From 83854281d0a1f3eae34887a23253e3010d437ed0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Jun 2026 14:37:29 +0200
Subject: [PATCH 01/68] ci: bump github/codeql-action from 4.36.1 to 4.36.2
 (#22921)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.36.1 to 4.36.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/87557b9c84dde89fdd9b10e88954ac2f4248e463...8aad20d150bbac5944a9f9d289da16a4b0d87c1e)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/qa-codeql.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/qa-codeql.yml b/.github/workflows/qa-codeql.yml
index 726c696413..8edacbf92f 100644
--- a/.github/workflows/qa-codeql.yml
+++ b/.github/workflows/qa-codeql.yml
@@ -28,10 +28,10 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
+        uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2

From 668f363ae766a3b7075c40cb5bb7eaeccc1ceaa2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Jun 2026 14:37:46 +0200
Subject: [PATCH 02/68] ci: bump getsentry/action-release from 3.6.1 to 3.7.0
 (#22917)

Bumps [getsentry/action-release](https://github.com/getsentry/action-release) from 3.6.1 to 3.7.0.
- [Release notes](https://github.com/getsentry/action-release/releases)
- [Changelog](https://github.com/getsentry/action-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/getsentry/action-release/compare/f71adb49d4b2aeeda98052d3de234bbb0f3e03ab...ff07929a6537bac57790c3451cf4d364aca38528)

---
updated-dependencies:
- dependency-name: getsentry/action-release
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/release-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index 736b9bd149..58914cc19c 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -228,7 +228,7 @@ jobs:
           container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@f71adb49d4b2aeeda98052d3de234bbb0f3e03ab # v3
+        uses: getsentry/action-release@ff07929a6537bac57790c3451cf4d364aca38528 # v3
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

From 2176cadb4c8ecf4a4e37d5558208d98a0210e1a9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Jun 2026 14:38:01 +0200
Subject: [PATCH 03/68] core: bump ruff from 0.15.15 to 0.15.16 (#22918)

Bumps [ruff](https://github.com/astral-sh/ruff) from 0.15.15 to 0.15.16.
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.15.15...0.15.16)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.15.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pyproject.toml |  2 +-
 uv.lock        | 40 ++++++++++++++++++++--------------------
 2 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 90502505af..955a7dfc78 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -101,7 +101,7 @@ dev = [
   "pytest-timeout==2.4.0",
   "pytest==9.0.3",
   "requests-mock==1.12.1",
-  "ruff==0.15.15",
+  "ruff==0.15.16",
   "selenium==4.44.0",
   "types-channels==4.3.0.20260518",
   "types-docker==7.1.0.20260518",
diff --git a/uv.lock b/uv.lock
index 48bbddddcf..b6bb5b2cfc 100644
--- a/uv.lock
+++ b/uv.lock
@@ -457,7 +457,7 @@ dev = [
     { name = "pytest-randomly", specifier = "==4.1.0" },
     { name = "pytest-timeout", specifier = "==2.4.0" },
     { name = "requests-mock", specifier = "==1.12.1" },
-    { name = "ruff", specifier = "==0.15.15" },
+    { name = "ruff", specifier = "==0.15.16" },
     { name = "selenium", specifier = "==4.44.0" },
     { name = "types-channels", specifier = "==4.3.0.20260518" },
     { name = "types-docker", specifier = "==7.1.0.20260518" },
@@ -3314,27 +3314,27 @@ wheels = [
 
 [[package]]
 name = "ruff"
-version = "0.15.15"
+version = "0.15.16"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/84/6f/a76f7d96e5c962f5b69cee865e49c15c1116897c01990faa8a57edb62e7f/ruff-0.15.15.tar.gz", hash = "sha256:b8dff018130b46d8e5bf0f926ef6b60cf871d6d5ae45fc9334e09632daa741d6", size = 4706985, upload-time = "2026-05-28T14:16:57.784Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/a6/bd/5f7ec371001337d8fa61701c186ff8b613ecac1651848c5950f4c4d5f2e9/ruff-0.15.16.tar.gz", hash = "sha256:d05e78d38c78caf020b03789e25106c93017db5a0cb6e2819885018c61343b78", size = 4714267, upload-time = "2026-06-04T16:33:09.974Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/fa/9d/3a45c05b8ab04b4705989de70a79008e27c8003296a0feaee9edc18dd7e9/ruff-0.15.15-py3-none-linux_armv6l.whl", hash = "sha256:cf93e5388f412e1b108b1f8b34a6e036b70fe8aff89393befad96fe48670311b", size = 10710652, upload-time = "2026-05-28T14:16:06.701Z" },
-    { url = "https://files.pythonhosted.org/packages/05/66/da974431624bf3b49f6ee1f9543c02d929ff1cba78b0d5a79c38cf21f744/ruff-0.15.15-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:ac5a646d1f6a7dadd5d50842dae2c1f9862ac887ef5d1b1375e02def791fde6e", size = 11096615, upload-time = "2026-05-28T14:16:23.313Z" },
-    { url = "https://files.pythonhosted.org/packages/8c/09/7443452e5d290230a712103f2fdceeef7184f3ec99a2bd01c8be78aaceb5/ruff-0.15.15-py3-none-macosx_11_0_arm64.whl", hash = "sha256:77d955a431430c66f72dd94e379ad38a16daea3d25094872ac4edf9e797be530", size = 10436683, upload-time = "2026-05-28T14:16:40.974Z" },
-    { url = "https://files.pythonhosted.org/packages/53/01/d330c26a57fa4f3943a14424904027428315b700fe4d14a84bb123a649e5/ruff-0.15.15-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7614ee79c69788cf6cedd568069ade9cecc22a1ad20494efe8d0c9ebb4b622d4", size = 10769064, upload-time = "2026-05-28T14:16:28.905Z" },
-    { url = "https://files.pythonhosted.org/packages/1d/85/cc8770f8bdff541b1da8392d1634141fe4a0e3f4ee596605959b7906c27f/ruff-0.15.15-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:3cdb1679e06a1f6b47bc384714ae96f6e2fb65ca441eb78c43d2ca554176ce1f", size = 10511987, upload-time = "2026-05-28T14:16:43.732Z" },
-    { url = "https://files.pythonhosted.org/packages/7c/29/8c190c1472b63013583ba391f3342036e02010544c1270455ed8e519bdf3/ruff-0.15.15-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2728b93d7b23a603ea2c0ac6eb73d760bd38ec9de35f35fb41e18f7a3fee7622", size = 11275100, upload-time = "2026-05-28T14:16:55.244Z" },
-    { url = "https://files.pythonhosted.org/packages/9f/6b/7e145ce2cc8e63d6834eca03d83a0e18d121def5c69f91b4cf4011ed4879/ruff-0.15.15-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:be582fcc0db438902c7792b08d6ddf6c9b9e21addaa10092c2c741cfb09e5a45", size = 12176903, upload-time = "2026-05-28T14:16:14.368Z" },
-    { url = "https://files.pythonhosted.org/packages/80/a3/d5974637f68e451f7fadf015cf3101d1cd7d8ba5027cffe0b9e3826ebe6b/ruff-0.15.15-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:7aa77465b8ecaf1a27bea098d696f7fed5e1eccbd10b321b682d6de586ae5627", size = 11404550, upload-time = "2026-05-28T14:16:20.138Z" },
-    { url = "https://files.pythonhosted.org/packages/fe/1c/e6e5e568f22be4fb05d6244234aba384c06b451252453b821e1a529263cf/ruff-0.15.15-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:48decfa11d740de4889de623be1463308346312f2409a56e24aa280c86162dc4", size = 11382027, upload-time = "2026-05-28T14:16:46.615Z" },
-    { url = "https://files.pythonhosted.org/packages/1d/01/170921b49fcd2e8858825593f91cf7146c3e40a5c3e6df763e4bb0484dde/ruff-0.15.15-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:a5015088452ca0081387063649ec67f06d3d1d6b8b936a1f836b5e9657ecd48c", size = 11366041, upload-time = "2026-05-28T14:16:26.247Z" },
-    { url = "https://files.pythonhosted.org/packages/87/54/a7bad711d7de93254e15e06a4c375b89a03d18de45d3e5dcc86a4472fb1a/ruff-0.15.15-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:f5294aab6356c81600fcdea3a62bb1b924dfd5e91767c12318d3f68f86af57cd", size = 10741795, upload-time = "2026-05-28T14:16:17.11Z" },
-    { url = "https://files.pythonhosted.org/packages/c9/31/38c075963668f8b41c6914ee0f6f318727fbe30ab9145cb29e6df464c5fa/ruff-0.15.15-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:db5bd4d802415cca656dc1616070b725952d6ae95eb5d4831e49fbd94a38f75f", size = 10511117, upload-time = "2026-05-28T14:16:31.767Z" },
-    { url = "https://files.pythonhosted.org/packages/9d/96/6ff689e1f7e375d1d97075eca022f74c2bab59554a432fe4d2e6f091986a/ruff-0.15.15-py3-none-musllinux_1_2_i686.whl", hash = "sha256:587a6278ed42059191c1a466e490bd7930fb50bd2e255398bc29616c895a61cb", size = 10994867, upload-time = "2026-05-28T14:16:35.149Z" },
-    { url = "https://files.pythonhosted.org/packages/c3/c2/5dce0ab9f92a8d534fa62b9bf9caca3eddb8c1a81b616f5e195ada4f0d6e/ruff-0.15.15-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:df0c1c084f5f4be9812f61518a45c440d3c30d69ce4bf6c5270e66d38338f02a", size = 11482101, upload-time = "2026-05-28T14:16:49.598Z" },
-    { url = "https://files.pythonhosted.org/packages/b1/c0/1003b60edd697c649faf61f1a34094b1abb38fb3d1181e3f895781250a08/ruff-0.15.15-py3-none-win32.whl", hash = "sha256:29428ea79694afbe756d45fd59b36f22b6b020dc0443cf7de0173046236964b9", size = 10716774, upload-time = "2026-05-28T14:16:52.337Z" },
-    { url = "https://files.pythonhosted.org/packages/02/a8/1269eddd6945a06c23f055ef7848886e37cf9d6a8bebb386a3115f01470c/ruff-0.15.15-py3-none-win_amd64.whl", hash = "sha256:8df0323902e15e24bc4bf246da830573d3cf3352bd0b9a164eab335d111ff4a4", size = 11868463, upload-time = "2026-05-28T14:16:11.333Z" },
-    { url = "https://files.pythonhosted.org/packages/4e/b2/920464c907b191e37469d477a1aa8bc048b8f36c4c1610dfa4ab87b39e18/ruff-0.15.15-py3-none-win_arm64.whl", hash = "sha256:3c8ceca6792f38196b8f589bc92eccd03eef286602da92e5dc05cc42ef6441b7", size = 11138498, upload-time = "2026-05-28T14:16:38.425Z" },
+    { url = "https://files.pythonhosted.org/packages/0c/42/53ef1c3953f157956db9bf7861e3bc50b9b887ce93300aa48cdba8336fe6/ruff-0.15.16-py3-none-linux_armv6l.whl", hash = "sha256:6ac3c0b3969cc6cf6b158c4e2f8f682acb58e7d700d8a44b65ecdc72d66ab0b2", size = 10709025, upload-time = "2026-06-04T16:32:51.935Z" },
+    { url = "https://files.pythonhosted.org/packages/93/9a/a79159346f19134a956607754e57d8d128f7a4c00f4ad2f7514d224c172c/ruff-0.15.16-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:197c207ed75ffba54a0dec23db4aa939a27a3053073e085e0042433cbdc58e4a", size = 11063550, upload-time = "2026-06-04T16:32:42.24Z" },
+    { url = "https://files.pythonhosted.org/packages/bc/72/3ce2ac000a5299ec238e01f51397b3b653c93b077d9b1bfe8715bb895f20/ruff-0.15.16-py3-none-macosx_11_0_arm64.whl", hash = "sha256:3a39fec45ab316cc23e7558f23fea4a70403ddb5648ea9a4a3854a16973d0071", size = 10421345, upload-time = "2026-06-04T16:32:37.251Z" },
+    { url = "https://files.pythonhosted.org/packages/b0/c2/cc7fad3ec9169373f5b6a18f1917b91080feec40c3f9658334a1d28e2f03/ruff-0.15.16-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ba93191d79003116b95128c9d306e045200fdbd0bccb782b110f3cd1d4abc5cf", size = 10757217, upload-time = "2026-06-04T16:32:54.722Z" },
+    { url = "https://files.pythonhosted.org/packages/69/d2/3474009eaa0a65b31fa7152a2fad5e2f050c640ceb1e6b02ee6922e94c82/ruff-0.15.16-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:c6ee4b90520630120ef032aa5cc10db483852dff950e78b1d717e2993a61ac8d", size = 10507035, upload-time = "2026-06-04T16:33:05.343Z" },
+    { url = "https://files.pythonhosted.org/packages/ca/81/b7ae6ccbd11f0c8dc3d5d67fc4be9b57ff57ca86ba56152021378e1277f2/ruff-0.15.16-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4e4215bc938bc3c8215c1472c1aa437e310fee20cd427335fec9d7e609563628", size = 11255291, upload-time = "2026-06-04T16:32:49.49Z" },
+    { url = "https://files.pythonhosted.org/packages/d9/e1/46e526f1a7cc90857ce6ddf25fbb77eb6568651ac38d71b033af07076dd5/ruff-0.15.16-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7c8d26be963b090f10e29abc8b3e74a2a321f6fa34e02424e30b5af89350ecbb", size = 12124922, upload-time = "2026-06-04T16:33:07.821Z" },
+    { url = "https://files.pythonhosted.org/packages/1a/da/5c791b088b596b24d0deb967fa28ae02ad751a140c0b9ea81c5ab915d6c0/ruff-0.15.16-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f198cf4123602a2280ed46c307bcbafe41758d6fee5b456b6b6058ca1514b3b4", size = 11332186, upload-time = "2026-06-04T16:33:02.971Z" },
+    { url = "https://files.pythonhosted.org/packages/72/11/5da87abe20047c8962361473923ebb2f62b595250126aadfad8c20649c1e/ruff-0.15.16-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bb27515fa6240fb586ae82b901a59e67d24acff86f2190b433dc542fe0435aeb", size = 11373541, upload-time = "2026-06-04T16:32:47.007Z" },
+    { url = "https://files.pythonhosted.org/packages/fe/2a/8554754c23a854ae3fd6b507e36ad61ddb121e298c6d5d617dec94ed0f14/ruff-0.15.16-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:a267c46ba1593fc26b8eecbea050b39d40c0b6bb7781ee11c90a02cd10032951", size = 11353014, upload-time = "2026-06-04T16:32:34.795Z" },
+    { url = "https://files.pythonhosted.org/packages/62/25/62ea41529ec89f742ea3fed9cb1059c72877ec7cf9b9e99ac9cf3294d1d9/ruff-0.15.16-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:528c68f39a91498a8d50e91ff5985df3d105782bab49cc378e73ac26bff083e8", size = 10737467, upload-time = "2026-06-04T16:32:26.348Z" },
+    { url = "https://files.pythonhosted.org/packages/90/17/334d3ad9de4d40f9dd58fdd09e35ce64553bb501e2f19a839e2fb6be14fc/ruff-0.15.16-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:7ed55c58950df60589a9a7a5d2f8fa5f54ebd287163be805adfe6ee95a9de123", size = 10521910, upload-time = "2026-06-04T16:32:32.54Z" },
+    { url = "https://files.pythonhosted.org/packages/4d/bd/3ac7c6ae77a885c1004b3dda2446ea401768d24f851c14b4ad4b24f6639c/ruff-0.15.16-py3-none-musllinux_1_2_i686.whl", hash = "sha256:d482feaf51512b50f9790ceb417a56a61dd1e9d9bf967662b9ed27c01b34f53a", size = 10979190, upload-time = "2026-06-04T16:32:57.492Z" },
+    { url = "https://files.pythonhosted.org/packages/33/d7/609546e6a413c3f216fbf2a50c928f97c80939154f6a0503114094a86191/ruff-0.15.16-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:1e15bc8c94513dae2a40cc9ef07c94fdd4ecc9e29dabebeebe170f952322c9e3", size = 11477014, upload-time = "2026-06-04T16:32:44.687Z" },
+    { url = "https://files.pythonhosted.org/packages/74/0d/f2cd247ad32633a5c36e97141a2c21b11c6279f7957bc2ff360b1e08fddd/ruff-0.15.16-py3-none-win32.whl", hash = "sha256:580378f7bd4aa25f72e74aa54948a9622f142b1e509521dd10902e886681cc1e", size = 10735541, upload-time = "2026-06-04T16:32:30.145Z" },
+    { url = "https://files.pythonhosted.org/packages/8b/9e/02e845ef151b1dee585e55c4739f8e1734ae1d9f1221dff65761c162208b/ruff-0.15.16-py3-none-win_amd64.whl", hash = "sha256:408256017284eddf98fff77b29aa4fb30f586042d535b2d9befc6512f400aaec", size = 11843403, upload-time = "2026-06-04T16:32:39.76Z" },
+    { url = "https://files.pythonhosted.org/packages/15/19/016553f86f207450aebebc2b2b5088d086b901cc8186c02ac4284db3bd88/ruff-0.15.16-py3-none-win_arm64.whl", hash = "sha256:8cd61783afb39638a7133ef0d2dfb1e91277593962f81b5a8423eb0b888a6121", size = 11134555, upload-time = "2026-06-04T16:33:00.136Z" },
 ]
 
 [[package]]

From 24157caaf6ec56482a8f6e2a49be5930c7fab835 Mon Sep 17 00:00:00 2001
From: Emil Burzo <emil@goauthentik.io>
Date: Mon, 8 Jun 2026 14:48:43 +0200
Subject: [PATCH 04/68] ci: remove redundant if in cherry-pick action (#22859)

---
 .github/actions/cherry-pick/action.yml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/.github/actions/cherry-pick/action.yml b/.github/actions/cherry-pick/action.yml
index 5c6318677b..0511da8eaf 100644
--- a/.github/actions/cherry-pick/action.yml
+++ b/.github/actions/cherry-pick/action.yml
@@ -134,12 +134,7 @@ runs:
 
         # Determine which labels to process
         if [ "${REASON}" = "label_added_to_merged_pr" ]; then
-          # Only process the specific label that was just added
-          if [ "$EVENT_NAME" = "issues" ]; then
-            LABEL_NAME="$LABEL_NAME_CTX"
-          else
-            LABEL_NAME="$LABEL_NAME_CTX"
-          fi
+          LABEL_NAME="$LABEL_NAME_CTX"
 
           if [[ "$LABEL_NAME" =~ ^backport/(.+)$ ]]; then
             echo "labels=$LABEL_NAME" >> $GITHUB_OUTPUT

From 54595de4b9f10311b5e3db28e18a6501effbd987 Mon Sep 17 00:00:00 2001
From: Dominic R <dominic@goauthentik.io>
Date: Mon, 8 Jun 2026 08:52:01 -0400
Subject: [PATCH 05/68] website/integrations: add Notion integration (#22887)

Agent-thread: https://sdko.org/internal/thr/ak/019e97d4-d2aa-7560-8db1-d175217cb9ac

A7k-product: product

A7k-product-repo: 1

Co-authored-by: Agent <agent@svc.sdko.net>
---
 .../documentation/notion/index.md             | 203 ++++++++++++++++++
 1 file changed, 203 insertions(+)
 create mode 100644 website/integrations/documentation/notion/index.md

diff --git a/website/integrations/documentation/notion/index.md b/website/integrations/documentation/notion/index.md
new file mode 100644
index 0000000000..9607dc8a4f
--- /dev/null
+++ b/website/integrations/documentation/notion/index.md
@@ -0,0 +1,203 @@
+---
+title: Integrate with Notion
+sidebar_label: Notion
+support_level: community
+---
+
+## What is Notion?
+
+> Notion is a workspace for notes, docs, projects, wikis, and collaboration.
+>
+> -- https://www.notion.com
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `authentik.company` is the FQDN of the authentik installation.
+
+:::info
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+:::
+
+:::info Notion requirements
+SAML SSO requires a Notion Business or Enterprise plan. SCIM provisioning requires a Notion Enterprise plan. Notion requires domain verification before SAML SSO can be enabled; domain verification is outside the scope of this guide.
+:::
+
+## authentik configuration
+
+To support the integration of Notion with authentik, you need to create property mappings and an application/provider pair in authentik.
+
+### Create property mappings
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Customization** > **Property Mappings** and click **Create**.
+3. Create four **SAML Provider Property Mapping**s with the following settings:
+    - **Email mapping**:
+        - **Name**: `Notion email`
+        - **SAML Attribute Name**: `email`
+        - **Expression**:
+
+            ```python
+            return request.user.email
+            ```
+
+    - **First name mapping**:
+        - **Name**: `Notion firstName`
+        - **SAML Attribute Name**: `firstName`
+        - **Expression**:
+
+            ```python
+            return request.user.name
+            ```
+
+    - **Last name mapping**:
+        - **Name**: `Notion lastName`
+        - **SAML Attribute Name**: `lastName`
+        - **Expression**:
+
+            ```python
+            return ""
+            ```
+
+    - **Profile photo mapping**:
+        - **Name**: `Notion profilePhoto`
+        - **SAML Attribute Name**: `profilePhoto`
+        - **Expression**:
+
+            ```python
+            avatar = request.user.avatar
+            if "://" not in avatar:
+                return ""
+            return avatar
+            ```
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **Slug** as it will be required later.
+    - **Choose a Provider type**: select **SAML Provider** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+        - Set **ACS URL** to `https://temp.temp`. You will replace this after completing the Notion configuration.
+        - Set **Audience** to `https://www.notion.so/sso/saml`.
+        - Under **Advanced protocol settings**:
+            - Select an available **Signing Certificate**.
+            - Set **NameID Property Mapping** to `authentik default SAML Mapping: Email`.
+            - Add the four property mappings that you created in the previous section.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
+3. Click **Submit** to save the new application and provider.
+
+## Notion configuration
+
+### Configure SAML SSO
+
+1. Log in to Notion as a workspace owner.
+2. Open the SAML SSO settings:
+    - **Business Plan**: navigate to **Settings** > **General**. If you want access controlled through SAML or SCIM, remove all entries from **Allowed email domains**; otherwise, users with those domains can still join outside IdP provisioning. Then, open **Settings** > **Identity**.
+    - **Enterprise Plan**: open the workspace switcher, select **Manage organization**, and open the **General** tab.
+3. Enable **SAML SSO**.
+4. In the SAML SSO configuration modal, under **Identity Provider Details**, select **Identity Provider URL** and enter `https://authentik.company/application/saml/<application_slug>/metadata/`.
+5. Copy the **Assertion Consumer Service (ACS) URL** from Notion.
+6. Save the SAML SSO configuration.
+
+## Reconfigure authentik provider
+
+1. In authentik, navigate to **Applications** > **Providers**.
+2. Edit the SAML provider that you created for Notion.
+3. Set **ACS URL** to the **Assertion Consumer Service (ACS) URL** that you copied from Notion.
+4. Click **Update**.
+
+## SCIM provisioning _(optional)_
+
+You can configure SCIM provisioning to sync users and groups from authentik to Notion. Notion requires one SCIM API token per workspace. If you add the SCIM provider as a backchannel provider later, only users who can view this application are synchronized.
+
+### Notion configuration
+
+#### Create a SCIM API token
+
+1. Log in to Notion as an Enterprise Plan organization owner.
+2. Open the workspace switcher and select **Manage organization**.
+3. In the **General** tab, select **SCIM provisioning**.
+4. Copy an existing token or click **Add token** to create a new token.
+
+### authentik configuration
+
+#### Create a SCIM property mapping
+
+Notion requires the SCIM `userName` field to contain the user's email address.
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Customization** > **Property Mappings** and click **Create**.
+3. Select **SCIM Provider Mapping** and click **Next**.
+4. Enter the following values:
+    - **Name**: `Notion SCIM user`
+    - **Expression**:
+
+        ```python
+        given_name, family_name = request.user.name, " "
+        formatted = request.user.name + " "
+        if " " in request.user.name:
+            given_name, _, family_name = request.user.name.partition(" ")
+            formatted = request.user.name
+
+        avatar = request.user.avatar
+        photos = None
+        if "://" in avatar:
+            photos = [{"value": avatar, "type": "photo"}]
+
+        emails = []
+        if request.user.email != "":
+            emails = [{
+                "value": request.user.email,
+                "type": "work",
+                "primary": True,
+            }]
+        return {
+            "userName": request.user.email,
+            "name": {
+                "formatted": formatted,
+                "givenName": given_name,
+                "familyName": family_name,
+            },
+            "displayName": request.user.name,
+            "photos": photos,
+            "active": request.user.is_active,
+            "emails": emails,
+        }
+        ```
+
+5. Click **Finish**.
+
+#### Create a SCIM provider in authentik
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Providers** and click **Create**.
+    - **Choose a Provider type**: select **SCIM Provider** as the provider type.
+    - **Configure the Provider**: provide a name for the provider, and the following required configurations.
+        - **URL**: `https://api.notion.com/scim/v2`
+        - **Token**: paste the SCIM API token from Notion.
+        - Under **Attribute mapping**:
+            - Remove `authentik default SCIM Mapping: User` from **Selected User Property Mappings** and add `Notion SCIM user`.
+            - Under **Selected Group Property Mappings**, add `authentik default SCIM Mapping: Group`.
+3. Click **Finish** to save the provider.
+
+#### Set the SCIM provider as a backchannel provider
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click the name of your Notion application.
+3. Click the plus (+) icon next to **Backchannel Providers** and select the SCIM provider that you created.
+4. Click **Save Changes**.
+
+## Configuration verification
+
+To confirm that authentik is properly configured with Notion, open Notion and log in with SAML SSO.
+
+To confirm that SCIM is properly configured, open the Notion SCIM provider in authentik and click the run button on the **Full sync for SCIM provider** task. After the sync completes, verify that users with access to the Notion application are provisioned in Notion.
+
+## Resources
+
+- [Notion Help Center - SAML SSO](https://www.notion.com/help/saml-sso-configuration)
+- [Notion Help Center - Set up Identity Provider (IdP) for SAML SSO](https://www.notion.com/help/set-up-identity-provider-for-saml-sso)
+- [Notion Help Center - Provision users & groups with SCIM](https://www.notion.com/help/provision-users-and-groups-with-scim)
+- [Notion Help Center - Set up Identity Provider (IdP) for SCIM](https://www.notion.com/help/set-up-identity-provider-for-scim)

From 5727ae4271967ba394cfd0c5a30ce000005d6744 Mon Sep 17 00:00:00 2001
From: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Date: Mon, 8 Jun 2026 14:55:31 +0200
Subject: [PATCH 06/68] core, internal, packages: fix British spellings flagged
 by cspell (#22819)

* core, internal, packages: fix British spellings flagged by cspell

Apply American spellings in Python docstrings/comments, Go log messages, a Rust doc comment, and a template comment (behaviour->behavior, initialise->initialize, finalise->finalize, etc.). Part of enabling cspell's British-spelling rule; the rule itself lands in a separate PR once all areas are clean.

Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>

* gen

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
---
 authentik/core/templates/base/skeleton.html            | 2 +-
 authentik/flows/views/executor.py                      | 2 +-
 authentik/lib/avatars.py                               | 2 +-
 authentik/providers/ldap/api.py                        | 2 +-
 authentik/rbac/permissions.py                          | 2 +-
 authentik/sources/oauth/types/github.py                | 2 +-
 authentik/stages/authenticator/models.py               | 2 +-
 authentik/stages/authenticator_sms/tests.py            | 2 +-
 authentik/stages/invitation/stage.py                   | 2 +-
 authentik/stages/user_delete/stage.py                  | 2 +-
 authentik/stages/user_login/stage.py                   | 2 +-
 authentik/stages/user_write/stage.py                   | 2 +-
 internal/outpost/ak/api.go                             | 2 +-
 internal/outpost/ak/global.go                          | 2 +-
 internal/outpost/ldap/bind/direct/direct.go            | 2 +-
 internal/outpost/ldap/bind/memory/memory.go            | 4 ++--
 internal/outpost/ldap/search/memory/memory.go          | 4 ++--
 packages/ak-common/src/arbiter.rs                      | 4 ++--
 packages/client-go/model_ldap_outpost_config.go        | 2 +-
 packages/client-rust/src/models/ldap_outpost_config.rs | 2 +-
 packages/client-ts/src/models/LDAPOutpostConfig.ts     | 2 +-
 schema.yml                                             | 2 +-
 22 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/authentik/core/templates/base/skeleton.html b/authentik/core/templates/base/skeleton.html
index 89cc7a4c9e..f6bbec300b 100644
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@@ -12,7 +12,7 @@
     <head>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        {# Darkreader breaks the site regardless of theme as its not compatible with webcomponents, and we default to a dark theme based on preferred colour-scheme #}
+        {# Darkreader breaks the site regardless of theme as its not compatible with webcomponents, and we default to a dark theme based on preferred color-scheme #}
         <meta name="darkreader-lock">
         <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
         <link rel="icon" href="{{ brand.branding_favicon_url }}">
diff --git a/authentik/flows/views/executor.py b/authentik/flows/views/executor.py
index 0b2ebdefdb..2aa4779b1f 100644
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@@ -196,7 +196,7 @@ class FlowExecutorView(APIView):
                     return self.handle_invalid_flow(exc)
                 except EmptyFlowException as exc:
                     self._logger.warning("f(exec): Flow is empty", exc=exc)
-                    # To match behaviour with loading an empty flow plan from cache,
+                    # To match behavior with loading an empty flow plan from cache,
                     # we don't show an error message here, but rather call _flow_done()
                     return self._flow_done()
             # We don't save the Plan after getting the next stage
diff --git a/authentik/lib/avatars.py b/authentik/lib/avatars.py
index 735ef99626..74851d6eaf 100644
--- a/authentik/lib/avatars.py
+++ b/authentik/lib/avatars.py
@@ -59,7 +59,7 @@ def avatar_mode_gravatar(user: User, mode: str) -> str | None:
 
 
 def generate_colors(text: str) -> tuple[str, str]:
-    """Generate colours based on `text`"""
+    """Generate colors based on `text`"""
     color = (
         int(md5(text.lower().encode("utf-8"), usedforsecurity=False).hexdigest(), 16) % 0xFFFFFF
     )  # nosec
diff --git a/authentik/providers/ldap/api.py b/authentik/providers/ldap/api.py
index 228a2b729e..5bcff04bc4 100644
--- a/authentik/providers/ldap/api.py
+++ b/authentik/providers/ldap/api.py
@@ -91,7 +91,7 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
     unbind_flow_slug = SerializerMethodField()
 
     def get_application_slug(self, instance: LDAPProvider) -> str:
-        """Prioritise backchannel slug over direct application slug"""
+        """Prioritize backchannel slug over direct application slug"""
         if instance.backchannel_application:
             return instance.backchannel_application.slug
         return instance.application.slug
diff --git a/authentik/rbac/permissions.py b/authentik/rbac/permissions.py
index e86f9897a2..2e1cb905e2 100644
--- a/authentik/rbac/permissions.py
+++ b/authentik/rbac/permissions.py
@@ -22,7 +22,7 @@ class ObjectPermissions(DjangoObjectPermissions):
         lookup = getattr(view, "lookup_url_kwarg", None) or getattr(view, "lookup_field", None)
         if lookup and lookup in view.kwargs:
             return True
-        # Legacy behaviour:
+        # Legacy behavior:
         # Allow creation of objects even without explicit permission
         queryset = self._queryset(view)
         required_perms = self.get_required_permissions(request.method, queryset.model)
diff --git a/authentik/sources/oauth/types/github.py b/authentik/sources/oauth/types/github.py
index 92b32fdb12..3c951f7925 100644
--- a/authentik/sources/oauth/types/github.py
+++ b/authentik/sources/oauth/types/github.py
@@ -76,7 +76,7 @@ class GitHubType(SourceType):
         chosen_email = info.get("email")
         if not chosen_email:
             # The GitHub Userprofile API only returns an email address if the profile
-            # has a public email address set (despite us asking for user:email, this behaviour
+            # has a public email address set (despite us asking for user:email, this behavior
             # doesn't change.). So we fetch all the user's email addresses
             emails = client.get_github_emails(token)
             for email in emails:
diff --git a/authentik/stages/authenticator/models.py b/authentik/stages/authenticator/models.py
index 428623f4f0..ef4f4b34b0 100644
--- a/authentik/stages/authenticator/models.py
+++ b/authentik/stages/authenticator/models.py
@@ -291,7 +291,7 @@ class VerifyNotAllowed:
 
 class ThrottlingMixin(models.Model):
     """
-    Mixin class for models that want throttling behaviour.
+    Mixin class for models that want throttling behavior.
 
     This implements exponential back-off for verifying tokens. Subclasses must
     implement :meth:`get_throttle_factor`, and must use the
diff --git a/authentik/stages/authenticator_sms/tests.py b/authentik/stages/authenticator_sms/tests.py
index b7c944e31f..15d2c7e4a6 100644
--- a/authentik/stages/authenticator_sms/tests.py
+++ b/authentik/stages/authenticator_sms/tests.py
@@ -362,7 +362,7 @@ class AuthenticatorSMSStageTests(FlowTestCase):
 
 
 class TestSMSDeviceThrottling(ThrottlingTestMixin, TestCase):
-    """Test ThrottlingMixin behaviour on SMSDevice.verify_token"""
+    """Test ThrottlingMixin behavior on SMSDevice.verify_token"""
 
     def setUp(self):
         super().setUp()
diff --git a/authentik/stages/invitation/stage.py b/authentik/stages/invitation/stage.py
index 451840bd3a..fc1bf082ef 100644
--- a/authentik/stages/invitation/stage.py
+++ b/authentik/stages/invitation/stage.py
@@ -18,7 +18,7 @@ PLAN_CONTEXT_INVITATION = "invitation"
 
 
 class InvitationStageView(StageView):
-    """Finalise Authentication flow by logging the user in"""
+    """Finalize Authentication flow by logging the user in"""
 
     def get_token(self) -> str | None:
         """Get token from saved get-arguments or prompt_data"""
diff --git a/authentik/stages/user_delete/stage.py b/authentik/stages/user_delete/stage.py
index 3ea73f1268..5feb96c422 100644
--- a/authentik/stages/user_delete/stage.py
+++ b/authentik/stages/user_delete/stage.py
@@ -10,7 +10,7 @@ from authentik.flows.stage import StageView
 
 
 class UserDeleteStageView(StageView):
-    """Finalise unenrollment flow by deleting the user object."""
+    """Finalize unenrollment flow by deleting the user object."""
 
     def dispatch(self, request: HttpRequest) -> HttpResponse:
         """Delete currently pending user"""
diff --git a/authentik/stages/user_login/stage.py b/authentik/stages/user_login/stage.py
index f379bbc594..4fa7b6dc72 100644
--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@@ -50,7 +50,7 @@ class UserLoginChallengeResponse(ChallengeResponse):
 
 
 class UserLoginStageView(ChallengeStageView):
-    """Finalise Authentication flow by logging the user in"""
+    """Finalize Authentication flow by logging the user in"""
 
     response_class = UserLoginChallengeResponse
 
diff --git a/authentik/stages/user_write/stage.py b/authentik/stages/user_write/stage.py
index c21a85cf5f..04d718a6b0 100644
--- a/authentik/stages/user_write/stage.py
+++ b/authentik/stages/user_write/stage.py
@@ -30,7 +30,7 @@ PLAN_CONTEXT_USER_PATH = "user_path"
 
 
 class UserWriteStageView(StageView):
-    """Finalise Enrollment flow by creating a user object."""
+    """Finalize Enrollment flow by creating a user object."""
 
     def __init__(self, executor: FlowExecutorView, **kwargs):
         super().__init__(executor, **kwargs)
diff --git a/internal/outpost/ak/api.go b/internal/outpost/ak/api.go
index 083fd66c9c..fd3aed15a2 100644
--- a/internal/outpost/ak/api.go
+++ b/internal/outpost/ak/api.go
@@ -55,7 +55,7 @@ type APIController struct {
 	instanceUUID uuid.UUID
 }
 
-// NewAPIController initialise new API Controller instance from URL and API token
+// NewAPIController initialize new API Controller instance from URL and API token
 func NewAPIController(akURL url.URL, token string) *APIController {
 	rsp := sentry.StartSpan(context.Background(), "authentik.outposts.init")
 	log := log.WithField("logger", "authentik.outpost.ak-api-controller")
diff --git a/internal/outpost/ak/global.go b/internal/outpost/ak/global.go
index 0e211c412d..e3d7dcfae7 100644
--- a/internal/outpost/ak/global.go
+++ b/internal/outpost/ak/global.go
@@ -60,7 +60,7 @@ func doGlobalSetup(outpost api.Outpost, globalConfig *api.Config) {
 				},
 			})
 			if err != nil {
-				l.WithField("env", globalConfig.ErrorReporting.Environment).WithError(err).Warning("Failed to initialise sentry")
+				l.WithField("env", globalConfig.ErrorReporting.Environment).WithError(err).Warning("Failed to initialize sentry")
 			}
 		}
 	}
diff --git a/internal/outpost/ldap/bind/direct/direct.go b/internal/outpost/ldap/bind/direct/direct.go
index e678df4bba..1e2022c649 100644
--- a/internal/outpost/ldap/bind/direct/direct.go
+++ b/internal/outpost/ldap/bind/direct/direct.go
@@ -24,7 +24,7 @@ func NewDirectBinder(si server.LDAPServerInstance) *DirectBinder {
 		si:  si,
 		log: log.WithField("logger", "authentik.outpost.ldap.binder.direct"),
 	}
-	db.log.Info("initialised direct binder")
+	db.log.Info("initialized direct binder")
 	return db
 }
 
diff --git a/internal/outpost/ldap/bind/memory/memory.go b/internal/outpost/ldap/bind/memory/memory.go
index ef8b691d2b..8a8208d3ed 100644
--- a/internal/outpost/ldap/bind/memory/memory.go
+++ b/internal/outpost/ldap/bind/memory/memory.go
@@ -32,14 +32,14 @@ func NewSessionBinder(si server.LDAPServerInstance, oldBinder bind.Binder) *Sess
 		if oldSb, ok := oldBinder.(*SessionBinder); ok {
 			sb.DirectBinder = oldSb.DirectBinder
 			sb.sessions = oldSb.sessions
-			sb.log.Debug("re-initialised session binder")
+			sb.log.Debug("re-initialized session binder")
 			return sb
 		}
 	}
 	sb.sessions = ttlcache.New(ttlcache.WithDisableTouchOnHit[Credentials, ldap.LDAPResultCode]())
 	sb.DirectBinder = *direct.NewDirectBinder(si)
 	go sb.sessions.Start()
-	sb.log.Debug("initialised session binder")
+	sb.log.Debug("initialized session binder")
 	return sb
 }
 
diff --git a/internal/outpost/ldap/search/memory/memory.go b/internal/outpost/ldap/search/memory/memory.go
index 7d46a66d9f..ee57fd9c7f 100644
--- a/internal/outpost/ldap/search/memory/memory.go
+++ b/internal/outpost/ldap/search/memory/memory.go
@@ -42,12 +42,12 @@ func NewMemorySearcher(si server.LDAPServerInstance, existing search.Searcher) *
 		if ems, ok := existing.(*MemorySearcher); ok {
 			ems.si = si
 			ems.fetch()
-			ems.log.Debug("re-initialised memory searcher")
+			ems.log.Debug("re-initialized memory searcher")
 			return ems
 		}
 	}
 	ms.fetch()
-	ms.log.Debug("initialised memory searcher")
+	ms.log.Debug("initialized memory searcher")
 	return ms
 }
 
diff --git a/packages/ak-common/src/arbiter.rs b/packages/ak-common/src/arbiter.rs
index 1e92e20dcf..9f4c0a4d6c 100644
--- a/packages/ak-common/src/arbiter.rs
+++ b/packages/ak-common/src/arbiter.rs
@@ -210,7 +210,7 @@ impl Arbiter {
     /// Consumers listening on this must also listen on [`Arbiter::graceful_shutdown`], as only one
     /// of those is set upon shutdown.
     ///
-    /// It is also possible to use [`Arbiter::shutdown`] when the behaviour is the same between a
+    /// It is also possible to use [`Arbiter::shutdown`] when the behavior is the same between a
     /// fast and a graceful shutdown.
     pub fn fast_shutdown(&self) -> WaitForCancellationFuture<'_> {
         self.fast_shutdown.cancelled()
@@ -221,7 +221,7 @@ impl Arbiter {
     /// Consumers listening on this must also listen on [`Arbiter::fast_shutdown`], as only one
     /// of those is set upon shutdown.
     ///
-    /// It is also possible to use [`Arbiter::shutdown`] when the behaviour is the same between a
+    /// It is also possible to use [`Arbiter::shutdown`] when the behavior is the same between a
     /// fast and a graceful shutdown.
     pub fn graceful_shutdown(&self) -> WaitForCancellationFuture<'_> {
         self.graceful_shutdown.cancelled()
diff --git a/packages/client-go/model_ldap_outpost_config.go b/packages/client-go/model_ldap_outpost_config.go
index 5999a1d89c..73eee24804 100644
--- a/packages/client-go/model_ldap_outpost_config.go
+++ b/packages/client-go/model_ldap_outpost_config.go
@@ -28,7 +28,7 @@ type LDAPOutpostConfig struct {
 	BindFlowSlug string  `json:"bind_flow_slug"`
 	// Get slug for unbind flow, defaulting to brand's default flow.
 	UnbindFlowSlug NullableString `json:"unbind_flow_slug"`
-	// Prioritise backchannel slug over direct application slug
+	// Prioritize backchannel slug over direct application slug
 	ApplicationSlug string         `json:"application_slug"`
 	Certificate     NullableString `json:"certificate,omitempty"`
 	TlsServerName   *string        `json:"tls_server_name,omitempty"`
diff --git a/packages/client-rust/src/models/ldap_outpost_config.rs b/packages/client-rust/src/models/ldap_outpost_config.rs
index cae97c78c7..b97e9f96ca 100644
--- a/packages/client-rust/src/models/ldap_outpost_config.rs
+++ b/packages/client-rust/src/models/ldap_outpost_config.rs
@@ -25,7 +25,7 @@ pub struct LdapOutpostConfig {
     /// Get slug for unbind flow, defaulting to brand's default flow.
     #[serde(rename = "unbind_flow_slug", deserialize_with = "Option::deserialize")]
     pub unbind_flow_slug: Option<String>,
-    /// Prioritise backchannel slug over direct application slug
+    /// Prioritize backchannel slug over direct application slug
     #[serde(rename = "application_slug")]
     pub application_slug: String,
     #[serde(
diff --git a/packages/client-ts/src/models/LDAPOutpostConfig.ts b/packages/client-ts/src/models/LDAPOutpostConfig.ts
index 0ca156ee92..3cb967deeb 100644
--- a/packages/client-ts/src/models/LDAPOutpostConfig.ts
+++ b/packages/client-ts/src/models/LDAPOutpostConfig.ts
@@ -52,7 +52,7 @@ export interface LDAPOutpostConfig {
      */
     readonly unbindFlowSlug: string | null;
     /**
-     * Prioritise backchannel slug over direct application slug
+     * Prioritize backchannel slug over direct application slug
      * @type {string}
      * @memberof LDAPOutpostConfig
      */
diff --git a/schema.yml b/schema.yml
index e024c64ea8..37e0cf251f 100644
--- a/schema.yml
+++ b/schema.yml
@@ -41922,7 +41922,7 @@ components:
           readOnly: true
         application_slug:
           type: string
-          description: Prioritise backchannel slug over direct application slug
+          description: Prioritize backchannel slug over direct application slug
           readOnly: true
         certificate:
           type: string

From 519a4d73c4160a95ea594fcb5e0a81a6045e459b Mon Sep 17 00:00:00 2001
From: "Jens L." <jens@goauthentik.io>
Date: Mon, 8 Jun 2026 15:24:22 +0200
Subject: [PATCH 07/68] blueprints: handle integrity exception when applying
 blueprints (#22599)

this can happen when the server/worker are starting and you also try to apply blueprints with `ak apply_blueprint`, as seen in https://github.com/goauthentik/action-setup-authentik
---
 authentik/blueprints/v1/importer.py | 40 ++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/authentik/blueprints/v1/importer.py b/authentik/blueprints/v1/importer.py
index 4e66d7d293..26e46d0791 100644
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@@ -323,6 +323,42 @@ class Importer:
             serializer.instance = model_instance
         return serializer
 
+    def _save_with_retry(
+        self, serializer: BaseSerializer, entry: BlueprintEntry, raise_errors: bool
+    ) -> Model | None:
+        """Save a serializer, retrying once on IntegrityError by re-fetching the existing instance.
+
+        Returns the saved instance, or None when recovery failed and raise_errors is False.
+        Raises EntryInvalidError / IntegrityError when raise_errors is True and recovery
+        is not possible.
+        """
+        try:
+            with atomic():
+                return serializer.save()
+        except IntegrityError:
+            self.logger.debug(
+                "Integrity error during save, retrying after re-fetching instance",
+                entry=entry,
+            )
+            # Race condition: another process committed the same object between our
+            # SELECT and INSERT. Re-validate so we pick up the now-existing instance.
+            try:
+                retry_serializer = self._validate_single(entry)
+            except EntryInvalidError as exc:
+                self.logger.warning(f"Entry invalid on retry: {exc}", entry=entry, error=exc)
+                if raise_errors:
+                    raise exc
+                return None
+            if not retry_serializer:
+                return None
+            try:
+                return retry_serializer.save()
+            except IntegrityError:
+                self.logger.warning("Integrity error persists on retry", entry=entry)
+                if raise_errors:
+                    raise
+                return None
+
     def _apply_permissions(self, instance: Model, entry: BlueprintEntry):
         """Apply object-level permissions for an entry"""
         for perm in entry.get_permissions(self._import):
@@ -393,7 +429,9 @@ class Importer:
                         pk=instance.pk,
                     )
                 else:
-                    instance = serializer.save()
+                    instance = self._save_with_retry(serializer, entry, raise_errors)
+                    if instance is None:
+                        return False
                     self.logger.debug("Updated model", model=instance)
                 if "pk" in entry.identifiers:
                     self.__pk_map[entry.identifiers["pk"]] = instance.pk

