk since this request is not verified, and could be utilised by an attacker to authenticate a user without interaction on their side.                |
+| Allow IDP-Initiated Logins | False                            | Whether to allow the IDP to log users into authentik without any interaction. Activating this may constitute a security risk since this request is not verified, and could be utilized by an attacker to authenticate a user without interaction on their side.                |
 | NameID Policy              | Persistent                       | Depending on what the IDP sends as persistent ID, some IDPs use the username or email address while others will use a random string/hashed value. If the user in authentik receives a random string as a username, try using Email address or Windows                          |
 | Flow settings              | Default                          | If there are custom flows in your instance for external authentication, change to use them here                                                                                                                                                                                |

@@ -81,7 +81,7 @@ access_token = connection.access_token
 # We also access the user info authentik already retrieved, to get the correct username
 github_username = context["oauth_userinfo"]

-# Github does not include Organisations in the userinfo endpoint, so we have to call another URL
+# Github does not include Organizations in the userinfo endpoint, so we have to call another URL
 orgs_response = requests.get(
    "https://api.github.com/user/orgs",
    auth=(github_username["login"], access_token),
@@ -6,7 +6,7 @@ support_level: community

 ## What is Matrix Synapse

-> Matrix is an open source project that publishes the Matrix open standard for secure, decentralised, real-time communication, and its Apache licensed reference implementations.
+> Matrix is an open source project that publishes the Matrix open standard for secure, decentralized, real-time communication, and its Apache licensed reference implementations.
 >
 > -- https://matrix.org/

@@ -233,7 +233,7 @@ To configure group quotas you will need to create groups in authentik for each q

 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Directory** > **Groups** and click **Create**.
-3. Set a name for the group (e.g. `nextlcloud-15GB`), assign a custom attribute (e.g., `nextcloud_quota`), and click **Create**.
+3. Set a name for the group (e.g. `nextcloud-15GB`), assign a custom attribute (e.g., `nextcloud_quota`), and click **Create**.
 4. Click the name of the newly created group and navigate to the **Users** tab.
 5. Click **Add existing user**, select the users that require this storage quota and click **Add**.

@@ -15,7 +15,7 @@ support_level: community
 The following placeholders are used in this guide:

 - `authentik.company` is the FQDN of the authentik installation.
- `roudcube.company` is the FQDN of the Roundcube installation.
+- `roundcube.company` is the FQDN of the Roundcube installation.

 :::info
 Roundcube is often used alongside Postfix and Dovecot. Postfix sends/receives email (SMTP), Dovecot stores/retrieves mail (IMAP/POP3), and Roundcube acts as a webmail client.
@@ -124,4 +124,4 @@ Create a new SCIM provider with the following parameters:

 Go back to your GitHub EMU Application created in the first step and add your new SCIM provider in the _Backchannel Providers_ field, then click the _Update_ button.

-You should now be ready to assign users to your _GitHub Users_ and _GitHub Admins_ groups, which will be provisioend by the SCIM provisioner. If you do not see your users being provisioned, go to your SCIM provider and click the _Run sync again_ option. A few seconds later, you should see results of the SCIM sync.
+You should now be ready to assign users to your _GitHub Users_ and _GitHub Admins_ groups, which will be provisioned by the SCIM provisioner. If you do not see your users being provisioned, go to your SCIM provider and click the _Run sync again_ option. A few seconds later, you should see results of the SCIM sync.
@@ -78,7 +78,7 @@ Once the appliance has saved the settings and reloaded the services, you should

 This section only applies if you have taken the steps prior to prepare the instance for SCIM enablement.

-After enabling SAML, log into your initial administrator account again. Click the user portrait in tee top right, click _Enterprise settings_, click _Settigs_ in the left-hand sidebar, click _Authentication security_. On this page you have to check _Enable SCIM configuration_ and press _Save_. After which you should get a message reading _SCIM Enabled_.
+After enabling SAML, log into your initial administrator account again. Click the user portrait in tee top right, click _Enterprise settings_, click _Settings_ in the left-hand sidebar, click _Authentication security_. On this page you have to check _Enable SCIM configuration_ and press _Save_. After which you should get a message reading _SCIM Enabled_.

 Before we create a SCIM provider, we have to create a new Property Mapping. In authentik, go to _Customization_, then _Property Mappings_. Here, click _Create_, select _SCIM Provider Mapping_. Name the mapping something memorable and paste the following code in the _Expression_ field:

@@ -111,4 +111,4 @@ Create a new SCIM provider with the following parameters:

 Go back to your GitHub Enterprise Server Application created in the first step and add your new SCIM provider in the _Backchannel Providers_ field, then click the _Update_ button.