From 7fc325fbf51e46172fa190b05928253b07dc9691 Mon Sep 17 00:00:00 2001
From: "authentik-automation[bot]"
 <135050075+authentik-automation[bot]@users.noreply.github.com>
Date: Mon, 8 Jun 2026 17:39:35 +0200
Subject: [PATCH 08/68] core, web: update translations (#22871)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
---
 locale/fr_FR/LC_MESSAGES/django.mo | Bin 129061 -> 129791 bytes
 locale/hu_HU/LC_MESSAGES/django.mo | Bin 0 -> 131395 bytes
 2 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 locale/hu_HU/LC_MESSAGES/django.mo

diff --git a/locale/fr_FR/LC_MESSAGES/django.mo b/locale/fr_FR/LC_MESSAGES/django.mo
index 3ecd53392ffe5187e4924bfcdd3e867370675c1a..a5c785db04bebc6d6e45005928f9b59a16f79d78 100644
GIT binary patch
delta 24597
zcma*v1$0%%0`BpBNN@;l!A=MgBtUQr1b2eF1qf0+f)qKpmEtaiLUAonC=SI+(c-jF
zq)3tCP)ebF|8LK5Z`Xb6t@ZZ0!*6WQo;`L>0=FxkCI07iV&5-m{bxH|?fo4m8>R?$
zoQnw^=Y4hMI!?oOj&m9tVMp|~cbw5U67yif4vtd}3t|`Sij(mK=D?O69Va^u#MU?)
zKfz}>z;S#|n<&TWL&iC5ij_M#PHLQk%3p<DF=J=Psf5F@4emu6aI)}JFHXaX_%(*%
zGt7#)q8+CKR>Z<M1OsrboAx=*P9llP_znH=8LH>6Fb$^T>FQ7(<e5$>Oo<DyCa%U>
z_{>_io8z=4Jqpv~4a|tIFcT*4?l}1|7(;lzQ=dp64nRF{x^+3~!QWsJJZkgbpc+il
z!*Nn!PE@@jm=Ghd1lGW!I0Q@KdW^td@l(vrJot(eSwe*Abk1WHEY{NuZ9LW|{TRJi
zu9xEkVH-@2!!QL-#I!gE)8QIa`Cil;AIHpi3pFM0Fa>7p&HQH|65QKVEQ?u4H^PqC
z6V<Vkm<tQCAT-AfQ1^X~8j0noDcglP@hWQQ|Fro5eNBES<{`g6ro`C3jK6w5k_`2H
z7HSGsqaLse^?<Xe9^XeTzE`M`XxPtj>S7Eg#(h{AkD}i6HCDwm{T*jKHbb?09aG~=
z9}#uHKgKkW39FILiQ(7<Q{gg9i(60~J%ZX+S5b5R2PVP~$WC?qW6jicLanXMsF68=
zGw=~=N_@lP%p1=|^>__xD374t{0`>Bzc3hs<IT|4w6;Yx)E~>@BrJ%BF$q4i`G2B@
zy!ZgK{VF4C!{;<4QjCJ`sJU5)>G2?Dz)RQ&A7de`IFN0FJy9K+g)Q(~)YPON#LC8A
zsC_>ji{oij{RD$KV=ylU@_eT|5uJRaF)1!Zz42Nsh38N`Ps*Ors?LP9F&I^^H~Qmj
z48R4bj<3OVxF5B4&Li*O+(a$v7DF6oKF@cy6VZbj4&^OyJn}y$Vi;54VH;rt=?lXh
zrxRx2CbqCM2=yknF(>98Vb)4DREL|QI@Ad@0{u}Vy#lp%uAncF$QvS>t286c8wFw(
z(p69$Yl}J;W@1IWge5V<D0BAL#WJMFp{8O#mc~q@IsY*d^Wtjs!!xMoogdBkYe=t=
zp&|MWOW<qN8YnQvY@14$nDjAJ2hO10Bw(yrq?J+iTcU=zH)?9`U^u22XVyX;3?n@r
zd*jY=3|%%N`Nlg=GOUK`P$ag(HaHu<!9-Yhg6U{u)DU+-&2ev32S(cT9GhN?+Ex2e
z&-odP;#*9E`F#`3zAleypaE*}bjHLu7&GHYTfV@SZ$iD<5u5KfiF-+B#`@R|tKc^n
zgm1AS27boNVNa}vzTHH$z4W223XQQkF2@jjfO^BUpPP^0yqJr0SJWDrh+0F-Q6sbu
zo8b}E3uK*Q<~kVFP9e;Q5g4HT--1XAGP<IMKGvpv=tp`oYPC+o9Jmpa;VD%8D>na*
z&G(yX+6%B|wT7VDDQRuu%KY~yqM?|I>hT3kh}SR=-bO99B-6|RQXT_HcR<zagW7&^
z=*3y67y1TM;&+%7&!Rf~lP$l8nR&kR(iWtcZiXf^YKV(qYHW;cu`_1E1K0ttV0kPv
z!*nnXwOv=CI`|8w#osX%Iy237O^v#*F8Wk3o`@ba7j@%mRQ?Vug2!z6ADD)8l3C_J
z3d9nm+hAUthM~9v3*lWXh-ukETGSO$bKev-ay@4=|HX;)C!-v$umv}5#e0~Z{12!%
zNjt~PeIC?eD~iprG#0}tsG&cI>F_kF!?!U5zQT-{Y_1u}pt+2{=C~{wS{xm)Fb+fQ
z*Y&9FcO3O5x3LBW%roENnxS@y51Zg>{2Je*cE`r~=ELZF)C>NOVHmQ&aiXxbk4SYQ
zdr<o|!9q?wtd3={A8IPrpr&Xi`r{9%5jlf;)7z+B@dmZXJd4btOo_QkhoZ_GV`*%M
zoN114HWAHn_Qm$A5qe3-VjRvw&1upv948t}V}4wWn!{t*3{Rm}d+-u7B4L=1bZg9p
zqfk?@1T`h!ATQ=~juFwKyNsH<dsqTrqJ}(VsW~#6qK0}bYOXh;-uxD7jl8z$WM7(e
z4%DJ7j@s6(F$Z?S>^Ra*`{)r7HM9@a&^grH-N&5hS!PBg2!lvh!Ccq{)!=wky_Fb<
zM^Phs3pGM%mYe%Cq3$n(8j;qRo##6P6~Wo42DhTy5!8^~N8RuNRWI->lP-fwH$yMR
zq8=~{H5J=YBYPN&<9XDsNxZ_`AAml+X+a{Hu)4J!hLes*ExN5(9uHfcm6|v{Qn4!T
zL9GF2mHG179P5+ZhDk8NYV$(LQ7`1hHdtyk&2%F&gN!El4(norHIB0s7hroVzt;TF
zxBwfFPPontbyF-wx-V)9SE9DpE)2oPsFBOC-hBQS!(h^VQTa31^BR#vHj|<4<ZLke
zJsoQM6~Yu4jcPCkE8{{;iPur(k5FsiEvlW&8_mcSv{pckRDIOypN^X1<vt==iF}LN
zpBGR=egjqU879XBo6Ot=pdOF`Q(*{tu?%YNTcPeBf&n<$<}XA|>0WG!f1wwBO*fmN
zh{u{_%)lD>6Kd##zBY?&1Zr`9f$H#H)CgQfJ?K8Fqi;|{n_!E%FDGh*!Z9({LEYCF
zSqna=BatLz48R!l;ShX*vDjy;8T#88MmqU6bHs+Dm-JIigsHzVW<ot62WmtM;ZiJ(
z8uBZc0e^SX%)j4u^G2CbZ(IV~;!K>0&#*O)*<ptG2BsnH`PRHqI@B9xMZHJ}>hnGf
z%X<izne@P&W(239*2*UI@_gqE5zXB*)P7F8%N#&OF*WHrs0X$|KkSVqus_zvm8k9e
z3d>`P-DYHJVFA)TP(wcp)!riO26XrTJ|g)jxPo4E_Ly`KmL*vmv*Bn|14~gu_%(*&
zF-(iEQM)9`Uh}45n2>Zs)W|ePO;rcfh;`k|{OiqP$xs7hF(b}Hz0oGrTpq(bc+vV7
z>b{_TX7Lrrbfl}G8g7o+u`}ktk(e8oqS`xxs(*eT<F7?=pA7jP^=4`In~vl|b)+IH
zzd0snPJ3Y;(t{4L6YvnKLn9BG7nzBbNUy{ycn_Om{_o6Z!*EmwHu{L@!QWvSyo}8;
z^&xZ8b;F{hw_`QDkHxUiVY5v;U=`9UF$^DIIA%S<p@yxHS#gpbHAnO@%tku<F|#Io
z<%k55Q3bPNJJehawiQO9ZkUArxC%AI>oFL2qB?XPwaQa}Z$>UZYD6M16*fkl6P>L6
zO}@_=K|~LjhU&-$EP>x+2!6ndnD@Auf@tdyREMWyLEM1t@G5EzmHxqO;|5rb^g2}i
zXQ&ZRaYF6+SVTlL7o{;V)<yNa2^PU<ER3@;As$9O;0H{Ow@@$eJ8ID-J84EJ1ihq7
zViIhQ?&?R4NLLKt`OW|$>d{!#B3oc9Y(}lt1J={1de=}Le2)3h@09tbQxHQ*H^xFZ
z0@c9{s0Z)F6nFqr;wkj$jejPhef=w{;a6B36P-45Ru0wU+L#hs+5B#(h6i9l9EQno
z4XUHtP%m^G_23(*`ybo%yVH!nhAi<JvrqG&DpW(|H%33~hZ@2-)B}cDCs=1<D)PTT
zFK)yjJcD|%=a?H4oHbLO57oi)XBmH0Xh=o?Mqw)Khw8`()c&7>8j+Ql6Mw>i_zpGH
zF+ZAmOHhk!2NuEesI}sE&a9z8)LN^JX|SD-NNOT|ZN><!N_qxr)n2msS<jmWLQ&hS
zEe^$aRJ|A0(ihB-55+9x&p^G{dQ6MEF%O<bb-?$Eh=w-NMe}=rROnAS3boq1+H^0}
zkoHG4G!t{-O4LXl#~gSWH9~JtBa!iv=|C~mE~$)K3+<8neNImzYG4X#wJt(cT#Z@-
zM^HEXikgaNsQO7Rn>Wpf8A%sHy=hfcJB?B8v`4iw1l7)b)C;b}VD0~PM6`;}poZp>
zO~1GLT`}iEGE~E9Z8`^Pappxmpa5zFYM~ZsH&p!?n?D>iRf|y_xh;9V^OT5gc#m2O
ziLaWu$&6~C0BW0-Le;B?`LQ-?>S8e|4#iJ!9BPD~qekQ(%!~m)nHSB6I%x}|ZzPf0
zM5f>goQSP|HoxDygPP00Yi9MA!?L9NV0m1PS_^kj9sL8fM*Oau{5+_sDT7{&M7=;i
zRELIKXZ-bMv&d+Vi%@U$7iLHQU(7e0T&UIB4>d)jupF*N)&CXs;K!&%8F0gNGz<rm
z?ujbDi|T0Nn`WD*yXiCAEtm`ybVIHBSk#*h#&kFt)uE-Rx!Z>t;u9ExS5a@8;FdXx
zv!I4P0vBN<YK=WcFTTVeOz*pG8Y+dlp&IG|O>BNg%uBitX298~HL?!12KJyjb`P_m
z|F8C|8>)V7)W~%}wbLK9E$3ln^lc*&LF5gV#L{=n7mD7f3Y)PMzCfLf`R|&=Qx@})
zZi;%qP}GP`L4W)bbKpwMiAPW)d>8eC&#|cX|KCKy$S88p+!%$KNOwie?QqoU9*=5Z
zx^*!oB)taJu}$d3{ivb6i5jT{_f5yrp++PxCc+AsmFGKEi6kbY1D3#Um<t!77TJER
zg746a;lG&<wnv@u127-1MAbWOP4j@ifFj)#k79#|e8a{JkIdqHg5`O>6Y|)6H|v58
zNbf?8K+@mMr&bVFBwYh*;8;9_CvAG#6SF-pV<GaBKQ$v$1~mc|QEwcH?XWpE!foi&
z>Q3~`d>jT^i=c+88WzUZSOh29^iI^``wi=3+UKTzN32VF00!cBs9kX#o8l`hfVE$k
zDT;f+_(za2hYYRC%curkVlY;EX?{D_88szquqB>EjZ~gj=FQ_!^;e@7-$_h?KVnM!
z1=HYTOpAY`7G;{(jK7yi*lW{)#;9%72UFu`s2dkqH=-IifU0*Mwf&x91`K#(+R2S7
zkFe=>Ha!^i;5q2U?LH!U&}Gzve#2_`4z-Fa{b3#uW%Z%*7o(<NKZf7~)Z$C~)*Q{v
zP*XP@wKxx8X8a8!(8J2q$oQ%dNl&C9*2ZXz#Z9Oo4t{4AQw)ZZ9%NmK>i7jLiFdI-
zX8p@N=yNPZdL?GT>zE4vKy@hbdsm-RgorA%z^vFG^+ung9<UwL;W5mJKVv3*fr&BM
z2lKaKX|WgSp{V)~P%riY)xorXoAaa=YArQF_wzrFh<Y{;b;D}ZT<%46;5_P}xr3_r
z(B{9xB&3u7V}7}m9($5*gqv_LvX1$SCXf56+0o;1|8{Hvmhe!9pZKVd&(GujCDRPl
zkcapi2covuQQU&*6PkvOVH?t(L>_m@+hK3gXRtDcC-%7Kgb(MFK8iXoIwtWr6EJsD
zkFyRppl>~qR>?f>qD#b&w#`V_#R~W(md9VP9R{ZGID>EyYAT*%K}?d;<F1Vo*pYN6
z9FK>v8`cf*xQlHoY6K5rY5Xz3<8%M%MAB3qca9ok9SSC(DxOCj7{8*{MnGzhyH*NV
ztD&Z>J?6w%EQT{N2OdS;cNev5JZU`cE(k_VX@xXCkGoH+kfBxC!B!ZLYG5hqK-rH;
z@i6+~Y19F84z&nxpdNf5mom43X*~{Sl(RdX$Neq(ru1g2a%W)f$)AJac)~{{o=8&u
zqIV<u(2IpLdE8YRi5mJC)YP2CS(rDo#~F^hu_KntV(Kr%$)xw8+N~StakuqBj3J#o
ztH+s#!!Zx~GG#M83CHSW3_&j*#HM%~i(~2RX3l$JNz$WGZ~iT6L=K>)>M&-&r`Ciy
zJkBuESup_TquO1Koq4|V!Dd9|G>dCHYH=0udfX3@8mKvpLOoy@YVoW_?c<y1MZX}A
zyYF+OPP#IvdW}%$#Y9xQUt(JP7SrkT{{#_zJl;U9`g>RjgL9e1*cr7AH{vpUk7aR5
zu*dxuPgha<zG7~+6RyP$SRjwb{h@Ob<|Vxelj9}S+PRJCb;DC48Z!U9ra~a<;K_^X
zX=(Ig9n_6IF*goEz0qO}#BJCH&)@(on9t*$q|2}}=@Y2uqzo}55{$k=WRxeO2D_t%
z?sL>ouSD(dAFUrSCF%V6%}|%d^rY*eI@%F6)UnpjP#s>5>d<CXyZH*3k!xIl{jY7c
zgN#~u5Vb0k6*Na>QQSj%0%|)}FJ$(47u4L3K`p{nsFQOOYU=(*ogWoL%}6#teY$qQ
zoY)^V<<mpi|7u_!8L_w&KgINg&51S@^O4?*3-K;$q(&AoL%9+Qliq{s_#@N<(iAn@
zE(|sILohoov*`oqC4JvVMB5=rm^p&mp*pk-wKmqGdS0NI8R8142SlP4VPC9-Yfw}7
z0QG5_pt#5Bj@eM#bu1Ra-KZ&jgk#Z{iI1YGL>6NRhL-fWUnH7iDbn*%4V=YBn5dMg
z*Ak189*LU5EvWi?uqwVpE#lIp&AzXNI$v5~Ib4jKtUl)o5xwDc)DS&Iy+O({X7S|1
zNu*0)9PUSL!xCl9nz@WWllGP~A3E=m4d9I7ckkikud84_^&a39(lOy?#61-?1&ncX
zBKpEG5HsRus8zfS^+vm}JU&OweP|^!*NstcJ_t1uqc9t8#Rxo$H8D+uIX_yVMqm}z
zz~8a7=D0*<^ZDHi>yrKnIU1e3Rm@yXLO;^mF$wNMZMQ?Hj$cAG{17#QMXQ>*ZGbv(
zE?`T%iPf-dHB)am`m~r95t)N~P;c6#y2t&uAX71t^i9+OQnZGdiWm$f{Q<Sj3f44p
zT^@&#u7_*!2ULgSYnk%lsHvWcLHK1Y_P_S=Au`nSd#HWxU)$q;pASY2c}=W{y-)|v
zI@C#a0JXg?p|<G<)Rg3@W2UGGYD$}-rnDDo5syK=_@z2NzJn2YLq-pbs%wtW6BtH1
zUp@1&*$VrUK8aniVtsSp3e<h68+hDbV0?;INMA+0P_{_3*vesk(o-=j?nJGXi#{US
z?=MjM^&M)+IyW>&Z7<Zm{uFiNOw^ojLJj31)W_;Y)ONdrS}U(nNBf_ssmj~P?53uu
zBRmQ<vcA4Vk`b9@D=e|Dx9&tQ<wvdetw|c2q0EnZfgzX>N27MbMAS&^LLE3CP#w<S
z#Jpg6WOw<TYD7v?Fa%X$D{6HgL49~!vFW?0H-C#7+7wMq{Q{`DtbkerZEgM-96@>x
zYO!T%W{&u>SfBI;4A=hui-@*e+2-Z}V^I&7kJ>&vP)GD3Y=)UznDRcT#X8x#4%Lw#
zQ2YBKYVn1&G>fkms-2FgUG@zY;`z>VBE>LAEAs`U5r&hVf?BmFQET81Cc+O`2K`%`
zj)$W<IuSJjvr)TZFY0^29aKC2phh%P8*{$oMxP!ufru8xQB=hXsGdKzX}`9n16ffG
zmOy>#MPeQtjvCUhP^<a{Y6MfYGbdpvYH{~L?SjjwHQ{N`{vS#tw7ti<k83dmXLK;1
zZo5$@+iR?Y<vW@KXdE^nohHgWI2!e#vK1@g6VzHN+{x^U2=pi22(^ovqdsF|I<f!t
z=99_LHd=texCS*Pr%>fiXEXN!xPfFB)Pa<?i|J@1RL4KVX}Arw`m0BqZ$1-Hi~Ju{
zM@o0~xc{1_f{%zEung7n&8UW-VR0<d&Esyr&Zspo2DJ+oqxSpPs3Z70tdHkVi`m=V
zJg^rQApI3;(Van^oXLBbDfR^sQAQb?(Euxxj<)GlsO_^4wc2l@R{1}u`*MC_EQy-?
zx~Rq19km#zT6dsE=mu);lk{{CD4$b;h!#r}>dk$qRlX0kSdO6H;3;ac1@<xzh_H4;
zJ!lGQZnvX4at>AhsV&dY+oZ!$9qf$xwf`p((F3-j7R?RR0rVW(qJJNA!bPFpya(z*
z6K#40dPyHaO~F0X$du^oasLfz9js0IE8L1tumLXX=W+V*eCIil;n=ai`C0A;YClKB
znC(~(HTPYxD-OdUcn8(Nj<IGp?8U{T)5Mvd{Wjqg(s|-N?q61I!y=>$4KQo1E&9~c
zMMNTS3zo!}s5#F+&~&IShLK*6%Krs>pfkvP9Djn^PCnGCpO0G9*H8!5Lu`-1gUtw!
zLY2=N%>LKVFC#;%`V^`|x2%6)H0hL|n$;SMnu1BFj;zIGcoKF0Wz_eBN2n2WhM4aI
zDNqMmM$~QzMXiDGA?$xGo-Sl)J55HN1B+3sbv<fMFXBK99%??_7NQzBiR$1>YpY@A
zLuWs#qY=Z++UST{lp|5k`2w}pHu;FCrw1_?o<bc!&roM|dODaGgHS`9AN9Fi6_a3h
z9EtsL8NNiVfjJ}0`B7q|+0NbZIr(c*FScluY2SCmM$VxY*$vcCzQvz0#b`5hzoGjf
zf*RsXW6Z88gz=<XphoBvKEUc@J?_7rDKgHC)FISo$3xT$B^>XLgwIJyL~oJ<lVUzx
z;o)NwwaqS1F#Gl;YRI!pG)ADNt{Z9%O+^jyF4WLoMs4E<sBc8?u{t`F%vZV^=+*w;
zNu&n(KcTiq&}ZiCZ-knfF{lG-8tM%;VnIBPYVb8`NXt()`??EOCcPDdRE|11GktDe
zq!jAIsx79|{+~-k9ax8<_yQB6cZylvc~Ku4VW>4x3bmT6qNb!Zx}RpK5u1$KUaK(=
zZbyyKHPqB4o@z!W8@l_y2oW`09kuuxqZZi!EQ||L4gP@Io>x#Ec!GMvgwxF8&4=np
z9n?s5K|Roi<vi?ntV{aLbdPfnv(8}uYq2GmX)0#KCZr3Zj!Yl+#^W|!dY0+HNK^;r
zVkO*&<M0VK#`xLho7DHH11aGg^JTRbYNQufZ_Q!5Xs$x$dYpRr2_C~8cou#0%#TtH
z=bJTf3AH9(p@!C3U>0Lu)Ckr`E#lUw5$uARx{0=Y3TlKGqSnrS9}%tMgbPhWp{Sv2
zYVC_!Jd;pwyaqMr2T=E2!Mx}!GCyqQ!{Q|SVl!NhYVS|<V*17AQ?(>kCGG1#q#u#x
zs0P!2VSbxc0V7GT#zOcO)qy-qOb05U-lQq&2p)u*%F$Q>=b}dT0&06_TxvR!6E%Y6
zkOR->)F7gUdZ32zbJX@)fNJ<CYDj-X?dP9Si|PsLi1qu@yjd`6WU8U+wMBKPugxEg
zx^E$B&1}YM+W*gpM37N(nfZz|0JYk;U?MzV)5lPs4Hq#n-a(DXW7LEFmV4ZPCzus=
z01ZGra02SgUu^R?qT4Q3;Q7umB5K(GE7M>)RD%UjM{*U^wrYd=^omE#`B>DHtw%lJ
z0($W-`e7oDQ4M`E)JUeY=CI~RpN6Ugk^EQ_bx`z24c#Kt=l5pRzJGvv<A1CfSDO4#
zRDM;|eXUU)?t|5E0_tQvg<s+aER9Q6vHx{uUtVR7&{wEcnSHgH+bGl`8i{J~5NbrO
zqlWeks$<F5m~$ft8<37i)jNzjYOkY?@XTvH&L}K}Iwy9n^_kE26zgoyQA6Jcwe7~C
z7gu00Jc{b@pXjdY_2!4loTwvvCTecyqxSt$)QGM?jr3VmyT78QEP-!>nZtDGeu$tB
zmM*A8Gzm4=i%`4c5b9t#i&~_wQQOIHqd9_8p>|U-RQ=|t&xFpX2l`MWGYvJOzBNSj
zphKvJE+YHVxrJ)Tf0Jn_1ocKGQ6o?e^`<RQZ`9tVhgrv<cFAX`c4yl364c^cg<;zN
z>xgJ*ucLaLdb4@6?5O=+5OomMMZL*F>kiZuoJURBHPoBEviT{$HXX=_TKzdt2UC93
z$aTd4?f*C;qsbVJnxn*9jDZ+LIu!MwNYr*~i3@QA9>#22J<f8xg;jCvHuG)yI2I@U
z7wW^T$T#MQ9*jDY52E||e~m~<GM=H{An$gw9V?+u!XBveVK!=NzCsP{G3<wDP#uie
zVb)4*>_WO9YQ!#Ld3=ubF!Wn9C7+^Ci)kDYExL7B3xCAT7`W4%{U=as<SnYfWV_7A
zX<pPe9E4i^pWF0I)V5rWdeeQVA-{@xk^88Td9#cCuYFlyx5=o5I^l-m*EkvVW)=6C
zU&Yo$9UQ|^9omjMaK1-1d=0hAAEDONd(<i~vez6?wNVFMN7QpC?PdRaiL53=4If7>
zI?q1yra@SWbU11%;;;oS#pd`H>tf`7vq%@B4xmS<wNUPWdEjvCYSdJpLv=if@1PmN
zY^d!OhU$4K)DZPR4c%hY8?Hm0h`X>FzDI4t%HNr(s)ZVvc+>;NqmJf<sKvbnwRVo6
zM%s6Zhz^+RsMYO%$P8g2)EtJRc0m)=gW^$ZWhknlWmpH-Vo`jJ5t#R|`RTVChLApp
zS_=<RM{>d=?#al%{~)3v?TJnB5H|Jjb@?bg#$LyGBlLZ5erq-TxOu>9jG}(2AI!(@
zJk(sjM7>DL6J`oZVhz%RF(K_7K%FN?PwKlN`#<9;^E;eYs8u`@_2%<YZ@dZPaXYrf
zLZ?mnMAXnOv2Mpqq)%Z9yo=Q_@Qm4Z9kC4Q4XAeRVJ@EUR6T3nyen#GccB+=;t2Ho
zXilzC7)p9Sw#MI4i?h}_v)_HFHFF2`hMCWskKOLrlk_}nivAbOdC&@dT8*=bB*zn|
z1L!hpD4$^vCc9`3o<gWOj>Iq=frW4js$(}$p9Lu|nHMO8y1zc^#rmS^%|_jK=o0&1
zi{qKi$a2|ivl^%hF*dyf_23hz2fs&c)52Gb4X{7yKByPEiK>_Js#$EcP}_Sn7RKGE
zdJnI%|JxDq{$$SP;i%Pl6g9M-pUvlY8Pp=}jGFV^=*4r`24CVA7<tVc$xko^=?>S;
z8t8@U&=%B*c?b1j^rw$V43Sd5n4w>Ts`wr1XnuuSR9SAA{4mrUcSe=ZMUB)R)Ehp)
z3>b9N?Dx{Bv%e1Nf#Xo;$szm<eLoVJL8RR+bK^7A8z#DKehHl&bp*FTJ-7>Mb<e{z
zcnY;<ZlKo8Thu|5_E)o;@}SZMF&$P!t+mG3QlJ0riA*G82VTO;cRbD$%zW1zt%>iM
z-*z>@ksdzna2(~0e)Bl{@Cvraxeq)}M|^_=u*E}<`_FGqV>s!9kIXjy2es?sAA6hy
zioGVH?KJIobD%uJm89!G@i_1C6>h-iPd(0lT=LB0{E8i(o3p;^3y=E`k7i(V^8Z1d
z{moyR-+C`V4Yl7Z^O-UgE0bP_h1HYaiKxffUVGgC|Nl&!MY`S_b4K4neX2c29ViL@
zFmGB5H6?3MFK`{TxXQdWZ(JX>+CM|p+l88<CzuVB{K-h<C6b3o6|9Hazf)14^BYn7
z_XpG*KgNWZ@SRzF$x&;eD5^Xfb^mbm!^NntUSHbudej=&jQZ?2{Eq!!jL1ncm|FMZ
zP;;+i3HU*QplgcFEA4O6J3rRpDVmBaww_9v9cQpDkEeVeVJ|_~6a15Kp7>bmv`)bI
zXCs62$NlT{IksX78szs+?$woew0!_;$=yaOC~5Qh5RWAcAnm1mGvQa;P8#wS5x<6e
zaII}qpDT5EnGHTNu24{(Fq_POa1xcz5f)O`lk^kfx`M4Iu`2lm3A!#40?6A&`jM^k
z8FB5ZGpfL~hfvmzUQ*)Gw4IXR>qjC11)4uTH~w>dMSKX26(sydZhIPBO;|v@C}tx6
zhOM2B`(Kgvl0N}65On1yt*f5FNkqMk#C?>vqAbYI-HCj0B=MB+m@viO%vU$}Jh)3<
zZ*IDSyKEWj(ETrCWF=jnctOh3VK354h~FbrBCYEd_mwAq1mQk;>&g3*keB?rntxr}
z39~6&Nv5s|*2mnWtBM`EB-EK;8`jGIit;klon!0eqFy1DlNUptj^rbRQ{)x4ZE))S
z=enckAEokQ`@oMSzuU+t8d+!?&uR0<llIugIJ=xBq+1fc`kyvR+57&c4j=taJJLT>
zCy+RYrn8E)?*b8BA1L75aj)7GOeTKRHlWNlr0beu_s=%}^Dt#b5L((cl-38$6+$7}
zNkRT-g7&?xy2LrDea=)0BS`4zEKNN2e;WRQyfKtz!(!CyZOe6%MUjpme;JlzL<(bD
z%FB?qfcReOd`tWYd1nZNCHXVe9#+=;&n1$X@H3h9sGw^Y9w4tGjou|ajSx*(Lf#?t
z&}b&g^o3H_1JXa3s56dxe<Jt@y2?;b=l{R2MAX+2@2>v>RL~V{aLRIHL7R7hyuV1l
z;fAI>EW|dN85fXO9jjn=TVG9lPu}NPpOETb`Pqo`A?wT_j3HDc1nPz*+z?13Uns%#
zj!-AT%#o4lW=@Or*AiV#Xvyu#xn%|M@>quOmUvF?UP^pDVL0)R*JR@Q`1u;63Egd(
zmv+9T?jXvtU_9X*@wS+jaFzIJ>dqss?`C?w)13rg_}!}(U9Cff=Qx_2JUEhYosgLP
z+o-QBE2tkr@F)H8(oY5@sI#3AN9aVEJ_0upuVLHgYqyhx{3+xW*AneOqCSazxRt_k
zgmlDnkf$pHHsh@};(78vUX4FS@DTURA-uEq{D4(Rr>Cq2AtU$q<KDf5T;zX2d8o=h
z9#Ip?)b)mtTX8Dhhr(2>X&bFa-dW-;35RX{)6{uR`ZLmeV{xzI)T?Okc|=ZW;)w`x
zl#jLf`^f*E@VP#sl9O4>y_L7eNZZg4sBa4AD1S(3!&@XJZzm7X)rc^i^fKG%D@;!q
zPF^+Y>c^Bmw(bQyL}*QUZQaZ@iMYFu_)g|rBcZDb&Z8ptJNfYh=}++Eb(*@HNKddC
zpHO~>ygG!2<j*1ma`Q#f?)s-*6T)HYRi|te`C-J9Qzv%<=072s4av|ogK(SpOY&L~
z=R2AEZ=O{4hJ5{)Qj@Zc<cHG0Q{st<mr(_-M&zY6QD;B-35l<!j;@*9e}{N6Opc$B
z*NU%5?l=6SR31S_VG2snh^|uPB_sVE@x-{BbSO7>z>n7)B6}!1ifJetMEH35+j=Q&
zd!JITi7jtKyc+Qx`n3MeR^(@K_iD@yorsm9!dl7;;c?q)M(amLQ?4tJI{KNYDEFQr
zuLW(*BTv^!LPOiO(tlB&gnIr2cmL-nGoH-XgzVf@kIIV((}*9zthk2oGx0d;R#z)r
zg=j!mXY%tA8dIl<&D%`;<5i5j{v^uM{tEKPQP*DX^WFFu3YV)8Oa8ZlbD#8FYLuiA
zKl1eh*fM*!(9cOfQ>PT=bGiQ_@uY;U#D@@c@l%P@^IvT$uOnqX&3`QlQgd@J+(|)0
zg1*5QAy3y(d*fSf=s`RU`HzUFqbwO#;9<I|;R-@u@>)};h0S-%Y#WL%Bs8VGyxQ0M
zpC#z(P6$&b*A;uiN|SW|97DrxX;eQq>9<0i?F0G}FGV<O(?Q((gfNo&?FccHO~m^I
zUDK#{p7>hgzP9}FjdHnG8QecVvyGjkp_Rm+aYL-lYl3NQM^*W6!b4k@ko?by&n0Xn
zzb^N+CGTt6`IMlmGogX0&wrxCX7;xYT;PUph_9nk7H+Ihh#+qmdH;~t9DgI7i}))-
zZSJo{9bLar_6Om6@@iAZ&Et<rq<<mZn6euLT@|<|t3H3XkfEPpbK*^VQwiItF65sk
zUq2gfvU&CF!_>$K@_H)5wbb65n))6a?}4ibFUZSIofCv~q<52^NBn@!->O7(r6T@2
z1-fn!A58q2O)IZ45BozAt`oL1MXZZVw)<<#rNoPKe>+>YmUs$6Mdj1^3gmxF{CD!S
z{@kk@i37yaQz6FQsDi%4H)BG|R}sI6x|SQ9ZR9l|gp=>by(6$D>D{;*r{bs7y-cV?
z{Nt5`_;fu#n42c@mJLwXEkbwFL4*#(*HJMuWiM37HH&m!%8nCq5Og)+LAp{<FNX3U
z;+t(*8p<k@*UPQJ!AAae!gTW7_y30qp@ag2#bkX=VR@WNXhggg6~CZtIpO2AhJ0N?
zJTNEuDXCL|(2@LL(jN%>2*=4wN_a{<lCopwHuujjNT<~KzmCGcsZ@aYC&W_|vXCx~
z-w^JR-wE^cu#wz4jJU4v$^Qw%+!RMJ<&oUCgY*sR<RX3<H&QP%!JqV7%t^i3#Pbn+
zz4)U&H?*Rl8R6rVh4^*K2H{~s6!Go$!5`}sA@4WJR@(er!~<;M5#m(|St;8>xJun;
zlnuA#p_Fm)pQz=}U8>}!+2a&6rLwMVrji?PZ6C6qvgPDgCp{fU+q&Ob|DtwRLN`J=
z${X1H_td{>+gMNjL4rH~J>3W&EDVdTilkrKo2rmb#!d4{cO}HTHFz8H(o*jg<{(V5
z`Jxi}V+p#xCOjd0Yui)aWI|2Cm(=N_{qLcHN<91)=D`r#k>->|5YLTi|J8sR`HFCr
z2A(Rx)sA{)x&Im=H}MyElk#qaAGy~Lb#)}a5kXfM@_m<V!8`0rm_^|w3Mx|}J@MOw
zL4+diElic|NF)!@mC>e8ac@aAXtK?p)Tzw9y82)O%3s_1CYS16Yz03GDv|ps_9Jho
zt&x~UTHAOL+u1Kk2T&)<=5OJi*_7QSuLki}wsR_OPM)sYga?%Ax@^6x@BanJSjWxz
zY~!lHFOHpsRC-N3hXM^QwdLWq!GqYFyup;upsxNS&qIjo>QDM1W^z;f;9>7ka<Xk_
zvHUn(xrsO9rmbWa!1=b)H^he$ACL8IUUKRluyLa9mFi#Vs&pirkbsA_Ck&*<K-+;G
zO4C+Jd!PIKU@`)@L02&v`je1{iedJq?AC(#6J;|Asj1t7``+5JrtaN*K#{kYyxO#P
zkhrc})E|p$$RFV5P>*<O{fa6Bk=_Jd^D%&%4iisiJ5<y9o<_!#pUBpIsT;T!P(Ke&
zBYzjpCuF2<Uearbe~ArgBRhE;Nb5>QnB>NI{}vP$r7(nyYlLOQ|0Z<h##q7z9?*%<
zjIvX>gHWA&p1TeF_mBPDqw7n`KVCnQcb&vGoADFv>1t2@5aREA{4v#L?&QY2G~ATJ
z7N(x##et*`{j1S~<eeaII6>EYTb7@8?%B3xVh>a7#8Iy^bq0{<C2ntXOMMS)C5OTd
zloTi3pZG5XUFmJ@8P=q9@JCbRWTH-U(z?3*tJP-Ye@A-1DRO!cKS>8F+qzNzt?P4&
z+6P@Gb3K**vT5D>l6V;T4Tz^A>?Vw&&M54FRsU7D1obkJmxmBeyd2)7p00kx|9#!F
z>0<8R721*)WHur^COs5?rIB&OH`($5<eefOLVhY9oB(xoBzz#$wQpC$>Li=ls9n0P
z*V_&ZE)hK_&f7aaHqP5A+8gDq(<HKiw{NFUqC3YqRr~gd`*-Pps9rs~xHYy$jtB|Q
z?hR?uqgQmFxcp9J<@mVn-jE*DkBRCW*JD6*{;dP|ephzpy*B}KFQxPZ1Vwe};_V&X
zyHj*btT(PN4~mWN7abEH8y(~A7SlJrU*VZI-=ue|2L4agxb8h-|F=$xsMy#Z-THWA
z`u2*B-CFFA0qOkXdUWlvV|_Bu>tc24MSDA&u19;j^z9MnJ+wA1CfXa{$9=Il_YIu?
zcO`cS+;@%Mu{7MXHZs^75~~;O+#@=E(0^Vwx{voi@7p#1jyj)v9@d$A=CUVA&0bMn
z-mP~J`q;ORw@bdLPx{6)Fy1cFvF;ee;Gw1JkNfI$GTIDBXnb6cUOi%?;-ceYVhhhb
taM_b7?EkZ|&e66pb6fELb(=e2wi7XjwlQuya$oWIW!Vw(-18yP{{iV#R9*l8