-You should now be ready to assign users to your _GitHub Users_ and _GitHub Admins_ groups, which will be provisioend by the SCIM provisioner. If you do not see your users being provisioned, go to your SCIM provider and click the _Run sync again_ option. A few seconds later, you should see results of the SCIM sync.
+You should now be ready to assign users to your _GitHub Users_ and _GitHub Admins_ groups, which will be provisioned by the SCIM provisioner. If you do not see your users being provisioned, go to your SCIM provider and click the _Run sync again_ option. A few seconds later, you should see results of the SCIM sync.
@@ -163,7 +163,7 @@ Alternatively, you can use an existing key if you have one available.
 2. Click **Create** and use the following values:
    - **Name**: `apple-business-manager`
    - **Certificate**: Paste in your certificate
-    - **Private Key**: _[optional]_ Pastein your private key
+    - **Private Key**: _[optional]_ Paste in your private key

 3. Click **Create** and confirm that the new key is listed in the **Certificates** overview.

@@ -53,7 +53,7 @@ The JSON needs to be inline (single line) because various `.env` parsers, such a

 ## Configuration verification

-To verify the integration with Papra, log out and attempt to log back in using the **Log in with authentik** button. You should be redirected to the authenik login page. Once authenticated, you should be redirected to the Papra dashboard.
+To verify the integration with Papra, log out and attempt to log back in using the **Log in with authentik** button. You should be redirected to the authentik login page. Once authenticated, you should be redirected to the Papra dashboard.

 ## Resources

@@ -73,13 +73,13 @@ Configure Snipe-IT LDAP settings by going to settings (the gear icon), and selec

 Change the following fields

- LDAP Integration: **ticked**
- LDAP Password Sync: **ticked**
- Active Directory : **unticked**
+- LDAP Integration: **Checked**
+- LDAP Password Sync: **Checked**
+- Active Directory : **Unchecked**
 - LDAP Client-Side TLS Key: (taken from authentik)
 - LDAP Server: `ldap://authentik.company`
- Use TLS : **unticked**
- LDAP SSL certificate validation : **ticked**
+- Use TLS : **Unchecked**
+- LDAP SSL certificate validation : **Checked**
 - Bind credentials:
    - LDAP Bind Username: `cn=snipeit-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
    - LDAP Bind Password: `<snipeit-user password from step 2>`
@@ -92,7 +92,7 @@ Change the following fields
  :::info
  Setting the Username field to mail is recommended in order to ensure the username is unique. See https://snipe-it.readme.io/docs/ldap-sync-login
  :::
- Allow unauthenticated bind: **unticked**
+- Allow unauthenticated bind: **Unchecked**
 - Last Name: sn
 - LDAP First Name: givenname
 - LDAP Authentication query: cn=
@@ -144,12 +144,12 @@ Either copy the information under SAML Metadata, or click the Download button un

 Configure Snipe-IT SAML settings by going to settings (the gear icon), and selecting `SAML`

- SAML enabled: **ticked**
+- SAML enabled: **Checked**
 - SAML IdP Metadata: (paste information copied in Step 2 above -or-
 - Click `Select File` and select the file you downloaded in Step 2
 - Attribute Mapping - Username: mail
- SAML Force Login: **ticked**
- SAML Single Log Out: **ticked**
+- SAML Force Login: **Checked**
+- SAML Single Log Out: **Checked**

 All other field can be left blank.

@@ -65,5 +65,5 @@ All of the URLs mentioned below can be copied & pasted from authentik (**Applica
 5. You should be able to login with OIDC.

 :::info
-The first time a user signs in, Xen Orchesta will create a new user with the same username used in authentik. If you want to map the users by their e-mail-address instead of their username, you have to set the `Username field` to `email` in the Xen Orchestra plugin configuration.
+The first time a user signs in, Xen Orchestra will create a new user with the same username used in authentik. If you want to map the users by their e-mail-address instead of their username, you have to set the `Username field` to `email` in the Xen Orchestra plugin configuration.
 :::
@@ -169,7 +169,7 @@ This section depends on the operating system hosting Apache Guacamole.
 2. To import the certificate to the `/opt/java/openjdk/lib/security/cacerts` keystore on the Apache Guacamole host, use the following command:

    ```shell
-    keytool -importkeystore -srckeystore <CA_certificate>.p12 -srcstoretype PKCS12 -keystore /opt/java/openjdk/lib/security/cacerts -deststorepass <destination_store_password> -nopromt -srcstorepass <password>
+    keytool -importkeystore -srckeystore <CA_certificate>.p12 -srcstoretype PKCS12 -keystore /opt/java/openjdk/lib/security/cacerts -deststorepass <destination_store_password> -noprompt -srcstorepass <password>
    ```

 :::tip Older versions of Apache Guacamole (pre v1.6)
@@ -63,7 +63,7 @@ Komodo doesn't currently have a method to provision OIDC users, therefore OIDC a
 3. You will be redirected back to Komodo, and receive an error message saying "User Not Enabled".
 4. Log in to Komodo using a local administrator account.
 5. In the sidebar click **Settings**, and under the **Users** section, click the name of your authentik user. The **User type** should be **OIDC**.
-6. Click **Enable User**, and assign the desired pemissions.
+6. Click **Enable User**, and assign the desired permissions.

 ## Configuration verification

@@ -78,7 +78,7 @@ DefaultRoot /your/ftp/storage/dir
    # Replace this with the server-url:port of your LDAP outpost
    LDAPServer authentik.company:389
    # The LDAP Bind account must be specified here
-    LDAPBindDN cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io PASSWORDOFLDAPSERVICE
+    LDAPBindDN cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io PASSWORD_OF_LDAP_SERVICE
    # The second parameter is optional
    #  In this case I am restricting access to the group ftpusers
    #  Instead you could also create bind policies in your created authentik application
@@ -69,7 +69,7 @@ To support the integration of Terraform with authentik, you need to create an ap

 ## Configuration verification

-To verify that authentik is correctly integrated with Terraform Cloud, first log out of Terrafom Cloud. Open the [Terraform Cloud login page](https://app.terraform.io/) and click **Sign in with Terraform SSO**. Enter the name of your organization, click **Next**, and you'll be redirected to authentik. Once authenticated, you will be signed into Terraform Cloud.
+To verify that authentik is correctly integrated with Terraform Cloud, first log out of Terraform Cloud. Open the [Terraform Cloud login page](https://app.terraform.io/) and click **Sign in with Terraform SSO**. Enter the name of your organization, click **Next**, and you'll be redirected to authentik. Once authenticated, you will be signed into Terraform Cloud.

 ## Resources

@@ -54,7 +54,7 @@ To support the integration of FortiGate with authentik, you need to create an ap

 ## FortiGate Configuration

-To integrate Fortigate with authentik, nagiate to `https://fortigate.company/ng/system/certificate` and import the certificate you configured in the previous section.
+To integrate Fortigate with authentik, navigate to `https://fortigate.company/ng/system/certificate` and import the certificate you configured in the previous section.

 Once that is done, navigate to `https://fortigate.company/fabric-connector/edit/security-fabric-connection` and select **Single Sign-On** to configure SAML authentication. You should see, under **Mode**, a toggle named **Service Provider (SP)**, toggle it to enable this authentication method.

@@ -76,12 +76,12 @@ Change the following fields
 - Base DN: `DC=ldap,DC=goauthentik,DC=io`
 - Search Scope: Subtree
 - Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io`
- Bind anonymous: **unticked**
+- Bind anonymous: **Unchecked**
 - Bind credentials:
    - User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
    - Password: `<pfsense-user password from step 2>`
 - Group member attribute: `memberOf`
- Allow unauthenticated bind: **unticked**
+- Allow unauthenticated bind: **Unchecked**

 ## pfSense secure setup (with SSL)

@@ -135,12 +135,12 @@ Change the following fields
 - Base DN: `DC=ldap,DC=goauthentik,DC=io`
 - Search Scope: Subtree
 - Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io`
- Bind anonymous: **unticked**
+- Bind anonymous: **Unchecked**
 - Bind credentials:
    - User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
    - Password: `<pfsense-user password from step 2>`
 - Extended Query: &(objectClass=user)
- Allow unauthenticated bind: **unticked**
+- Allow unauthenticated bind: **Unchecked**

 ## Test your setup

@@ -21,7 +21,7 @@ This documentation lists only the settings that you need to change from their de
 :::

 :::warning
-IdP inititiated login does not work with Zoho. This is due to Zoho's non-standard requirement to set the format of the SAML `NameID` response which is currently not possible with authentik.
+IdP initiated login does not work with Zoho. This is due to Zoho's non-standard requirement to set the format of the SAML `NameID` response which is currently not possible with authentik.
 :::

 ## Download Zoho metadata file