delta 23982
zcmZwP1$0%%!iM2}2qeLR1PBsBf=jTF;E>=F+@0X=TI}Eu+})*6+@UR2tVnTpD^Q$b
zg;L;uzcWKu*IoZ!Yx0ck*|W#aN$9;_-}$V3<>S7UJnl?~t3h1H3B(&29p^+m$5~KL
zxsG$RiQ}BYV;F;TnmW!1{D@g_a5Kj#ip#Mz-ogo3rn%z;;TcSiFR>9Oj&Yoh*dF^j
zj@vm;q$?SfTR2V~{1KC)UrUpp0o#(Egpv3T8)HN(PXo?W3?}W%(@SCw%#ZCc9nQnz
zxC8Ux8}!4BZIpIXnTQV=G3bTuQ9bXB$#6WXLkp2-IU6uBCZ|^wFc>Rhd+TOou$;d!
z1=erpIH|BR2H*(Hf%7pt&vy<JNsBK~4~*a5m=5*e+?W?j+WfAl28Uu2oQ<lt3gh7}
z49C5g58q%x%-q3oqOdUzzy;_oKqP<(VcMK%ERAcBxpAIjRczhK4Dl8WA$=Yb;yX-)
zuFi}G`k_CDpvogqZ(IsfV?)%G^u$CssWaoBlE{2ARB<z=!DASM_fZ`y+lBeU<)}G6
zg1Rpr3r8c74mD+Am;q~|hQ5c*A8qqjVixibV`6;TmGM{4Ka!!IC+cQ~J{a|YFw_Go
zVj^sgT6~>RBXJa?@d^51!R}^}l|;R17c7IZI0jFm+O6BeOj##45p`e?s)5N^7H4A#
zyn#tDZBJ7#C#s_*P}`~|YR<c%H}*kxrZWhu;x*LT%HGS2Oc|U;x)o|l-0z7bBa)=I
z>2U~ZC`+K;ya{H*UYH5zV+!17y?|=yF&4o%eH<qj7Dr!fkIL_X8uGR1hd&}y?skq6
z2_xeUYHs{ld3rz*Oo`R7Cbq^<+=1EgKB_~B`mx0@A8KmGVrKjuweREicbo!P9#ww;
zmcm7tR{Q@Bkw7v&VSG&eoq6MoSdesORL_T@R`q18g!54&^8n*wV)m5YEIF#<A?S~V
zP-`a|>9f-SwWv?yT<!ln1I>eu;x5u(aS-m}M=BTFXt3G0RfaeYho3VM*}Bdv)SEP-
zkqo#1wN`ecI{X`|L)TCv@EA4H>4%!Bsex|2K|>;Ga2V>1=cCSnb665n4x<xT2aDo3
zER2UyL;nQ}VZGtJ9Ztfm_z1nwZ-jYZa?}W>Lybtb5sZI0k#I6J=N)hi4nZIE9%(w@
zhw6D%Ooc;H^=G4obRFtNGL163CK@&Ov6vr^U>E#=n(DTr9VY>f7|oEVN0Z2Ci1TnJ
zzC~{wM{m^Asi+}cgqqWJs1EG6>5De~7}Jse1@)k`W6cp<2(`=FV{#mTx__dZh!)E-
z^ub-28u!}@S8e$VEJ1$USaV}(tVX&%R>kj8Q}z}^u+TWiseui#I<CR8_%~`dMUFS+
z?x{q|k#P^RWA+K=4QpZ~={A@VSEAO)QA~^XP$Tpi>tfuA<^>v|FX@)3k?Mq+GB;{5
z&cZ~v5*c~7v&ClYMK20YV0t`_LHHaKV4_K8ssd2?nNazqQ4LnLHnO%uwbR==&AJIS
z5~t8d``>@EIYQH6779X8i>(4?!U5=qi!dIp#|*d?gYi7718*@gx~7<OBnk3{P8w8s
z7Sz;++5Bis#q*u|L^Q-*F)2>PCb$d(@GCaQfT@mC4Ev!vxD^ZHLsSRTPcw@v6qAsS
zL~YmVsQbp*{3EF6Ttc^Qd}IsWV_wqU(@lkfn2dA<jKYQ(j`J`pp2pnx9z!wn40HC^
zL@nyUsJWkx8o4!C05_pJ_WKORUj-T1bE=pHQ($pSjx|wp+#0pmx?w%+i(z;YHMGtw
zv)B@&Ivj#2u>hvRN~n>HK}~Ug)Y@1yi}BAxWH%YwuTN2P<U8BENeGrFT@`cS4Ad^!
zi?#6)ZpLDB%<g!OnMwQ1HE$S-`AN6K7C0Bn;V0B~E#;o)I5~-o#KO1{HFtlY=I8^)
z#rX5hi1?vD=@8V&M4%Q~6lzgcL3N<BEuV^oNH0LnB<BKZikmDjBjKJvB$$jX*c;EI
z=CtBM_CEGSz4;B)RCzBl`#lkAwYNl#NO#PJb1@KqK~2Fe)ReqMy_ol6vshChQ|ETF
z5DBLs40B;S%!kua4Ie_y^>fsl2QM*eBpj8lWYbMii?S!`B%O;vxD++l`)&Fb>b}pI
zLi<12QZsj1F#`or7>qF(g2PbTb2+NPBdB^0FfGPgW`;BvH9|Eo80%pO_Ct-xTvSJP
zSTA4@&v#xE(W+0j+zeS()D6W^H#D^Ael|S=gUR25dcb+qRJ=oNXRj4zn<Yo>n)0aj
zs$v@Khygef-HI$AQUbT37Ts$shF&X;k*JOi#4`8^>tf{h=F8?xtV;R~>g+GI%Dhlz
z)Ea1xjj<25!?Rc$i>#*EXd)9=JI)fkip_Aq59XJ|t5}V6*)?XUr(;3V8&Grj0JXh7
zqSi{TwdPIhU~$qtFcWUD`RA}Y>6fVUC2}3Fm6}Mcb!Pi@LRO`-0@dJVEQQxlLmar?
zl;=dPfkLQ;>Z3-kqjex^q$Z$N{~6R2-@|nH7bZY|_Xcxg5UOHcOo*jWb5|AhfI6t{
z(+-2NA8PLBpdS1a`r!$ie+@OI|6l_wy3yP>9kmv=VFh%bB~qS9noVZtV^E83A8NJV
zMD_R|OpK{Fn+Ih@bu<FiU@6pn%}^sa2z@XXb>CFfT3C#}xE*_HS?wh<kc|9W_$33^
zqlP|YtC`!%NEK%g24kLWW@M^c>!BXd6g8xsa0&Ls6d17GJUA4UE{%Gj`q)g%x)+fq
zWSqn4n0JTyOT|Id5C`ovQxk=HqgtppY=nA~b{HSKV=)(t7qzB#>@p*G8nsqlU@-dq
zXxhz->3P0WlZf_ZH%yALm<;Ek7p}u_+=Nx}0R~`!pUn1*#$eK8Fek1?b@V){z3bLz
zn1=Lc%!UC!GycIuB8ey?28-ZW)SMnbHE<hK;w#LJ-n-4B3`b2>1=L#Uj`46ZYGh`j
z7V#p~h^<7u*cQ~HKD3+hPetT18G54^sJZmsV?LcySc{@=j6pr1C#u2zm>x%=I<Oow
z;{jAVkI*0Aq2@mRUSkmIg$nFt{MCU<WT*o%wxB;IWG*LRW%B3ka~#@m9-un1e7|{v
z?HEb=D3(UwU(6q|qA@S&C8!RZL3QAFEQ}wq9)`IOm=i7*^O11{%VPY4=2Nd4YI_bt
zJ>V$j$ApK>{w{%=NDo8?&j~$jj^@W0NILR}Sqn`tE$P;n4&A6Ja?iIFR-kTJhjH;3
zYKTu^CcKVe_!U!Q*so^fqERE#5|dzW^uv+X={A2Es{Jjfj+{mowcB|@M2jfHQS-ZA
zMbzAku`WdQcq``8jo1`Fp{B0kF|&QUV_DKCQT3A_H$$EW)m|CYR5U~%?1IU(|N9Wp
zT#dmzxD&O=9-<!b40Y0ZoiJ~Z1k;laMU7Bp495ECi~Z3XhoMGfENVpNpw_@DREKt}
zoaZ~|h-kImv%W%A{DK-<|KH5^%z{}-S4C~Z-WZC@Fd?2sJ@`5%!h5K8U!valGip1>
zJ89ZYg`U6vWhbH@HbM2c6DG!iHa`~C@EpvAi!lM7Ky~yI>W!YF9_%`0?)O8b15qQE
z1B0-FEpK~@@mE1_GQ4maY6xec9<bQD#=0HV!TlJFXD|f+M7^2+X|w+`qvpC2s)J2Y
z<vr04M_>}1cAD`|Ok^1u+W(ud03O8*_z(8Oz%yp3XQ1l+f?8x(F)zMDt(7ci%^E6>
z>Od#d6uL1fPPOS}ScddA6=>CdumvT~nFgw(w%HIIgtJlgQk*w7L=E{O)S12w^=79q
zIo`x9_zII@staahvtv!t`BB^4J%Wf<`&gSX2{okCQ4MX!jCd3^QcqEH_z^WisV|z5
zD2(br9n?N=g_`@JsQV|P?%#x3tb37qZs#}=t$|0V8{%CuL!2CSLrzSIg)tRYLp`Vs
zs-fPf2M$HGvk=wJ&!{&%iaNkfq89O=sFC^LNi+XJmrX$y)HVr4H5_i!QK-dP5%qv7
zs1fLhTBNb4`ZH|)64X@fLv<wX6=O0~{UFp@$brdtzEhNl8mNNmKm%087|em4P`hF#
z#>Yk25m%!|$p5Mtkq}HxIv?syE1{0s8aNC);Us*Hu{h`&;~zo9`?{IS;#h!m6D)#L
zuoxaktp)EJrlV<4Ya|OQzXGPhMi`7eP%khI)uDx`7u$i&a4+hG(%-cEKkH5N&894B
zwN69L(F!bz$5A)LyJa5ihgwwmP#vv}-{C}C?sMC8GzTUjKLWMg%Gvx_)S{nx+il)p
zJ{kUGY{2w*05x}aP(%D2v*Rb!n`XXaj^bjd#n=)TU=P&L``tAokrFjh1ySuZK-F)H
zYQK-$77WL%WK2P=_MNCjauT%$ZlOBnd(W))teA~-8C3mFsF53nYG*p8!=JDeUcx9$
zec${kw;`4$?Ve0T70zKnO!2!JvS`%eX^eVMU(^E@q2_!O#>Imeghw$0K0+;Kp9kg*
z{V^ZuV9bv-QTL6&0PX*=L^QWcP^<d~R0CVB`!F8q6R5d7i@|soLom)mGg6sR9g9GX
zNJaF<W~h;9gIa{cFdSnsBhPpC644^NiyD%^N9F;|ksdljQD^)d%!Wr%^<G&E{K08R
zx-TBV?vMEzhlQS)#hLV}*+rGHF8QOe8s5MFp6}#(W<IsbU`f*Lu{^HAgZRRxw>&r7
z^CO0mpZkRwnMSC!5`*5@1Dj%htcjOUi#z*E^J!SzS`*zGs<uS(;2_M4Yi;^EYVjp_
zWwvKHs{U|{#yO}p@;ho*e8oDL>QD2FNGH@3&B7?$g_??wsQXjCX8bb|Y4O_pS!@($
zBz*!K;0vsV72cRPpM|P_9JPpEU?O~j+Fs6Evq=3gImuwuqAY;HSR2)W-WZ5e-ZK74
ziL56h8Sb^7K{asCR(yxre#zgN5y*#Xs648nmNxCS>G`M!@4{fbf_lzJ)N>NNH=hxK
zZXz0@7N`e|ur9Uv`%qJG7j*z7{L3uDaMaP-1f#GIY6Ny*3Ot0B@GADgOdrfh&PMH~
zhnO4P&uk<uOISUuh!NNjd*EbDjjq4V`H&XVkgkbIuoG%m474t{<tI=h^Z?ay*C*3{
zPV^^T3{z?US0@rcMqBj3A=m*&V`qGYx}oVm=FNJbIyf4AaW`ts97e5;KTsV@^x4!8
z#FV7-qh7EAY6Kc!67BzHwxBDjK{po1vDgU@<3`N?g};p9T`YnZzVe+P{T!DQ?&1Yd
zAItMyF3-OqdB<^i7ViS<Q>;pPQ7@OX1;=6$p6?Wk>oR{HLk;;^?1E+DxjaYnX4HA`
z2Ipc?Z<ps>xPW6x&+&0NYca&v<*dV#SQZDwcX<w+eW({onZV`wIIo3GNl!v|e<II_
zFc(f6e&x-DgHVfOHOAm29D{`txjcWr+lPrsXG`qz40Qw+B3%wE;$YMi9l^@@4{Ay(
z__;iPps0`ONDudOxjl<%5gA%kyHKn59BTVK!Z7qn;_`gR6h+<G5VdRipcdzB)SPa@
zK-_^^l;>^vC)9^jili>jxlsV)lP;Xp?ecuLD@}$DlJclUSR3`=#<+yJorIh*PTu4$
z&tJ(i`J1VlgW=>SNa6DQxh)d=kRFU1@C^pzvXm~*B0Y#2`iEE-%ewgo-Wf#Z;SkIl
zV1|4HYE>sm?ehHRG-0TQ_o4Q6L>ia=eCD`u4!*`LI6kfE$Yv}@`XvTqL^_w}Xs(9^
zNUudrx%)N|&DDF<n}-IP5edhfqzhw8Y-Rlp2a}$RewaADX*dvDk?vvB7g1{~XOMZ&
za!gD5C)5;PMA~;de-hE+3Cv*LxDE!B?uXj<b5L`<4pr|k2H<DZ8>9?&d5-E(RQ*WQ
zr(kW=s&9mmI2*MXFQc|$#t@gYO#8n(5$$LHj4scA!BiEs@3)|~XHX`W=bzseVP?`_
zFe_%t?DBk3sf=1X^-znq6>7x#+ww`MgJ&Kl$F&%Ydoht7aGQu4eujFZWLeBmWyi*(
z%V1wzjM*_&R&y>yq8>C1H6pVy6gQ&UyMY=xS2i=1X;Is|oV5qKwT~AP(a^0$y}>?I
zPcNVveq{ZMdeeaHrbC%gYh*sQ#v`b0l`Dri2O?05atPMP6}TJ!L2bt$bF%+45V?}m
z%>4({B21Ud9G#gkl5|hh0kQ=(lm}2BqvuigKS0fSyijw0BJ4#v1rETmr~}O_w>cN`
z<9yN$bGyw@y(2?InKqBh^Gzrps^`s74;Y2ob}LbH{}R(<s=Ov0j=`iGV;vlXW$`TP
zg;M3SYYElyMW_+p<R+pA97HX``=~cgpWn<~Q`E`W7u(|$jKGhW7xRXhIc<)kNRP+K
zn5=+VD@(C7>El=s6Nj7o%VJH^?g2!!sD8tI_zpFPStHC1`LGP>cBr9Wi`w_QQ3uQk
zEQ-krnxnM}>J4k6MyM6)1%{#4&U_q)tFgECe}O{Uhh(5WJfaJ`oa;CP$6)s&46%#f
z*RcfY48_c+UQ?Vz`XOq_`xG}*a2&OmpQ3itSJWa-Rl>Yb9xO(>4aV07UrI!8z83Z2
zaRa09BUZqoCCz~`9QDR$uso)UGzU^s>_U1bMx$4hISH$yw%b<p!rSPJ_fd2I4E=e&
z^OcAi_Ah0ItRZSH`(Z--j14e;X|t$WqK0-AYV91xS@;0;W`oMOJpb*-F04*Eepz!~
zG(-*keAI5pT8>4jZB>Ve=C(Bs#y+?P-=KQDsJtm(g__%47=p)9A5zay9ZFKc?Cac^
ziF6gzLDU^f;!M=}asjp59#>%hYdd`<BO7L|Xck{J%tE>WY7U2>=5Quz)viaq`B&_S
z87jFv-x<eYW72OiKh~&hJ|%}^57O_jEw+m`_nnGn|92pxNEMgoFB8jA+a*p_^G4-R
zi>nppz+IRQ@1fSp7u5bvSIunCOsEl?fI3-cqK@F@sQY%K7UvbzNIr8D(RTWRnu5gD
z&0+~co#h!(b5$L+eFmc%9)}v*IhX+V*z%*+i`IJ>O!-S|(i$e6A2pKhT14~)D=;3e
zL+yqwsFApjTE$swnjY6ey<uzAfzkyF;R;)R1GTzepgQcTWzv4AHxEIrl?Y@6+)iyG
zn#(q*H89E)IO}mJ>3yih7FFAv=`FD;=}TAwGuJWOt|jUL8&D58fZ9EGP*eB}>td<8
zrhGOAY5#BcL|B!mj=VwbZ~uB`@ijs%z8<KCVo}@d7HW#p);Hf3E1<q`3_x{kC+fa;
zs5Owdf%%ZiiiJt%#%P}Jv?ZdRZb6N}UevC5i2BNuxS?q%J8DRyP+zsGq8_vvwI*Jo
z9{3rxYf?5c=}=S$%A(q9ig~a<y0y(#5z&yIM6K#{jm;1h#wgPDuszO3?E<HXSra*N
zkjn89p2zI?b5rwS_B)m%9n{Qx^=geefHq=nEZUs?uLn<RZazeAU?k~)7_->wqjp6H
zjEe(M+sKXjP??W<^X;fzbP#p$oWn4DZ_9JEFmqoB*ONaHbs!aM$^O^J?tqr2=i6`!
z>6@t4-?f$brn4Ef%ComN9f`p<q}!l6a01owtEh(4v@u_^8(=W$38*Ppk6NThP%n1P
zO+-iVQ`AU&!f342);w?~<|KU*wdg*ej?VCQW{xYP(k*PdAC@9L$)?YscF!Z!SFZT&
z%_7f^y3bwFMw+4KzBg*|O+_unUDi9Ox%KT}<~~1a^*2Rrw{fU9Uya`Q2(?yTpk5$#
zM{}f?LABq(=ys+M(SvrP=JqzKBcD)<Gj%6ZUJ{jVi)vs3>H%9(54edsQhhs{11Bvu
zA)On2a2#rTPeVOtizm(gJ4Gazj2EaWNYcd&O;c=0x))Z$leiTFx|%PiC$KB&wB5|F
zZm}3c+PAye&K*$Ou@7qQCt_Rt9tUFL9(0iBJF!Hx9UkIBEZWoju6G3|k*?Ou<@rab
zo0yk$-QH%gjY7@gVT{7-7=eL(%$(Q47}C8lKVG!?K7GxHUJi8Y^LRQDZKu_!Reu1r
zs^j%DCzU@oBV7eG#A{LIdr(7v0=25&qdJtJzcCoKOA4Y6qy?xc*os<|=liq&6A*bv
zh8l3bGhYx=piaab7#|~04Md`LOFh&YXp34q6H(h~JL()bf?BK>QB(Q_`(c#<=ELm}
z>i%~F*#GKb;6USW97_5RR8Kn$GHW9iwJ6u19`q|}B(9)3`UErLd(;7xX0SP`OQ05C
zWz-1QLVav^MqixjCNhl3JY0r>L(Cf3hXqJCrGuqB6<yAsc%HQ0?C?<YfEU(Js72;G
z%#36RUMC%a8o6Y{?PmyT%A-(I=dMen50Rm$A$pIGvFiwz=f8$&FwzXwGt`HN|0wfD
zc~B!!5cMV%P*YU{SGxGM8@0`xF=pEaqK3S*wF5GB?0+Ka$u86o-$xCtGuG_m<mg2*
z3zowi*b}>9Fy6!R=oM>rM`hI6KL9l~>rn^PkEj>8jJfbNmec2d&^R-st+5&f6H!Bc
z14A%qyg53fPzO+REQ+I0i*`S%0~atirkh~CNmW8E?&_!yuSTek@8+l}>5QJg|BoP|
z#W5c>WZO~O>n!Slw^1V$Z=#vId>D^(IaGtus72QRwYUah9$boQ=L~9F-a<Y2E$YP*
zPGbLS)#fIm4%9#mQAgAw8HGh%EKZCjeQ~nOd59rX%$xg8HT43qHu?EcC*>&Yf~Re|
z#5B`^F{lnK#7NvWjr~8G$XhaM;lSzUE7U2}L6mTY`IcG@HN;D-k5E&TXQs=kg5B{~
z+=FLu)GYHGRK3||?r)&h!r!P7^`2uEW9S^VlZLQ18CtzDs3Gi#nzPBM@)@WhUW(=L
zFzVn*IM*~(05x)rtbI@)w^LAWyb<+Ta0GSVEzFAE?s?{y%-pE`-UsXA52yyeVlbwi
zZ$9mcVHwhGusi;MYB22r^GB=FSe^6+48<>~4&+*BI#3$*B8^as(>;WUR&gvA$Aze&
zy@uM?fs0H>vY>`A3bkgcpc?9i8lmZ^ZM6i|@NcLQy^P86E^1A^MV+ki7kggJ?c^Y$
zp{b0j*b>#DJ~lrVb>mXhqS=9E@jXUiu_gAmUes#eh2D6?rca_i6Rx8VK0%GhYYfo-
zkH6IA`Clf6pbnlvs0U6$op8%-{x<Y9j2fwvsD=|PGYzIey+}UPQCtzVt6HEwv<9N)
zd^~E(wqR18?_47ij8D-E6D>DGpA<EeX{?#8c~K)(6mwuz)cMd4HFC?aFz!I@`<JLU
zj<>=Xh{`X3ZWUA_q8npSJ?@Pf;z_749OrQ<dU3E9!j-6_`X=hb=x@}b%=EpP+jgim
zGzQh)G1Q3MM~&=1s177s#s05NB-<);^bSN-JdQeI@1xG{pw%vCI2K2p6Z^0#CjY^9
z95wX4QQK|;2IE=`!{1OH{)(POy~g}5nPrXJ9Hn!~(A+LY?fdUhL%J3<)R#~VKSr$y
z-?e5A)1XG66zX8<h+0EaP;<QuwL6YsX1s)2q@Pf`DZYE1*-j}@+o>?>h9;=bf)1z$
zjzW#hEYy&0L_O#js-f$sZTSe*PJ;EOojj-)Dux<?DAbEKMZJ)_wapk|9f#T`Q&A1i
zwds|p#kn5y<7U**-bZyf)dursnNa&XKk6W=iF%Qx);*{xxQa}f+qp+XZ}zt>@ZV@U
z5Qtj+nNiy<FKXyIqqf}u9D%W@DN4M_7>psL3!olU7q#7*;d~s8hcM%2m$O{^{}GWg
zWQ^Zp-t06MAnn>}|EUElkanYv<X=&{<sL@hd(;brZZq4l9O@+OhU(~i)YPm&jqFL(
z(R~qpwg1a+H;bh@wkF*dHDuSZ82*J-u)q#8B|}k*X##4|ZN`dt88>0@PILC3MXix9
zsP>ZXGM}cQsBJg|-SLP_w;6L$`*H*7O%I`l{5I-Mo})(QAJn$Y_oGQyL!EHLaWhUs
z4Sm_4%-@KrqRx$xs1EH$jo_)D*#Bzy9vNEYf1(yuoS)4qk3bzz)lny1ThxQ6U@&e#
zHGCSi=zMmYH_e6xNtZ!Q#Q?02-(x-eg3(xa5Bp!Mbm<;*0R4$t3sHN`14mjnpyv7t
zs^@<D%n)WoZLdP8ju%IbP&d@bEl0iJX4HweAIoB#{bn0ha1#k7qZ(>x2BID?5%uOv
zQLB3wYVn*v4fT1{0dpU<x)c0jMlcLDg=J8?pdo6%4@9k%;iz_2V`X%2B9f2DCyc_-
z1Ln8hE|{J4uc)=~3UwqWJZMhF@~9#0fwl1%)^YI<7l-ID_B_lB;ix0#k5#jOHSK@G
z7Su0()bpw9b`}xQiS`loCjQ6F6coeqq}>>ghK``7>bK+OyJ6r7^QW8Us6{*%_2!FF
zZ@eA*;BIV!VZWL3$*7TC>5=`nn@9i|=P?|gVmS;xX|`QkEKGVUs-b77{aopkdGpSw
zq1}(c_z;Jp&uMdTjm6xg4`U;IgIb)`&amCJ|3?wgqIrUP!=SU~W49}IBE1OfV1jez
zJZO$ujPo%eo<$u%H&G+`9z!tcdDGD_)D+jn{5Tr5=60c5J$pbz9|ryx%o~KE8mNtW
zvp%SL^HDb*L#>VXHl5+3*=AKx<^64XCF;RvQ4fxD$!ybbYn@B%{~i?dCPQ!Z5LGeo
zvRQ1^Q2RR;^WZP2daqDJnDvTTj7?FCaV%<X?_e<gg^e-wRhP2}dt-O>zh*wPMqYE9
zxt>af9();fG{(Pf<}L_(l5UI|;!~)4k5ET&nj2>Altks%LrvvaRQYbyh}=cJh~G`K
z2+O0kbrUxco$=jJpK@za2ge^c9^d0M9Dd8(nDVxH!(3Q`{L-kSb|~t>v8YA72b1Az
zRLA4qF>50|>cNFjyT)DFX4F7`GFqV)RX=QiBQO?k;3aH(*X6vx68Fpz8hYRSHLE`k
zbMgHiM^oPSfy>#8pRpP4e&}*yFx?~b7u7-dn&&%ji0Dlo{$ciO=Etl`((`a0rhQ_z
z&30@-I_XoF^F8*&e=yB6^Ecg8&t1+w(ueRqj(lN`^!6`Zp8t+$C)OiB^DA?{48#t4
z(mo;@>KuQX50C9wiu763qVs=kdR!WJk^T{9V9z(^DE4`4j@|&&xse@Xuq$dxPNVj{
z*E_SenxS5}7v|BMZYH9NcToE`#e4HzEe~cT9gU^2Cu*B+M}3}Ozz}?en&aeunK{jc
zT73CYYoQ*hd_3y@73hTr(XFpozuJs*s5Nj2^&#;D!|*jSwN9Qmd<h{;B3vNo`ixsC
zJVc9=u^MSFf=<faw$2aM7M?r!=0m;RChm4PZJpdy;E;3Pk;&(SQ;v{RUF6aMbb)j)
z!g1;aE0ar$?SHRh+>_Dfcc<<fTcP5A>awAnyVOfas1;Y^&sE#@(A%oKAS#T)b4qYk
zip%eE-25wbv~`B!Y|_iA*B^f)Z#?ltgm2dd;`s;-2*b#%z&-DYCnhu^-cHZIO(G|W
zd4zieUxKbjgi(~~(w6k&AzFa3wtSolxLQ#sFQF9qgKYhJIE(sKDZlKg#Y0I?u=m<5
z$9;#4qP*D?96*?DD^#Phu92i06ZlyF_xeKPBW$WH_x7Pod;BDU?eBzBo}PP-5mFL#
z@x{sW)$KTCC&_C~VAt94r-Ba^4p7)0b)6wzk;dcUO!7+MK5i<Fe7|&(5g%^rs(x1T
z%aF%O>r^4$SDE(eU`<YbQrav+(AAsIA19k_Bqf<QXh3`8J$^_2V&Z=h9+S5BIOmAh
zq%0F2CbS`57dgiqUn=QP(v_OLx!lV~g;NoCVqEfOQdXLJF7p0;|365yA-$ZSYYgc_
z_|%i)A1AEe$gi8ZD$}U0M5u31S!p<*%~O7P>OCQ7-ybA=B3=d4QRi<u<37rd-^uuP
z-6pbwN^bJ!+sxdy!H(p$Q9kK))EP#+I^hgKS1s~m2z*2HTw}@S^T#<(D!I-3gno4L
ziK*gt!bnu6Vm{l*9vVJR;Xk;F@RIz--1M1n-Q469B!7mjznT0_#4nPktBB3tNBT3N
z6z%JJVDS80#Lw5%^Ydc<D^Mv7l~&VG58KE_-9UwQ<Xs^zDF%|KV|M^SR}=f75Xy>D
zXTIv0B4-MD`Rs!`5ZBei;7r7a_BsE~e<CXXYBL8SNBX~4X3|;h!`k6+(uWDZ6B65p
ze5;(5`|8=e?<m)mne<ogTT6PR$#UWnKS-WC*MA<=j?7bJ4ziWPx$&cIL|KuxZX)7o
z2^DPmCh_dtmxZu~ye*`4mEqoc|7rh>$^Q4Jp6~g`2IX`kHJmV5J+luDC#|cfH8U2c
z!D$#uh@oCDTuhxoI2VtS*PJk&xIc9x{?h@noQaeL6Mi9{SNmUA4JviTn>4bWcuCad
zXI*2xWL4Qv8d*+VHx^=~Vu|-7J^^*{^}zFc!}kB&Gllqd>fAR~oSJTK<kQvpo=km#
z)HT}Pz%MRN8uF)*7mC>ly3QJ$1eEgy*J)<+8<4Lr8fmycx6Ru~`Ol<(ApaFkAip1Z
z>20}ve?H}GhT2X_#pQ%hI#(9|Chr;QszY8K;?>ZfP@KE~8vNB$%D)Furmx`pX;0sh
zVr{zxsWXZ6UxYC7s*qmh#r*S)+jDKf8Z@|4DdPItyp@WV3Ec=6Y4{Q0JA$q`2Inkg
zb*R6MkdnOL@qe!k+{2g6f3J_k>QXN_4(~th-)#QsMPuKtl0>3xIyrG4I;ZOrdC##W
z;ddGyi~4Oy*B8>cD1S-d`=>LCkemC;Q?``6@wRhqiT5J!xsF*~(Rhe(nu5V5%lTq0
z%1!>{|3IihV;yZH8z}E*?;l3lw<`s8UXoZx*(O`}Drqn3oF@H*5JEf$!L4ti->&}L
zP=TA%6A}~G*X953YGoVUOdS_>b5bb}LBDY5noPr^3H2yHg1S23pC;<;;Qo!IL$v?j
zk<c#~x-Jlw5w>w-2HZ!;&jWM?a>G_kL|G0sOgLvdqTdJBlkQ8My@cuHHz2)-{KkY@
z#A}nUYYgFqjaPC-dh(p+REQ$z{{`{9Z8ScW(vs%a0MAvKpL?itnRF(bmuvd4=m7Ud
za&<K&l(bD>qQ*z^^;;jmc{sDluT5)S_I1+QdKoAyM_zr>nFw=i%cpQ0>C}WCv{Qt1
z0pc?W+h~*D2R(naAnJD3lL#Z+A=QWQ?TVoCU)=n{b}$ubUE$P?!Z@VY5F!bo<h7+<
zcH2SK8$sS{LVfc8w)Ykyo}aLc{4V5q{x?*AkkMava3v;WqLDIG2qyewZ@h>9Q13@V
zN9v@cEF<;e5lRr>L0(^6Wb1z=9Yi_>p&Rl3<R3t9+riZ2htSqS?V+g@=z2<A*JeT&
zD$F8%ns`%g-ivt&)olay@e}1K$m@Vf?SpG`Ulu|c@(WX^4`n`-r6unHz9nB*4$`S8
zch9FnV+szE;cv>E{p39(uOZ<q@mu8Yp*%NEMK{i)Ojk#%;$5lx?J7aMHz7XthY)lv
zBvj?0KDd>#6*@zIv<=iDvxJR*;f7L#8swcKuaRvafqj6tO*bPQL7i_`d?E`eOUFZW
zRp;L6)ER<5k={Xk7a@-=_ttl)ND}&0wI>A^sJMa#isNR&Kg8#duPX!f2G|EDqihQy
zu1$O4D?%pf^&-D5{!Ex`@BK{t|GV<Lx#@dCWg5RijWNW(UA=9@m%ISmP#qd?P5ucS
zP5vhG*AuTx-f&yL7!D-AFJS@kEVP}1cmZ3!3SV<iD(=@*I=@i3&K8QY6qLnm<m+mR
z`7jI{Vged`MFZ`Lry*P;zcT6Vgu=xC;C@}vgcjsQkv`?gF+YyM-{h5vYo71yqEaO?
z3)mau;Z7R5MZT`1gcwD*LU{O5TW=@nhlHP~`<1+C>L*YouDs;w`asA+{&RcJTjEQJ
z-$2j%yQp~IR_;z#a^mHANMR}rQ5~+F-0+rgkMMyoo;uY`k&}^n-`V&#_S*KwQnrft
zNX$u_x>gfELK}t9TjT!+VH=57D&@*d;kPS{NJ7%DurqaZC8WXY_5oAKTSWP4@_jv}
zeA~eL<d34xI6_<={0_U4_n0t``kmDd`R;N5d006zo7nV7T+B_y2)b5sV}y-Arfe4J
z$>jT!_cQUUxEpniuvR3Viu{cBz6CgeygzOFruKhbDkrf+qnmY|puz{+h|>M^gX<Rg
z4eiZ^=)^SY6tMReBi@s|3e+2n+dX&i8G$tk>B-Yo{6EiHsqav_mQXl^hO^@}8oFn)
zJ%74tO<r5V4}?H&ZbiM;)OkvJ1K|X98<GBYEwUXfOWtD250EZRC`E+<<fS8wC12N7
zeF5J|(6z)`3ukh}Z1PT0u^VBDDsVL;eho|82If$=81bIueIisMU6rtuxUK*?T#_)2
zIyp#pqU<egSHoY(bMseaCyEMh$kcTnTM|~0A5BO?#jdEUxxx8~bQ(e*%5+_({t6TI
z{47sd0A)o8O^H_}<g(>S>~oZyr~TKRN@u9B5P!3U(RAqBwV$%QHeJkGox;2154Dxz
zaNjaQHp=hlVVDdnk=GoX(DrHKnW=w+u$#O<(w)Bj4pozct}e>N&Qv%+2qL}KQ^L0y
zj3lI_u^QyZv-h;Xs)V7`Z$LOgod`M*Ojt|)V8V~K4Y7puQ`!ik+;jf*B%y09H~&dI
z1EDyTYS{c9<aZ~0C7ps$pLj*e=MrX+j=^W93D3_GG@O<^U6%}=pXJCqPyLpJZ<l+E
zt=OK-{p3cH?o3Fn-f{Wb%1MZ4Ab%YX|8||E?4i9s8}atUd*f2&aeq3DPiUxna1vg@
z!?ukC+W*t-1AZoRAmMu|{P(It`ZrsrAO#btGu75fW;<Em-r%B4Rs9IR5P3sbLETCC
z0cY8I)u~sKFi_+FfXH3jU>xEz2=CO2y^3OC@&*w$5&wt_2y+Rezg7B=Iq1|b${rH#
z(9SVjPx%O*5udUoq<!r3#_0QBEqn7s;<btEJHcw=`>=>DOU{ku$t!0&_TJ{Nq)r?1
z!b#V}+tjH`-9YjWllR=#e@40>`FF`%VDmO%&OH3+VjFuzyd@RmQ1O4SJg%+Pnoi2J
zHRZ5OCAQYxd!WeH!ymf&$L-L&L))E&6S>}n?d%`v`l0&HvXfm;D(_5k-SsB5E6>h2
JZ(X0g{||lCbxHsL

diff --git a/locale/hu_HU/LC_MESSAGES/django.mo b/locale/hu_HU/LC_MESSAGES/django.mo
new file mode 100644
index 0000000000000000000000000000000000000000..f5fc6a7d076a2c087d37dc5759f42a933edc0e38
GIT binary patch
literal 131395
zcmce<2Yggj`o}#H5JagK5ZfRkK}hIDnuH`kq(uUvSi&TkBxA~inF$aPv8;8~wfDLz
z_O|xk+uD2Yz4x+~-S_)D&$%;`5YXNC{lD|!=6g@Qr#$C5^<LiW-SLzVzkNG~LR-U4
z282Q{bP9!jE0%32RJu<n^d#I3E`i~FL!m?A!Ehk#R2~XVfJ0yvtcJ(H$KbYbk0qhd
zHgGvy3{Qdk!LQ*mxK|_;YJ|_i1+btZ6zU02g|fc{R>LhSL!n*ZD!3QC6Ds_cJTwfC
zhg0Bna0L7sZUwiGhC-9z6qpZJ!tU^LZ@v|F#{4nt0KbMx_xG?D+?0naJp&<+42^}|
z;F)j+ycEuaUwiIc6AJB(`4G4nd<$*?zlVL`#<ii)U^oEg!a1-XTn6>L6Fe`3dhU&I
z7<|av{|FUdmslv&18xW9Zy4+Zr^3;2IvfsH!m;p5I2FDJ_lG-B38Ub7kg5zl2dBZ2
zbylv;a1Q3rVHi%R4~6=}z2L@h72E_K1$)C&;im91DEB*|^7|<43*UjNk6+*>aEpde
zXmdCK%HPg#OSl_c0_&jC^*G!f4nY`HzjL9&9Sc<s7edw7ZE!pI3RJoO%iDL4n|&S}
zi2WSc4JM(|eK1tIPlhW0OQGVw4J!Vpq0;*il-zv}RSu<1q0lUtfSuu8FdseymCqkw
zA?&p@6gmPfgo^hK*b{yS_56+r3*QG8Vcrf-hE=c!{5$Lo{{fZG2cg>2D^T_Q6WkE~
z4r!vHj!CPx3Mjd{7OGqxgD1kzpz7nml;!s{sPtY2RgMor<@<d&2>uEOzyZxxt}{IM
zhKgq?+!-DXhrkD57x=Ze{})twk6LE!t^lgOOW{aZ3so;?!Oh^kaC7(~+zoyXhr%h#
zt-aJirRQY02;Kr!FFjWv)36?@y`KO_!6%{oZ_t8nfjdH#OD&YXI}~mN&xgwI<!~%~
z7AoBv(O4wUeP9V30OhX%c7&(E?(j^gbYBKHg?B^A&2x|}gx-dd=S3?+p)=r3P|qnn
zfIPq>Apb&BS5f{sv>!MX^YaIWLKSfH)u9kgH?#sOAMZld>kbE*oD@N&cL7v-DxmVe
z6snvrhLW3?VL$jIR6X@N*z(g4Zi#ssRJ!(t(g!EODey%&25x?c>HAr5Jm$lp>fvrU
z4)!?|oe$^19pR<01AGeVdCx(W=j%}A^D!I^e}Jn0o&I9&Wf#~P^TSZje+nue-48SQ
zEP(RA2UPhsK-J6pa5CKFaFc^w;Rwt}zy^3L+!_u#A{6Qhi=fgo5AF%~f~UY6;f8S5
zk(SQ+P~}?=Rlf~T&p+6kPxa=@q1w~kP|tY{4u?O(UU2YH)}ALqg`W#0H<hq6Y=M2@
z!QTB$?|uzbz8>`U9gZd}=Du(atbx<ujj%ub8J5C+e<g3Q4i>@Nq1u%?X}Qmb#qdIy
z3qOI%U+-hBzuggTkGUF3K8}Ktp9`VN=PtMqJ_wcmt&X#L9sm{3P`Cx03cJHaa1&S!
zRqjb|UJW~7J_brokB8gBt6^981eE`mz5V;%zQf-vzV4n|dFDdJGsd&bb176g{0%C-
z&%;jebvO{d3ngb=jyJtA5q8I14&|>As@<hv7@iE3pBrH}cpuydJ`I)LSH1g(Q1$wq
zx8LLhE0?}d<vR@ag!AFvuoCux_rP-aGMos<pJ?ezLABFMpwjmy><zzwJz(f0Yo|S-
z!p(xRKLYAGr$L3g)Z5<-hhcu$yZ;1xVeWFW>7jmbH0HhFj_`Px2XBT$;RkRC>`mj5
zJWqkD_XSYpRtHDHrEmhg*xSDi<?lnd8T=h8AH7etdLIZSXT#y{a2y;7kAo`rd*P<=
zNvQO`3pa<~!!2Of)2tl(L)GujP;yZY^WiF}c6udL{X7blk9Xm8*!^@HuPuaXAFE**
zycAvse}iflSD#`1&m&Oz`vQ)Dxo3t#5x5u@!#kkb=>}(^>tHb)51XLs=Q61JxfOPV
z|AZ=!r=arrE>wH?5lX&t&Ng}M26w=m2jxB=j)VI^R9Wa0sQTUJ96t_%Va!RGf+s`O
z=SJs-LQyyl4u<DI)!)N#A$$T#&Ig=l<uL*d!n_!64G)1T|MQ^g<3^}_Jq#spFG1DY
zhj29f4ywF!&o@1}0IHl1gR1ANq4NC>lzjZ)&0Q}r^R`g(I0~vgFNWK~3b+kC*qhIT
zisvq<c%Fr-w~yd<Fz4@99{pi|%+uiZunH=^BcS}Pf&Jh^Q04g!RQdF}(8BkD3O^pI
zJQhQxW4Y%kQ1M+4T{@u3>mw-tzeD-&cafRLLzx%CFib+le=<}(+yqsw55Q6IIjHv1
z`C<#-9V(wgU>{iQxeuI-xfx2{u7?xh1D>HZ$U5dpun^t>RsW$&Y@E3}oP+TO*adEI
zspV&5sQiTCUT`d|fhWQ;_zRo`=Ux^Hoe$51`@)Hr+r02hI2UuLE3BLsz_FO)Q1!P4
zs$Ja%bK&Pu<+k~i*58kW12D&->`#L8;I&ZgD0G#z^G%`J-B7p*j6%hifCca@*bTk`
z<^CB|{r?OVPv5Jp+=h5gf-0vuP;!3)RQ+BEw}Q7owae$B%KI%Se_z9m;Re@Oy>*9*
ze{<La=E5)>4^{7bLWN%myTfC={aH};c_-Wh{tClz!L?Qn&2R?h6XA6DDpa}mzs}_A
zASk&!7b?AXLgoJzsONkHmChfb%5{T(Sh($=%4ag{40nYJHy=t4mcTA>8BD;{a3%Z}
zCSl|CR_^b@5tui=!Sw267{>e++z|G>(bxwn{%xVkb0|C?j)N-im*M8{3vcdlljWx`
zRDMUpz2QmlB=|L44F7VomG4`y7v`K>EI*q<<!>vfeB?s)?<3&E94^=w^YUA*{Eml`
zlWSlYJ_Y;3uc6v;@7t_B4u?H4?+W$2y<i8}07t{6a1LAp)o#Cs6X7PeTf8&jPMBj*
z<$f|$d}n)J1-Ha}7aRm%hG7`G!_58R&KOJJ*6>iM@aIF7-*qq#J`8)qAE4Stmpd(=
zBVZ@YrBLOvJ5)WDLzP!GRKAi>;SYmbz|*1fa}88IJ`4xK7d(H33fKQGle<xHQ_Rz#
z;@ur?11sUS@L;$DJRd5)2ci5w2PF?5dHx2KuU>asItD?dV+xf0?r>x3vmWk>dBr`n
z0eC-DdJewV@^KQ}1@js>4Son0z`^%fe{dkw^RI?_{(W#fd<pIjd){yQtp*Oqd=o5!
zAHk7u=mXY1%i%Q4Yv2g@37ibKdJtU(_k>hQsOv+fmmh{(W8UUrlZOegALeOrE4U9-
zJ+*lEL!kU04Lib1pvw13H~`)Xm7X`C<h$o1R&Il#%3~_*0p~;MhYHW7-u@t{_>YH5
z$5l{r{Rqs3zr!hT$49OFqn<0F(t83N0<VJmz*nH;XWT!n{mz9&n6H5H|20&3Z}OPM
z*B`1L#=*{T7F4>+;4m14`S29j2|fT7|3Bfz@Exf1e*q<LT_3md$%SFeV_+A!J9Kgn
zRUXw)<*^JZJ%>Tb*O}h^S|~Za$MZ=jf3HKO?;AJ>c6h?ZHA7$?=J{|aJP0a%S3y1Z
zR=5eg2X=!`K;`!}sP_CGRJ`BAQE<a2EqxQ9(pv(%!9Bfw4OG0#;1IY9c7>NgrSk@;
z{5%Tv+_#{@f9}n{K$TbLr>uPrgmN!}vY!t-z$U2jOF_lI%JWFilVA_*&xK)lHS7<c
zg38x7a0j@-(^k)epwc%H%DohJhY{EVHbJH1AgFeK98`I%f!o1X;d1y3R5>S}F@NVl
z$=A(r7<>*&PC7hm^3xAW&Pre}xDV_J<KBD_EW~^wl)S#^?YDZ)!skJ?uf5>`uo=qV
zx1QskxAHy!N}rzym9HydZ+JT#2%m&{{`XMjy5S2p&+h>{Vvaz`d9^p!LzU-JsCZ6-
z+ru?b<@6}r7QO^kK0iX0!xk^v^G8Cpj{+z;*cU2%9aQ+^pyc#yD1Vni)&GM~{@;VD
zhp(ahcX`S3xdq$;^H8XK7DB}{A1a=Gq2gHy70($^`C9{}x2}Ma->0C;<wbA)&9lSH
z);_vI#oODPw}q0+9iigi2`c|Hq2#j$%74P!9|%=X=Rl?7UC*ze{Qm|e2c2KBdg%)l
zekZ8*ITp&_6gU``K-F6kZUhg2`@zGZ%I6!X^7s$z3%kE+`5XkLU-RL?umm0lAA?81
z#jn}A-TP4W*za|d`w4Jo%#Cm&yc9|f-iJ!(Pf+sF;SIAN2vslRVHnPXN`DhndR9W^
z>twhuJR2%Mzrt-`$2V;}vptlYHbK?TA#eh`6w3d5P|y7wN}jsEW$7FNTQJu_xqkqa
z&dzUJ``#3)oehApuYr>HBvigy;HK~xsPvo<Rd07emG5IP7rp|O&kf!&{ktVpxle^>
z!+B8h^*Ic~?_htp*}E3cSSbHRQ1O>}`z3Hk%#Cn!cnXw!Tme=8cR;1<L%22U_?{o9
zLHRF%Dz|c|c$Px7$J1c}ya7&yKf*C^-1|0uXn=CR7LJAALg~Z7ADG<i3<qIe02TiM
zP~~+T><BM_+rl+)JNO_}`F;SEzi;4h_-{A@4*Sr;MPMJy)ll_%Ae3Am0TuoP&vRfW
z%$Gr>>lzq_cSDuy+fe1S!AF*^O`*zTN4O!J1XT`&urn-&qhSr)9-a*)Uw6Z4@D~_{
zlRvif?F*&Xm%%}B4V1qpJ$rq^UJ~X7@F6(&Q^wM8^Uq8!zl3T(xu4rOtP0M>d>d5$
zH~PZ*ss3;Z=IL-cJPh6sANS_tzqEGw5*&*C#$Q>vjEBnq6sY{pgZseU;coB-D7oJ7
zYwQ2|c@Bdrry`gS7sFxjC~v+MO71>}b71dp%>NQN3-dDA58emW9^QZp;P-GRSn{pa
zPYO=Od@58uyaW~gJ2(LD@|~@FRYKLrWpEGpI8-?e{ND1Ng7SYUl-xZIH-XQ<ZtzXm
z3w{oJ!+%4`W3L~qK1V=3e?C<EX@ouDU!lUC?Rhm+_<NxIJqOk9zJ{B_?mt>QJ3zTl
z_2zxNxdrOEr@}D23F<j7K|SYVSOkB8lHXl^viKvOtD)@AfhzyIVJ`dxO7439Z1S`a
zs@_h3lFNHwU-&Vc3Ud%jmCH1^87ze*Fbb3K8mRIe@QcY&0_I^};kgDX-Os}@@B_FM
zZuP4@=U6xv^BTA%d;|7?KS8CZ^KZssQ0|N1R&Xg)evXBT|0cL8d>C#4UxR(%x3Dwp
z`n&CG^@jDB4}kLj2~@s*he}`Xf14he2_;9nLCH%BDqW{T`M(sZ9`A&D{&P_J<$WlB
zpL+XWU>D3A|HsyiHiLDTcZ1i!J0T*>o>7kLCzs^pxP7iO;piOPp!(-Q9dg`$(TPyy
zo!im49I9PC1pfgy>tyjf4EMsEvtf=a?|onc=BHo*oZLCb>4(+u49pKf>4_y>azaPK
z9X84dT>-CxSHeBJ<~VuVkjd*p%(LJmcmbRU--P?Xew*ZkR=^cd_3#ZG0=sm}adI&l
zF2P&@kAU~X8aS(aj+3+Np~~-GI1WAoXTpto<hc5o4|m0UB$U7Bp!CFhP;$||XO5GT
zoji-6>T6%P9ZbTJ@Fch`d<ZJs2T<)Lr&o@X{{c|-ISFnJr$NbMxpzMTD*X9SdgN}n
z5qto4fKNi{m1m*k?=7h3egqGvUi<aV3H5;&Y-;(rb+a6&_d0H#<Hjp{!m0RQ4OKq(
zz++%8o3_f&jZpddCyc^Rq1t09k)8%0fcwL}`{ua)#+RVvbi|fc-_u|M^XpLMJFlPB
z>*?@J%wIy4>rq?fxc!71pxVbTQ2J!}*5-dPoPhaSsCM!hoC<qvWBD$HDvv#&^upe-
zD?A#i{7!+#!5g6TPT{sD|9eBp(+%F-d%K*_D$M&qwY!huj_}`5@eB;-xOr9)l-#U<
zx$s&ThOa>Bk6)n5ZL|J4ZX7Whs@|)i^u>{|8$2I&hgU<@>z%L^J`5%QeYejE&4!Io
z?do=@avwav+SR>qHRdimSUWrt9*y~ZsQQWzwCBD6Rc=4Qjp0^1n%oS6(odtI@;ejC
zeP5_@+7I@FheCxv7b@NNLFuihq2&5I&mMzv-2TfDsPvu>^I-Q}OYbD8cn^h&_iQ*2
z-V7Dr8&Gl=8l2<$i_PJ1j74w+Y=$bYOQ8JS1l9f@gNpZEZ~oPrd+(Iv`o|&gQrxFN
z<>Mn*4mTcR@>2(;Uy@Mm?;5E7=Ow6c{fAon{3nzgd<4UA!#tDsK`?@OJX`|LgsSIX
zp~`pDeB&Ufc0LiR-R}Xrz<uF?um&!JA40W@eTG?kJ`x^*`F5ysC>(D2ZH8(m$3e;6
zEl~M;78b)Fq5Mx8Vfku=(hsM?eE2Bb6aEaR!1*Js{!f4vn9qUIf1y!1ZamNvhB0mr
z$HPK63LXGe{?|g)>!VQZ>V2s8JdI99`B?!~z8Avf@G+=-7ml&?+z01j{szv41!Jw9
z9S>Dsk3c;)cbwH%1ghPf1INNk;8ge~lwRC!yvgfOI0N$pSO5=!(x(qV$<w1y>3<pa
zhTlNdOUIpa+<CojunBVt-UUB^_3)wzIiY{UUM!xU2zyQ<T{+|r&cgiG<ebnAaL5$v
z@7{*HVUF!$a(_EiyL$&pUVefqzaCSqAKVE_4&zYm=vJt5{0Mf1y$f>O_<9?tcDO5?
z46ETZcoD3GA3@dgtZAnAE{1zy{vAr*_AIpedKw;zIlsvC-alXm%&$O|#~V=k{X?j7
z`U%d2U5icMmBBMGC!zdxo1Ww5vD-rBy8^2IZ-8p=uS4}W|AFe~kC~C<&RsqVOEKrq
zwD?y;rRxzWd7fQj?f*ciaytng46lGU!n|FrUB3sVuRepl;J;vhxbZA&CwXvN%)7xb
zY=UZ^CqU`%tKn4mB$U4CG28Ub4p8+p5pDx_hmyk-RJa47>h)Zx^xXh=hmS+WKVVKy
zC=RE>8h9;S4ExTt_LPKb7ni{O;g0i6pI!hJu1BeHHLSq=6)b@Bce8Yz3=1(|1Bb!y
zpwcy9zU99VcE%iqjj#bK{jWpG)rU~&{su~}HY&678|XO>s{Tu$%4KgTIavya!)7=V
zu7T=LUV&<7A3*8*@1dU4Z-KSbfu18hcY%_R*--Tr_dEeEz<fPa`nxPNJ=zmWFKhu-
z4)dVo=>({He-i3>Z$s&;&!F_ucDq};7DCBu6_mebZ-0=t{~J_&pYP4LL#6L=m<zvx
z(!YHdS$U3xJ7B&5{tZ3^HILeT4;we11=X%!fJ)zXdz!qAfGVdMQ0d<tPJt&urSDm&
z{^UI<e?NKq4HsK{eW2tn0=Iz6;aqqeoDbiC%Kz}aEFD!)<#jHU-gp}-+_rn0J{$w3
zC+9+?zYI=;r$gz3*Wdv7zGs(xtQ>|y#WNkMJokasuojMkPeJMD&ik62ZRR-?DqIni
zKHdvT{!(x!csx{ly&X!wz6zxmcPuyi1yFLIgjMinsPWs@OKg5n2oJ&>ho8f*q3Z9A
zh{dyEg_Xx>xGVO{p!EE`Q2kkcrNw&;oP+rrSO#~gvVQU;sCv2(s(fyMVR$E$yu1lj
zZ#hw`_nvSE%-h4Ua0XQV4}_|>Q{c1keK-%^Ty5#=Tw~=?0?)=i1$TkHYIEE^@NQ7;
z?*pjv?;Epm*#OuZ^XX9Xb%p20a46=1`&l{8hicbLq2%pw&oiOq^=c@&xd*D<ZBS?J
zX(E(-ErpWXi=pCqA1Yt}^5&lPW*!LTZxWQhl~Cn$Jd|F&9;&{d@$O$k#nY+5?6-!h
z--%H5SON3lU!nBSZBY683`$P=Hkuxs4tK^}4W&oUhl=M?sCb@&dhX9K4Ew|_+<4d@
z^Bz!gxj$4oPxa;-y!mOUe0&MRuve4ydn2Lbcrlcm90pY%r$WioWl(zfC#dJ-EVXtp
zz;hB*x)wt9=P9W0PeQeaci?U?FOd_v5Uz$A2M$PDKM{jXm>-9d=gBFP)3c!J`64L&
zaSJ>YJ_%RB`OP`*yzbL*Z_E>x<%I5rr$O~ci<alO_4$XP+;>}H<I=0)e9SLH)!UF3
zYoF7g>g8}a7+w$efNwyR|JePl+{$4E=7ZqY@I9#V4z0BD%eGMY-yf>I919!a>rnb*
z)&Z8EDmX&^pzN=NiswNnd43P7{C<E+XTd7d_j^FqV-l(zoeEWN7eJNQKfL`zQ2pF9
zP;&7Gl)ryL$z#_8ZT`A5RC-ge2Rs5Q{?nk!={9&W?6%t4*Wck-%<sc};Z_IP{9=Eo
z`gsiwfaM2Uzj`Pfg!wY4=R5<I&iCOa@Moy<?sSOh!(p&H=DncW!G2KbPC)f{heFBY
zx$tOsDLf61Iy5JA4txwwgR#Gu{9XxP#QY0XI-WVq;{TUtm&2`{_kl{+P<St#3MF?N
z9AW)IU#NN-4%H4y;DN9X9soau55SruZT>s-D3hlvq4NC-RDM2(%Fp*u_0#EStH)mO
z!W{YqC^@+2uU39<LZ!RoF{Uqu!eN*f!y)i!sP=agRQg_kDyJ`D2e{F(R&U+lBFyuk
z>gN(~{}@z$x*ccbHVjIx5>Vr_RWJ<CfurDEa3=f~>iHA@X7ipJI34qaQ0e^?N`Lh}
z-qO7@R6kn-Rj%hj#d9N6JNP%${B!sTR=;DR<YTJm9H@4%7%HDjJ&%SO=UfOSH+Mok
z_i;EGeg_q9#EIrU6RMsU!EUe)O8>P$<>w+OJ@7PCd-xryJiDD_?L8OjdBxsb4%NO6
z@aEH@(sv`Qraqs9(xYQe$q9W74~3G4`cqBrRzsEB$#6D&4XRz`o@VAFp!%Wbq4Mzw
zoC-sy=Y(oO0W61?!>O?A88+{q1uHOL1&d(MGi~0r5K2$q3e`VvdR9*8dsqg4gfq{!
z`PVMznEc%YyI}u1l$?A3B|n|dHTfL^RgUAJ<ggfagjG=W5rZnv6>tK)7|P$<p8tWW
zk8RI0j)W@T=}_gr#Ip&iT^!_jE}V<`4ygLu_<ZYE#zMt+091J$59NLdoCu$VD`58v
z>^VokM$8vLm1EDpTR+_dC8rm_KJaF!_V5%`d3*&`FF(T>up5nc5?lzSpH765o3o+h
z_-3edJOK0HS5W1%%|$le7z&*{Lg|GTsQ3?qlCLwNYv(YG`30!*_z^07n_X=A9tst1
zDpWZxgkxYFO3p5ZY8Riwo#9SvOdnN2<*OO0|2Yt<9FK=x;YCpW-8E3@cpOTfd<NyO
z@Dh9OA}IY<4<+ZTpz?D()N{{<dd{m*;ogI)r=Ot8sr#i?E?YsRV<(soC&A&c4l3TW
z;r8$vC_VQqRJ<=jrS~n*Pd$HtDwoh@rf)WfqcF~Zs^^uk0G<Hl?>VS+eGHY~|3J0t
zZ7;Wa9S7w;AF6(0P~~|TR6XAf<M2}`{kHfDYd6P0>6vTcJoq|P|2OnXTVL26D&9+=
z(s375exLK^4`CVRU*UW>?<$kazr$TI-v<@G+toRt)8P(q4|pe(9@^p>lZz@Sc|Opa
z&-J_oj>P_1C^_wPt<}pYn8Z94s(f#NlGnST+WQl5Dts2IJU6}0>T57m`WM4tumP$(
z&VkY=PeIASH&FH2=^xhabD`>eJd_;NK*>i7RCyf^T{%Lvqt~I@+h<VE+wgjeZ%eoX
z=1EY`i9p5E4AoB^0(0TzQ1Ltmm7jN^^xQ{qL%8t`rVo2Vna6wX0y|@#4khPvy?HT|
zTvk9mzZ&W}e}(dQ1Jv{GfnoR*+!KBcmA+kXG%kWF?<%PD$DzviP^fs$fO`JLQ2wrh
zlEYiP`CF*?eusaBU2n2-Iu)utUk8=GC!y-|JE--LoSSXEeh|C|^Re&(IQJHd|7)oF
z+v!%5$JtPN@O&t_{uoLxjla$6uN11@E1>L8hAQ7Hq3ZK#sCxbdDm|OrZgMaJrZ5*k
z>6M$H{67q<;WuzgxW^s#+yvD8;y$SI>2jxy2R4JM?}>09SP9p_d!e3JdzU@$Sg3M7
z2ks58gOaE2ciZ@+Ka~3*sCt+PrH6NeJzyLvAFHAAdjgdHxF3#&??UCH&pkPz*I_PH
zxK8()KH40P!CV66Z#C5Oj)!X37eSTZ?NIvkIjDBr>prs|0f%BPfogBdpxoC$^}i26
zm3z+pW<L;0UW(x;xEk&YuZK0T_X9Ss*&nK2Uxd;pJ3eUU)lm6=3QBIifa+&AeaQ6J
zJg9V6!H#exR6QI7RgafK$>+0B<?t3PfM3C}aKytV-?dQn)CA@46wiyH>gPtNa(@JF
z1Yd<JzxSc^*bh+pWWXbqp7~JWVlWI3fa*WafkWULsCb@*v*GKo5DtFS#vKiCA?7>a
zPO$esP2Wt0s`n*O?fpck^12;Pg_}J_JUR5saC3OZ<J1Sd<_TY)PujS+*Hbo*TMShX
zcR<zq4o}<jCc#}W*FeepCGdUt1ys78ea4=b`>e@940gi)45;!u4|ayvz=Pn;Q0-#;
zb5?JsLe<+9P;!1B)bn44Dxa@m6mI>z^(%+K>6o8}jj+!Pmd?Xr3+C&f<Z#G~)?R19
zLoi37(*H4(JmkM*@$CVJV_pN*4qt*Q&(SZNzS###&aZ>@@J+ZB&U(el<xV&b^Y2i4
zZOp6I4hvxzbA{)jo)<yM$%Akh{0<I;170(EErBvG_2$#O`EGCiz?-|hZs{BaC9ivX
z9t?NHyvDmf0hQk$p`IIl!}2>9N-wX5(i>;P74UYb{EmLp;*UU;&(To!w?mcF$58TD
z{FbfnFNd=+KM9NAR&QH*FM%#SumSrgp!Dd(cP!lt;UdiY!}H;@P<lA|uJv0V!!pc2
zLB%`kJ(HK?p`LdMRJy;1>X#edw|Y4eN)8@@(rX_>mBVjvCfxA@tG76mzPbb|U++St
zZ<i0P-R=n`pY>33c_@@zp9N2VSHQ#I<d00A?}zgLGE{oMf@<%hKel?E>{$t=H;#gR
z;h9j+y&fvPPry#_9jNDi<lX-R_53YAv3--l@Nby^0>6ZteM-I3&O3Z&@*V!%+C?Kw
zVE-{Z4S#!mnG?DReh2H|<zJaT-r{Skr)KyH_U}RIqdUJb`<!pBJ;h-Q_TNJ3jr#9Q
z4xWeq#60Bt9Cz;KM|c_LPkzV=odr+&F~`04FzhEAhrA8djwk$V^Tx~IZkW6M%hun@
zp~Alb`@<uCF?qZUj>G&aRJ^@^&Cx4up{wC3aQEM=+&+gY-;TeVTx<guVBQBR{6F9_
z_$k~7M*eN<x^+<Ua}m^YAMoZ6q3U<T|5$x)17~3_gldO>g9>+pcYhwLo&5q;pM63b
zxc*@qxC`dlP~*{K;2?Mn><C|io59y%2l$OQ{{W>=yXI`*+GTG@wYndw*!>>f0DZ)z
z-*Mh<oFe6SYv6}S-^2W}_a`^1I@IFbn{mI3>rO8HzJ&kcdXD?U@Uxh3TVqC@x_<ps
z?{5?AkMMC+b078bBbIL7s<_5@JJoxVYZ>M+?$>g?=i}*x-Pzo~4)1`M`#3km|E}bP
z=||{g>?d-mzW)P{#_zLSXW>?d`AhEg8{qjkEW~~YmwqpBb;s@o%%6Ebf93ut?4Obc
zes^%~?8{E_5hd<!Tut0>fW2hvS<J!jBJNib*AT9cvD}yVF6BCt`{A$;_HTL5n-cze
z%wg=0gqw5eHyE>i(r@~0h`+1hYTWn4t-p6a7JkL`IoEMM>>WJ+Mf`q%o%HSd@HX#8
z6LR0A*b4I;?$y6;3hObS$Nh&~yI|Ju9l}k-{va+?m^-8PFYI^3einB6Nq?Mz+Zycj
zJJR!W?>^0!TNnHs>EqSd^dj8H<M&kWZ+rX=l{<C`?9?tF<YK52%J*^XfjRiS&&@;l
zJ;y&Uu>Zo}96}st`MA{<^*aJ{j*kl!7&;I09$Xi-iDRq}M>7vG^a$;P`8E9X;~v!;
zx&$*r5BK{Wd(@iym0*7i_Ye8-vfK-^bVKmltIe}yKb30_ABW7{xL)QON<5oje<+vQ
zyMD8{N6m-+hTBxQJ9gu^PqvBopV<8cx2@qw{55!Y^)C_3Q?dU$oIrWx!@Y4IkKLKv
z--(}FxPK74r?^@~>`zjBumHEyU|+7+u$zs$eyiX;*i9kM4=^9k73De)yZa$(D%1zJ
zPMG!k1he`H{SGJWt6ZzO^c#=AzuIm3?}qq4*_(F4UB3Z_(9VP#;_aTt?pMq|;(r0p
z%Jp&fg=b<{45z_uynjXU2zJN9Ib1!m?6>BgVMXXfuD@_i;nMFs{P!b{bIlm~1@4M@
zUB63l*n_w>Cj7<RPlV&Se&&8V;yR!EE4dEjKKLEOeLjZkV3e!YyM>A87W}TjZA;k9
z^(^;$!`@u#v!BH8>D+6atzRwok8<fZlXUKi`#11V%md-UTyJo7#{ONX@yf;c&*kcf
zIryo68jYWuxKdmdxM^&64foT1{7=I!*dK@8DDKO-pTqrK@OsP>xHjc}TkQ1P94;hJ
zSHtJ94}SB58+boqPUZT=hxsR*hFSgNbgnH3-$d9uxwgmtT-@{I=HojGJN<s-+Clf&
ze+2UJH^av{8@s2u--GJ`@Bc~se1rL~m>K@K-zfY|@nJs0W*qk$a;0!T%-i3E{Ucn*
zVz)7NGhImX4(IuJn5Mb)yk~L$lxr{Yun~5*`ZQ|{bOPqT`#8Ucn{ge8T@ilg;oj)|
zJ`eBbT8w*%f7a35^Dp!T{$JM(ziIGv{1H4f7(Rx1KN$R;#P2njkMtJ%;r>2$yK<Fc
ze==7;0>6N{pZ8M+AHZKRZiiq$g8Pl}vjgT%T&0-xJCW;M?!UusPwp88y8TtT{fNEh
z7&CCY8v8uLf5m-g?#IgmzumCYJX*iIvF`*g#gBd`5&nJdN5YNae%S4aAI(=Df(OBT
z>_-!aeq*ugiupe7JHy*C=MlCX2ES9exdXR{U@zQOa0S1P-d{H#-~RY3^X_|bU&Q^*
z@ILSFVbA&auOO1KxL=O@Q23~ibc-Nz&qHz7uOEIkfx`*=6n2Y<>vZh&dz`D($1U@(
zxOc%{N1v|2*fnGK1J^c$nT_AGxsK=lLAVvXjO#V-Q}``bB>aZ@@RisP;+l`2GH-V+
z_rY%@c1tnrO#ByPe>i^I{{Dj7g>r*qvfMwyta->7;^=_A=Kg=r3fznP*YGnI_tOaf
z0{0tnUC;eWF8!F|gzB>5l-&~CR%17lt0!UW;jP%0a%mhs3_JY}@Zo;Oe~kNH*nh_T
zrnq&5lX#YXMet&-IChKiv&h>!Hy?-YH3wOM`$QlA)3W4O%QeE=z3lz3aW3}fFT}ey
zasGyJSFTDQf1LZVTu*y*f5Lvrbuj+-;Y#3k6#R%wzvJ=u9QT)Vzc<&7vgCJ(!TtTK
zkLz*bS;PI;_)mJfGT7UvQ=b3L^{IF3g#EGHpT>1P_Ol4LH+I(%&;DHcRdUVs{%gG5
zQg419|2J}f1%9?9+#If{*sa3uKiKUKKgPU0_uq4s5Pl|p^m`MxpST{ut^_~Mjz33Z
zeiQS2+}`5SZxUg);`#^X$(Xl;Z~HK#eVVGUe-itHF<;~DX8UI;j)SnP(+$7#eb}D(
z&++#$cnR0H*lmNK$GA4dd^_gTxxa_|La1L4?!UlZzqhz=;r?rHmfd`w^^<P+J?7Ig
z%=2usc54Xdb3cmk`*^p@x!;6qitI`IB<yeD{tN7aUk&&7VAu@zgbydTIQQ4WPPkvf
z{R=+Kg>vL~19o${CS%`$um`~zm~V%d!oR`&@%IwfF5CydF5I7hVE|!{B9C*Se(!MA
zV(!mX&ixhm>x<jBa^!b1<{fc+lxtfq{mOWbew*MgfqQ@Muk~)da4W#B-uXbEVSf|X
z3E1iPAKde}cH%k*^L4mQgjyrnjr*DSI~TVLxq{zi*z4Dy=WU05H~dWET7vxm%q$Ir
z?&5kByN$TM;(i`(4_h$z_gu`~xURtM-}u>y`~A4@$+acsaqvd253#R+gL&4$gj~hF
zeve@PDjeZV=w00B5$<NpZ{cTq?q7me<F7AQN6bIN?eKRB_k+0Vx%S2Xp4czs3VvI1
z{|0U=-~(I{?r-wX4g3tl?ql56c>C?S@9rHR<i3z=E8PCU^$LE!#_d4wo`;)$dvV<+
zKh8v5V7~yr`rY9D=zg((#@)DGh<!2U6X2oV?|q)X;<uWshHC=ubG`j<_<!5SaV7Tm
za_Lv+xjAK`-xSQ>`7qNkcO}djn5(&(oe%PYU2pt-54Yty&f5#SV1F2we%En*$#sj5
zPj<&}&EUEKKaJSu5Plb){SF)mbA38?$89S2JHXyq;T6Y4T(1!RD;fChgTI{#|2o$W
z+<yz-#=VB?8Nzme`YpkJH!l6Euz%6p{{rJ&C*$@a_64|a#{IioE4YTa5Y&@T$2^{)
z-xl8d1YyT;zuK(rFMbLLt6wAB0QVoff3qbG-n|3%yI{FLY{KpU@1ZksEcW-qd|EHS
z+#Np=Z~qU%oPyg2*iGktPoFk9?~a{*?{a;Dn|?2Oen6O=Fkb-&aRt9O2y+&Ge!yZ|
zUBq|3cc1LzyB9WK*Mj?r_|^B5SNaH+V*Zr-KHhw%4<q9-KAv;3p0@+`3kh>Qc00i{
zyxWc3AHe+)aE`az7{B-Ud&Q?;k1TT`>6py50ngl*YdP-A{qt{@nYhNdQ1)j4=I;2{
zZzS>ji)$eMM))w>cn*QD;&u{OPy8+-+|S-^feTHagxxvVl@Q;(-0Sxa{tttfVZY4T
z;E(&BxNi;{xb!;%cE|1k?z{T*%<%k;IF7)6L+|%H1>kok{s+S2vA+$T!L<c`cf@=d
z_ZPrY;@Aeet1#==mFsACM;>q+j$1C~*SY@A{lB@Y376!$iufzI7UK2<yqT+*FyHv_
z0q!P@eiz^#{GP$?4GcGUi&u$HzkRV^$^9=}fAe;?5^hK0U4Yvn^A-xj<(Ti!it}FV
z9>eZHF8zM<Zi9*ELm$^kFlNr76#gplvkbd1_db|&{lxnT;dT`cqcAV!{!K3ZHuIiO
z^xTN_J!4Mp{m9)h>sOT(=|aNZhxu-E3dOj8oaYyKzmY7z!~Jt!!tP4^{OZjL`W^Qp
zu%F9)53bv}4#CeMupAa<`5leFKG+T9n#}zK_%{CZYvMlp_n|kB%(DCzyWO}x$L;|5
z9&sGb{WadtGVGq<J{S8QJa+@A-x99hxn}viP4^6S4Y%`~6RC@alg)`}xFy~ku8k~<
zhL=U^V^!f)tg<eeN``ae6{$$9F;Y>FODqzui#5hlgWHWO(pVL)j5k)tYKV^*YNO$b
zM0|NNn!q}dh*qZRTk_itSy~^BB%=zPid3eQltegE)xe{YsYE0dPploR{p^&+>tmHI
z;fh#eRjjclJZNBUW27NEI5{Ysh^CqojU+1(O*Yr3<Yad^wwtE*AF!Y{mJIVR5>7>v
zsc^I*5~~lV;^A0hbv)6aln*825toNS6lSuyvND=XRyWtzw`3Piq?zJrOvUOfisafE
zRAptSq1ZiY&h!GJsfuR%&-P{MYg`sfMN+YNV>r5^DMmiS19Sb|;8u^y4!UO`02R?_
zBN-wN)nYunUp&@G1hw&GiqPRginz{dw>g#K85Pm`_;PuyiKfEIR3t&Tb)`=aK@!M1
z<&lUkZKf3MDV4R6#u_JviEvXSnOq)ERD~&2FAeGPid0s{n;TR4;e|+yld(3bNRo<3
zxG}ms9Zh?QnHeKX&B&$+$WSi>L4lCYK{SdID~0~8TuZ90imT$$WaFSzn3UEHrB<3+
z!fFB}K4mGZj@MH%62$sgV;x0mdGU>6f)bFZADncN+k=T35eipE8XM!OaAn()j#R{#
zMTdr)g66WGCoY^nn+H-U#Fq%#;e@pxRYhCZvwU4pa_Pdi8c9DcR?`@#NK$G6PVV!=
z3uxjlYc64G7p6Q^ZEHzfs~om{tcz8G{YQ_JpYWf5oNEu(N|#5H;Ut0=u1>@ooaB)2
zSaqz@S_+D$G1(MPq{5T*j46TYm^928O@??ovQ;ze8tUq+tZjz=Z_06<kNf|&{6by-
zmvReAET2+w;r~zcWT@-^fevv(oYrIQX^_ysTx7eMzC>cK78CKpUYSt0Rk5}Q+Pn0V
z@B5_78t53})!{+4w8`Y;Q4{Imn(0R-j~J96%2l=^G_Xj0A{wc3y+tE^CfbpRB0RB{
zj+6%tL!(s1mk$n&4Ohi#VyWcN@bXwy)b%e7O$akxb!dFrO-Zec2M%~m)rKQYO-ULq
zUH^=DyoR2=z^hl<LOc;FKnI|T8=D&{c%(x3tYFPhKuPkwC?%DT_hdAZsH~++Of<+S
zwK}XO5pQm?$B}Y$bybvsL_J-n&tG%}y?ZiLP*@g5S%nG~mGOV9B;)mz2+vQ|;*-*F
zB`q}?tqK*;mo}wLDZ57NY?8_Ff_NQWmW#!8x2}t{S~7)1FNI2qRFlGRWiw+D)IciM
z5DgD8edek*oIBlB(S)$o&xmyWjGUN^GB~NC&IXe~dq!2XG3FCR5)#p6F}fU;bbVAM
zBptXi8Lh9**RX~MmZw^pqWS7>R^gCJ<T}TA#eP)s;8j7aJ|1MOsyVv8Nb*%CiQK_N
zW^t6)N08ulBBIYo{6S>vNs+Q5g^A429l2spP7KGJG`xt^hbtnLb?PV@qxIpYM0^>N
zm`J*GV@ky<<J7p5wAn=krLKQ0D=eAg3Q^s7xKIN|H4LIt892+?@ya?xyfIvsLJ-$s
zjp%sq^?~<l1k4w`Q-~2iR={T}whX~_qL~agHz5$dsx(TXO)_q&iIS|UDsE|j^bqlI
zS=sb-rks-`+l_Q2+_H(eQPvD6>qT=jHVjS@;VcVEYMvSylAS;TkVBd+gG1V4GF(H~
zW8#sH0RLr-D57N2KLnddDwT*;NMlS071T(EDLv^3wb|BY!qrC;Df=7FEz;O3F?fOs
zl#xAc5XW#ue1$d8D(6hbTTp~GL7)=GwCfC_0dLy?iz10e!ml&Ta&ylLrh#L1A{M1-
zsaS(iF=EC*Ai7NBP#Y0d#Wm7O);a}=zDXd{)Rq(jdLpB}RGZb#QuCCU(^VBMP7jw<
zm1@L7%VK!NpcMs9t8PxjQjA1nNrrG#MPuBwx|2uAg*13DHYzES?k6b{l=@^mT-PWe
zC0H>-d7>#P$`2Pst0PP>$PXdsp!2FCsfct_`(YHM)U_Lp6J4J|yH}G<(3C8eDvOeb
zCz}x~YC6iS2tg-jLEh^Wz0_OUf-Ewhi=l?3iYUvfcp@*^6s^>lC#+T&j!9WHAV}7%
ziK4-^KjmB6G2+^bE3cF$id2!!qcUTtBwbmhbCH^(Kl4Lh)odGmnwL?ic^QqGH)?RG
zps^*q>!JnWBx6j=mI`mzMYDn$Kvh~-=pW~6kml%SC_$bjH)H}$rJ;LOw24fsnUtxX
zqtsGmJu}=t^g!crQOu1uRtCP^ec)hCxy)tV`^~m8Z(dnC_h69e<iv`6UG}X44?^5x
z$)@^9OL#77!}1nrVHZOS+O;}b*-}ZC6V3JBOAAHWsE)mYAxl$&i2y+pHLj5{26ly}
zB4)NN-I1h0IYp-4_Wz>COh3RP*JCQ8h$W+=KieCxQ+mi*Dy$h1W2;6Yq(Mg$tW-2K
zV?#5yF-o91!^>-9Xk9v-N=7BFky_`E%r9|cmhy(E#y!c}SW|g*ELvZ+gePP)3=&ty
zjNWxu?b%X)8EdH{+J97fBNdN_<MoVUT02{xH6gr`PA3^}r2lU1p3>MR+mgn-yOwB7
zMfn~w6Q&(!OHw19MJl=?RanpLdVaK8YNv^MZwb$#Z+Cj1SmKG;{w`+s$h3)`ri!MJ
z?ZH`D)ERGX47R@-TS1ZU@q%X3o^3KTjqyXCA3!)mFqo*1Bd+mgrq>#=n#Pv`@^_Vy
z`g#^4rfcvW1VJ4zI<Hm-3tP{&UEHc)gg;p;wOxhkN99IWpd8%jLrL*IQjsJ}94zZJ
zxEbN}lA?KGI-6Jog%F-oR7SgsSGdtkLBWiLB}IB1-lgg*Sjo!gX^eR3{~ak5Mdnnl
z?@Q?Yo0HAtp(X4(KT<nv*+}QT3NdzaIWv;1McUj@qNJ#`n=DZdZZ_(BHAIY+m3RaC
zyozAzLR>TpOXr3ean#1EELrLJeH^$C<&mUB3mGav)B3gaYmxAv=BCC$nURNUO@8Tx
z2U@%q+V|9M4Y4X#T^)6!Y&~78B6GA*RuyOV+?Z^W4yw(q!enwN8#>cA77Hop&@?7L
z;X(>lq`uV<>CtICzC&~aKR23FnM=vhF$HUqGota5(lFyi6Y>8olE!FCCFPPJ30lcY
zRWz|GG%e7z^gSd%eaG5XNPOB`HKSF^1Ywmzbn~ImG{%Be_BR<SEb!_|*`QjRScywf
z?S)d;Zso#h7HS$3bsniv@v=5nXd|5ZXtmZTn`q-21GF04<cA6)s6aIX(<Jgy#=t68
z8MOgPG=avT<Pa+sMj9#Xd_1JW!K`(-3YhLmYr~3-k&w-d+|sRDL^M$yp%k1GHC59X
zM&UFtjB%Al=tR6eN;WOEev(N#f_ZXtV{FBQVZ$bAIyhwzWx;@u+SHI&1y2MKSDBJ5
zma7vqz-U9f5phm1$xfx3k_xSbOHI3`Oc*(8+}L$QlOP~^I@!YF9g|okDaz>HTS)Bn
zNJ}eAsahwBgr_sgabD3A^cYNth{7i75@GXAjWFm6yi<D_jiaYDL>ifS(2}a?vm_A~
zs>x3TT~lyFNVj%HmYG-CEXzH)xe;yNwq)IeEmO8`X4>`v&eF0=RaM7bY}uCCS!V1l
zB}+P8t!m;&{v;}@b2nxrWtp6Z-CS2u60#wVI%rvU$aGOvGRmt`AT<Xb&jiKInEYa}
zUtD!7!{unFT3Z8ls>_YZ3nNYH3;e9Hm5D;lYBO#vyv6m*t?Z?oSuST_O}|5Hsmuza
z<-?j7!)Syf%R1TYCh(dB%%5I3dd!H?nm-~c*}n2-MO(t9kyxT#%T{R{Ca;u;Eg(cP
z{W?u%J?*-U$L!}Y-3_8+L0QA$wLI5GS<w#~7VG||E@nj&jDzB=n!155YP+y~k8Wyj
zo&rB~1`!7J3maoB@t6ALe7`$m3qMS^(BSx^vRU+PP9R)TbLr)0W@-#hnY(%Y;+~EF
zChhUWP?}7KrNP`_c5c>E?tF&9Ho$XJNb<{rG>q1mPmjx5^rfFq=Sxp_<5Lv?!@)?n
zv_87R=iX<`MvUq}>QTtcVhlete{zqoPAJf!>GDK#DsVjR_bb>S(ME}HH`*>jtNCda
z8bA{#Ek_cDL2V;zXqpEzpOk){QB*pgh?%yzp-9G0QhPSpS)+K!b!(gDXhQlCMdvq$
z7!v3y38%?WO_i=opjS`CDiKTPWVP0gqm!kQBD~pMX|OViB3EZ%t9B%pb)H0vp47%4
zYawnuG|Mxh8E=d;3q|SzRcyhS!%;{<Bnwze3+}U9sk($rn?XBSkLV=JiK%)xH+0Hs
z#Ob6l<7N&^SDLUkLu{!?y&DNi6!51}u>OP#Ysp^}jo8MhDL+FkvrYHyZn}XT-Kl#-
zq`s9wJ3X$BwY*UoX_CZC0ySFF?yKwUkWQLtIsz}GNKcG4O_Y|B9?_V%w7G&7(kjka
zqmR`ds|{K<SZ(zRNv>tVneIv*s+%xrd(BS@G+1t~*MhJ1PiYfXF*;v*I$9<vtc$kf
z+5D*q^@hj<W35)YQ&qwoA*EK!Gh8E6SE&}4U3=;Ai(96#HAXh2H4d$f)oA^jxvV16
ziVjkv@Jp=h%Cq8G;+H2ikY3^jR7~MADP#1X7LvLkf0`47Bdifd{PLyimD&c=0}IH^
zT5~BYgXOV$Rz%5@4M+3Ci`2F=qcGRl+m9d!>bgB94{nrhbJZ+?rr`aU+Z2%!nHJS7
ze;SXaYeG3w!nK0H64rl{R14zuHr1_Ykfk_7Kn)As_AL`MpKCOomVecUuk~=J*KFj2
z9`iy)9abUf)Fj)@?$|*v)U>f3ow+r#{P6tZ1@rgxQfPT+g^ZY(>LoRPlD1<(FV+yN
zN1deuDjp>|c(NiYTTn260Z}nVPxy5@m%8-6U`3Q|4mCRKqkM?+MI{SnmKV;OyP$ZF
z_JUJc<fSee)m+*=G+5iHw260nb>f%w+&V+B*hL-LhK4UC1d4GXL!;~n)WK%0$h%px
zX3OezT@Tq}J21nXi1-5$C{=6CL}_DnZ5Fw*CYXF?KVrGgG1$;E9ST2`GeZj3vHQ7c
zT5B>NSCuf{MvF0DFnJG_FEh`sj%f)sBP8xgX_;tZ+0MrLzB?p-*WcUhf*Q4T$*dR{
zEves3>svR(@a`PTD6lcAp6Eu=wrJAI<W!dv-|##)qGNKa@q*PQQ(dY+%d4g$-GaZm
zbuaRNCd@*L*MevjCcQir3GZ4qZ*JK3a1>!HS8EmW;heO-n!Zt5D%H@)p_}#EJ~w(D
z+4fJe1=%<oPHqfWu6fWZ7X#A+Ye#;YkJfEzP|wTU)wUgjbwn+QWP+JqN-~mgy11U3
zdXsoR4{tN>kb=;<00rheP=OleS~Qh3f8^0g7CBP8)WV?2r;|<Jp=(IwgX?S%+a}s!
zq#>w*2SR3+46s-^Wjev4KoDwJa}&ZG9mWJP#uJ8_vk%-<A8&C3If{Yw%xg|HA;m7J
z?^ylVh!m1iHyA4`om)I(9;!<ws(>NM1X3TXVqHfm4SM8E$ZQR*oYmP(StC1@Ii0Rw
zv&@<bhZpQwTAURxKG=<`OH_=}#v++_335{*t4}|t(^@F|1HN2Bg)Urdf9rHB;%qQ`
zeeTuxx_W%40Njx#8i52c4>@L_!7`zn_ZQ7Y8KCujZ3Z&rHfmghm5Rv^6_pj}$}5{$
zFd|f>Es<h3i_X4JhKi!BNZU@GDwUFEL&Hxn*)L5o!Yp?_oYI=ka3?xgfwH$f6lf@x
zm2UsUsTS8drb|PR2PbG0xhbpYiikErGCi|~QMNo}I)xBaC9^`N@RYS%gFr%>8}qVj
zv&z!CES6+LJ~O%?-?n!X(0107st472L1~Eu-d0zJ+H8m>hpVQWzGfuCJ{qjp3n-`O
zV)SGkxuPj4D$UF6cd>HHnnOB>TR=`P^R%(n5H?jSOH{J2LTf@uhe}d1MG<5-=&Vk}
zX;XE*C~uZjQ}O(8Np-6M&)n?k)^fLtSAlw0K;=p;R5Jx?nR?e^y<Z$swgM4I`(vlp
zX4~%M)=<*`gKcJH2N@P=39~7}x<s%{l6lH{LeGhDiX$0kwXB%A3TJox8q1#w?ACSH
z4iRWAUyLdxSF%Z8%<SGPm7E)3w!`XcvRVB(de`k&Qs$<zhq}cGI|{L!wKvL#;e{Kk
z#4<(5q7`dW8kAe5xuXu08{N8fc9~mAMv`3;w}YRqxO8EggriziMLcS)8VzcN<zlVw
zpt|kwqlqbfB)XY#zDAw(agwTSR#&NEHXc&UPXbv+!iF<`<Jc7sXQ-iw)AjHC(#ldg
zUx`C-l9Y0(tY;cqmH+3r7mFxkmLUx`wrXWiiMX|_h0-^Etkj-e+N1BBTzv)}v+Xh-
zy%czjVw*YsX<7P1<9g?o4#-X=n`VKmwCN+WLZ-7tjk$GEj#2pdGdAg1t7&H8WMia>
z_L>U(wXzJnLR;CDTt*X;Di*dPsb=TEnWn1N+dKGP%hG#glz?ipofNeK>xZ)^evGby
zGkI<W)X)5h)7ETs4#QSKXpn)W>%S>DTNyzm|M$9qLDK&a-MW;;{}x*-?U5aYPO#cq
zO}6sQ_MtI@&pp#}*F*ikD}(<g!aq|A|4n@BEQjn!)ct9nC&*@It2X%u-N3ra?GI!8
zZ}a(w5w0_%8e^jhncmP5wB6UwN<aBm@2Dmz@pU^*)_{WEBs~D}Y6qpste6u(QnXq&
zVa!p>UbGW`3y+uT<^-D7`(gN-^dmRhS}C*j{=C90J+m$s8ot}<^UzbZ;AtZ}KccA6
zMpt@8n@&P%h9MrRB0riRUJ}W#SmN@zB;szRIhIuD*2k)cEN`rjN2)?aZ27W@wN%fb
zWHiZXYe%ta%Q#fj+|a;UykA4kHnw<!?=PJ{ch7^G<GS3+jUONKm@<~cnu6|ieXcHo
zuxVu%kKJP3LQ+|(D{0I_lC{`PZPr9N48VTYs!(xZdc>T*9XV!f#(vcJ(HX;-5hFvz
zWw?iP3z98t18WgiXI>I5uB#u6D*@KyN(}3EWo0-$Eb?n|nO$C6#$c$ztUtZKoV7j?
zPS!Wq<cEr@MvfUXVrMvd^!QLQ8~cbG8?qFpx?a^=dS1-RK3jTKfv*TdU+qp2z>iNE
z^JnZ@9ro}MYu8Xw(+}$WWjbbrjHIxePq9>n3!7OG4!MnV`@5c6w!_~AnLfR>6eN8F
zzNXE0P}gRfx1iK}GBGn-FJ|75{mO`qlg**kz2rora+(O!FY=>v=@Y^Ww6tKWN$%W)
zg|ywcVtb2+hq3IwV0Kx^TWCLl)>9Fy*TO2hb<BoX<YTI>0Z40C7ioHn#`Z3mBWPJN
zP6V2VYb1rX@{zAKddS$jO;l+zE{+CPsa!RiW&qA~q|PnrH8Pc1;nZ1qdY)RmqO!g@
zso8={O|T<bu6^G0b2Vm+_$&q5(kWM#2DOigJL~3Am6}$<QHYr||GBV|*8lQxQrSVU
zpjm1qgu==;YAGEn8j`JTXl+YoxBcHnJpBP~ld|vv25MQSLcMbO--9C2!D9oVZf(x;
z-~~Ex4`f;|Mll_814uil5X`Qr`9;wR)jEf9GGfERRJ~h@af_fNptXgb=w4W}PKBwX
zU#wxuk$HX1_g2BmpY4XZ2wgQZOJOI0bsV}q$(7smRTtsbm;6c*GJ>-WHB`~-3Pjez
z#Ra8#G^s!GCdsmsf@)@e?3?FDeSx;}oSo)ip-hRb<`@inJI*iDSXPp=&m}4kYui$w
zT1gKTYdt~h3U2vW3$FfzloIV0PdJC@mc`W%=&d#$vsM_lKB5q={#CvVN~F2y7bsx4
zNE8$lOZ&@S6DzG~_H?)G99vt{NZiI{_JV@9QiOI(UTm{8*pu*Ufd1&etI*)UOMd!z
z>hfr`POoEBMOu=RM^3cU|D%QmXZ}ZW<{zEIs|T8<#Vg&iewAkN=sONMvG}Dad2yao
zCYp(BkV+7hmpfZCK?bQ9MUcs48@ra!bQUfu;_<rHwbrg}63;xpo#U?=dq3x5N75Za
zW?12OOOmUyLX)m|J<2qzyUud;lQmao+7G8sKtXfvSR1R1Drpq?S>D}xwS*{r@U%Tg
zn+8ueVYSm^CdF<$Lh3qD>b9K06Lb($yNwbeH#8XPyE*K%)T{L?w`5()Op=#GlIkF7
z_F73^MoHOXrA6b{of#I82W>9;-HZ~qVoUF-EV&1^@#&`<(#sJWhIo&t2~*W7r(kwM
zO5GMhunEnI#Y_g>EV;y3Xu{P_H8U=$PsLb+^t+bH!8{z38x3jV?+&<V5aUXmgGgGH
z%Z=piKQvsBw|MYS|Dq0d!}E5=SQTdpGB=;Q+Lk6ZATi`&aI3VMq*E-p<yiP`m$8`+
z8e%yNOAWKtNRi#jsOAXdXJ9TidX3hN$K8GAAi0~cw@$H!B`gcMgJ)~I1Uac{wiimG
z;bB>xbV}AO8|5}cR)km1DcGZYddckK^0@_bipysg&z-Sg<|=LPB^c^c4!*41l4<Tr
zr6phYtELTR%davT<-G#pi8VCy0*gP7;2t(1?8=xVFn@5_iX<vxXh%fb<%rc`RYEX!
z4D?A_mNZatdrr;=gD%!<wN#$BaDE9-pcK<Bz&al%w0^guh1XN9=~7JA=Q!C_!7CCw
zL%LQhNhUzS;lU(llN+m+xGgVRB24elCnMEF!#2Hya|O?-tc~lW7J}_I@};n_b=&Gy
zoB`IGHh;ovdRaITsfuw>z`b@$A27W>%EEkM`c0HJW)zi%FRlZzK0&80QJC#mnP0y`
z=R#PQZC<lhy`)EdAE=>%xu<vkZ2l}o;SZNvkK-cL(Hj34iK$n5eit;`|1dw^Y^^o5
zhd{*X9RbB`b9VP`nO^DA{)k&m3|>p}=X0wS)^Bp^(LVic=jtr)Qdg1$#m%vsVD*%)
z)c0m8b4v$aY`r$SZ0L*J{--)6m%euVN8PAOKD5k~?TdS4*AC}r$I9_Dd#riTyUy83
zCy-)s>N&mn@A_L;>24L-DFhvS#-D3YUQxK?E~>890i6oZekfh7QmnEG3dOA(X0O+~
zl5t5?H_|!-R#Xbk+G@Pg-VVy@_B2|ten>^&a@g)RPj;GYKZr4`&cIvh+?dDCXqr#t
z&5eP5rCRrqeiKLHLV-ASuQc1XV*7i6GZ!o<of@2H4NceK_w?cU>3n0rZ6i8$=H~_N
z?T57XxUTgrlHMx9R?AlTp&9-qBs(C$fl5xqdRr#d+SjsCrSpdkBYlp*)e%l7u+w9p
zEMtqgP4EYov@YN$W|?`ev~HnhsTnQlV#p38p>mUAc`hiMo9#E2n%P`|uF9J5PS6~I
zp_zN}-log`vC(8`#vcUWM4mRG|BT0ll6t*T7rgA~<8C!TZ^zEXJv&m-dQ6DNwsv^r
zr3898y;7hiHLS|7;Ac)Jqc^FfIGZ!9kU<)qy`x&rj(NG}B=zoy0I!we>|PCSe`dLU
zSCV3ZTW4-<yR^rQoHBlM$D4yF)^@Qn|0DPHL>-)MTTc}J^xOI(QH8E2205=MI8F><
z7-ungh*xFSrqCmdYtV6Soz|bXW>ihJNz&{uYX<&kZkfG)=X+nO_YXbj!9*0c(~#>3
z-o9fHG`m)Vjz9D0b+`tBOBs?glw}EKF5>1B)7moaRmX4Fl|voKT-z}ST2?S;_S&xg
zY3(}(K^L$o%^SH5>kPhb4?z@KW8#Hq|2S_792s7^5xnc9Xn;0%ahf}i;dzst3~-|@
zMps_H%(R8wvUb;X)hmQ~(@2Upvo@(3kxQPrl=?&1ZoMhXUUKUC9<4*oWcbghH~Xb-
zP7~-{8Co@cY?^_H--M%|)JK8z0s?1V+I~|7iz=p66T(ItfbyjjL_6!i4^uGC(_25n
zv@fpit07-uH4IXhoH^%~*(ap*G&q_=FP(8_u>rv%ETbdVCUIl3#B9*b@d)77t^L?W
zov|B|@dQ%j-aTNXrrC%8yp0~AH_+UO#Vs~BHQSrA{)C;IEZJGK^5uH%&}N-k&(~YD
z+V7y92gR=!7u-O@Pe;fwg~51Mt5-37d#7nRQ(2b>1+-HDNC`q?JL@|7r!V`k^`ilY
zlayd!8I-HWK5l4du6~YTDf?5gy3G60Dv@Rlq^R?B?9P{sCAIypawk9NG}U2tAcQek
zPV(c%^gDy)`o0Rm^a%$)=5`em3eG`>f_b@LICKNbb}f@3PM@gWvu5K6i7hVr%I7Jh
zn&q3|vli5UdP7XdfH1p}rwvibd$KOZk;E#+Z5?ZsofZnpq%O~$SaV<gvCkF-vqf7x
z(T+FScgJ#U$yzm#R^e&MP^)8z+v+(a)rpV2alioC@9}evHCVPRvRya^w0y8@*sNyW
z+29Q|#IA%zHx!wBw~@5#q5H3>Tvoy98?6FJ2#JH^-&7~B9jO>xr-Qwg_57JAw;IS<
zJ)PmxyQ=w0pDU&6`bdo;ahrCTp}u+DueqT~vY@9nYE#11nvKADv&MZ`$t6uO*n2hM
zY3bu?_5dG5Pqr57Vsj&WH|!=J_nE3T@hE}qenrWB<>mkNH<Uspyhh%P$S#zA;G9OR
zfrSyBUvS#ny?Lr!$EwPmP`ibe)>_IfUE3!O(yO;N-*cZ;$SnB=k77jXzBEB)*<l->
zWlh2KmYQCc9g51+TUJbBY5Tqnx))YCPaCOE@dic^oli95;~<e~C#Bp@)NA!vt3fP-
zvb3P(f}nL~zF|QyePy9OT$*{W4?9#9hf0VDd2*{)(jab>Z4;}ut9velUMkDd<!(ac
zRIgha;T>9f!?Z`uf%rVf?5tOz+c@%UKfQF*PLn*;l6IP$W|H9f5i+VP9kbWB>Jry}
zx?A3)>D4gyC{^c@pm$rzSG-mcfjPPr3tqyorBYVk^sa?U)qPO`J>Wjb<y8_%pj`9@
zCIzIGw_s&e39|V1&_Jez5z~sa74LGm_uN>?b0-Ja=^!mZl<FlU8@A5tTB_Ty%{)XZ
zI1`IMCGDj*5zV6?aGx<_-Jjkx?a^n#?JjB@nE80$O1Hbes`W?w+`P0lTHlm;uG@c0
z$EU6_ZE!6+I?Rxn0jAySP;|CnkhXGqMsJ`8Wf!Q{wJg*Z)VhI2M6bH|Q@6nvor?Bj
zi;!+CyUWg`Ik3*MsnuayJ4c;<lyztboR&5GM_Ndi|1h7t1>flN{aG6e`m(eQ_wLgl
zp;-m)<THv#O9m?VP`V$nfpS~(+Hd){39y!jWZNjREZ82aZ@^ujI?4JDiPL^;sJTz<
zupsYzMCxnws!pw)jCKPU_cbf$*{PY#Ym{`-P4?DO5Zd+8^dC{%8MPLqF#-n&7wN4U
z>vfz>x~KM@Q8H>wwje442bUKWqdt`IAY%8@tdgO_WwvXy4iBy-Ep!t*v#n!bd|1O<
z*)_B@e~dS5X5aVO*o75~U|#DU^54f(<`)%PMZ-$5`q*F~!uUu7sdXPK*Shl9(RmaT
z?cELI=mJy*Zn)O^pn29n!aqCv=+Amx5g4>=jawIG>o2|W=T7H@+}twAMr%{jj9!wn
zC!zSKN23^nZ&j?%u~jq}So~&=5s-eHNkVHAwWrgIX}`MRi;XH<Kfbo325y5$?|!O#
zu)|Ak)0sZfJ|x6aOZqEWer482;O1E9dnbP`w&0s?*5l-7JrY0m-8K4WCd-^h=WWx5
z?4t_dLb}#Jezfn*v@))<x~@l&khF?Sr!_L!ZSUE#`)_g__*WOpy$!Z$llFpm+x$uZ
z6#^xYEy?N6J6Pg$AU^nXoZ?J>C^8t8*nCH0JY|RB0h55jlA`%+Y;lIAA;P-61}<zw
z4@TxWkQTgjsZom8(QX`<A1>fD3%z!FiB{2=lCcfFV0oNz7e|qqB=R~_xX{1D>7$ZP
zaH@`U#T$eDGRh(o8KWZYzc9BT#SGuwC(nX8sRl28IOJZSm>p-Z-H1O;$34RSWmB`{
zBU2?f#Oqkyv1woCcx2{emj9+x`deZ|$|n!l1j}q{W<K}fw=Ue)87~3Y$676Jw{7e`
zoTACAy>#L~^)@{bjh2)aI3-+Q=lYA>@l;N@h2|i}mCO^fmx<c7Ok%4~BiK^BU)QLU
zrF}Pr<83uM(#Y}yduvs^^o^U|@D4WAqQOxBjup8<5Bf**P#dqfP9*!)Oftz}EbW7%
z*P3`xN3PCQM;5)0Hh2pA1nI9+Wes23dH2&jAbYVQf{gw7$ldDfI-+%Mw2!O^t(Qc!
zNtDgf>=RmS@scgIxvbRE^xBESGR#cUb&vQl5!cFmu0C?WS#p<rMBOGi{>vz7TQzH>
zK(G2BE}7F0ErW^Lc4dRsq6soDZ)#gi@1VQVHXmBjaqq;0<`9Qew<n*6s6w915^3=_
z6S&hW*wWs5zJ_4Tk7zaQ>1OYkuo<gQ1>qQBn^>h{-t@6HX0>b@*K;;DYHw%IQP#TE
zEFX$tNbAUS(t}eJJkf0>AeScj!HWyNuXg>R-YpAeQ#{#?RWh#_H3c8|$Y)V6^K~S|
zOrOc~Y4lo8Qy3lmX3;-Au0kVebf`XtOgq&|BWJGSrJE05yAw~zaOu3V1>v&Ue9p+W
zWI5>4b~`BDQLoD(Jj1O^uiu&4Y4e6n5N|l>(ErH8dZJiJj@S7B!ZoL~%E9q0e;%%_
zMKUyZSV3s6WWg^Sx$%(OFIRKnOMg_W6DWH(QLTr*ly@-|h@r6C&yphGm?>f>clWtL
z_0njNW`-X+*sRxD_4P5m980ed1f!Q!$ozC{Z3jDZqc!wfwvb4b(w(JKYRfasVZ8J^
z9l%Fn`2Lbc+r-KKF5=)C-%5YO#4I=y(?2vf&S4T;j2s-+_r<e1VVk}9uO|@~NuE_$
z?1(U`i&NQ~gSXJmTq_HT&TR`LxG{F0h{Go2$!LxC?%jHc^W)Cz`jj|-Huy<@p;<8p
zN05~<mTKv@ln9c^(GAY8avz*#$&M)4iBF%{2)+lUfYep{eXe^#t8N)(m0cG4yr3Sb
z)VuW167|_F+M?U**EwTS=|A}4^5};Y2$R$jbAR{koFIM9w_gaYjG|5~n=YhnX-Zcx
zUeWh>+)>5!_Pu*jmPbXO^+^Od>w{Et8C9?Vv5Ri>PLvQ7a4SPtUr|}xhNhAgg7c>S
zquJ}QZtWeDeNvcK7R;jEB*D(c1Ydv1@<p#<-_lHfc#>IwU*ylk#YB&9h$cfeq{uDf
z;7(&|a9~WUzGb{C+G^C1ZCGm>+{)`(uEE1>s$%NF)oAPem+U9_AR~kQX17pePibwJ
z_Q*&2D1cgj9>&Erl9@`DW#Dz#JY-RNDA+tT&uy*oZtqW~kIJ}R1aIpWfEjeULB!f4
zFO3ED9cMcbYlDqo5G1h-7Q0a&y!_!NE&P8E_Qh4VRP0s))zN648ayoh+LlJ)s7kdT
z?WJ&HUq>(+Vtxgi{#GBzmM^wF=&Kp8=&Mp{zCnt#6(uvL59~-3#}f3~t{wSylGf%4
zXk@-1Msk?dySKyhL-VSuQP%#zX!`u0)9ge?XG==bCr9n5Xy&`7na`T)L(x7eB`G+s
z5{xNX5l4C0*w(FO%ad!qP5kc)DjXdxwedUeNcy9J>wkB0ZT~ieZKTbUZ!O~S38^+|
zU*~5vL-XoTx7h-`whi*6?*`5<D;OFsE~KkO40vV5&S|nZWkRACTeYigI?rvsYVifl
zNf9Z$HW1y{O0y^RZi*ae3Aa01%izs_oKgc?uiz~Tjg4CEQ8Fp1WC2%g(!b(u({Xu}
z&W?na+ldqnjWo?iNK8`LxFucs21R|Oxsl#lpKo-6qN7sT!#U!%Z?T(y+F$G9vNoA*
zM}eWhXdI-V%)RC4m$`#aK@Tdk!Q05;BS#KWzcy%L1uwxi4_Z5*@5@>C*YahgemSR?
zRnHO~?-qQ*U7s`40x<oTJ49O19OERQX7og>84tswQonr18ksw+<(G+(Tt+T_J4F&o
z{1iURbZ!mHm2djx1(k!3&J~*5he@zjSnA$xMhKGOGFR1kvu#A431GX3?%=<APd;kz
zhDtn3Q+kBQzah*w;q(CnKTxy%-t<$e-FZhhP@qzy{@nxS7OrV!9+8#MK*Zb**#G|I
zR$c%9lz26SDrzOVoV!4=D&0<Txl(sC?@Ze9m!$=pA}#JPYeiJj<rEfWQ0cz=5Dc62
z0g|Aw2+gc4kK+h79gH=yz3pZVnzGsF1nO;=>t~%VQPy~@ptBE_^1W_*zsU8s#O#Ee
zMH{qcF!{5Yj{lHUz1C<*p)J#9PC;`XLLbofr&il0*c}d%#?V0-reqp$tL5^oY~E?F
z@PlMi{0NO@%8k|kf6auIOzXtcD1#o$6rF48npS5P!h^Hot`+n7&%)XWs)v8stuClT
zCm2riQH*N#Oz?P-W1fAyBw$!7g|S}t@~!vMjuRTnf^$QH`F{gKrNwj7OUBtrRWl2@
z`GA{82FH4{4PKlW5#+hCb8z;}&inYetKNG|MBVpdIfxg|9h9FxXs{cGsOJjQd}**7
zQ><P%>lMy+9a=(Z>-1T});3u_<}<8GWdhiKOxm|ICNs|VO+(hgm_G-vk)}Pjb<BE7
zdd%h4Oc({a^@8-mm^+oonI=v*=4T$}#%J#Rx|MFKuuA)>`c#Kn58{=6u#HWscyp9)
zU=^on=nNt?e2>F#MEdtQ+~#AGFUqXo`pBA(BFh%#tMmBFqY>6r(~nZEXo!SVszYHY
zlW{{3v!;*j?M9^iPGIVvlwx;nRNa_=4Z@lI8x=|c0|_lLO2Ctvqq9DuH$1YA(5F|)
zGpS@@#C@K^6}Gcx+1uqlvvJ6G?|4@#o!~kfF0~rJ`W}z1Y&%Mh(oC=R`OGVFRv7i3
zB<sL#0bs3H7)lG=r^Duy&YN32cR{=FF(?vu63G>>dq>j^fd=Id(gPAviXeL^(XOS$
zG~Gw1mqkl$%oECN(xWcje_pbdO*q#^qwX7(PSukfy_%(tXmC~xPWMQVvbC4JAi@fT
z7Pusx9FAzzUp7FikT3tGZMPMUb@~8b_WfE@t@S#R;Y>8%U^}lQ*sa*u+|vIi6QN9t
zb^lYGnOnlSD<x&C$e^<hr*&B?V|WhRX7z3Sm?e*H<uz>%3ff#%V4Nf>)qmYW@^r>L
zy|7)X&RFXPP4cVxEH(@wHA|pbaf(l06n7(9x8#<`*Y`B-rI^>{Zy}YI?Ty1Bu_nfP
zf80tHX?i=CfqkWaN7A*R;QT=_+mz?H-kQ-+S@$|5VDKw$*#_lHJ{%bhXKm`?(8?mq
zO9QLb$YbX7O@52R#w77ZduJ0LE-@=I`>lFfmeECtxeWcS6O!iYO*pz;Xb+8Y|2Xfv
zHAneRFWg{yenDZ@d02{BpYCtZGU;rK{i~g=4CX|#>=d*@2L|1=Djyecovy88!nEFx
z12BohhyOsAztP7A{H;DU;BWPzf%z=F@r~Bt*=^13q_lN_wLFl#);_RkwVLL}0=9eN
z-`0^z!jq0hwbqR7*eN!@!XC8kw1xHet&Lg!*;UJ!q!MX8E0M-k`T6<8YO67(Bw6F9
z*R?l+(r@vno46fcRG6A(KF5*0E27y_u$7W_r$6=sXVa@TAqo`6|I^&N{Kj=;>ApGk
zUy;>7LlW94*{<s9E>*klVab%O(!+wOva1^xP$kI}l}a+n!%WI14Gqrl4m~-8i=Jrc
zfd>TvH84CQ^ncyo_pON75j&HV<aS-00!n7?N9=g4SdVW#A_YStAT=`y(x;%trV2I4
zQni}E?V^vvN905G&DB1rUk9Ksb>3QrKPUj3N<BT9C{q_$GCiEtjs(G!>&kQdnp#{)
zj)kiRiBF|>`n9UEtphi#BD1^awa($)u>F&p@#U<_U<nACcU{<ku+niG`f3T=E!@9<
z?X-SsOVN=l7eoW4Az&!Y`mRFb#Ft^)^syH|d42ewl+TtCKNo%voZECJwE<6#Hd2M#
z3mZYE5^EQYMB!B<h~~Lp;L*W3D?nL#DHLk6;2=8%>>D!g#(Y*U;&EwxKJ7E4RCl8<
zAgqa`8j>%%K-%=$FzJ{TX{Oo?*4ZM*fUoO7R7koMJOc!RCh=CQ`S>{aS{pPLdPZ<V
zXjfB(A|%+M%4#v5BYG%}?BW|xQA#<r8%Wj|l`fU|V@t!Bx2QK-8VNAsWM3vSQd_e|
z|9n-e&!Mj6j`ZQIAoHM)nDyR(B8dUdm!=Vhn{<UvAyQzi30?t!`XQOGlAB*d(Gz|A
zInqSdP>7Y1iyP3!Rb!rV_2wP%K64e`i1!5t6_o$|;FZ?~UvTz<|5*$q7zW;Z5oe}0
z1Ff^!nZV0<B6+-60T@<u$yT<PX7#NiDEyWDYefn~dl%lOr^@Rn_f6J0y}iBHdo)Gp
zw$ElAAh=E_1b5K4zPVr!MN5bmOxN+%<OZN)t$eN?Tp4TXVZ6!@9mv&WrdhL$>v_cO
zui`uPyZM=XH8q(pr=Rh;Xy?LSt1B1WY?|SR%6aM^k~?(796^9sKna|y{7-tuMCSjz
z#lzA!ct^U%*1gZo<m9N%!drh!+1$FnrT^D?FR+HKsxs51cNqXLM~YkZCzqqPYmawi
zDVuMjAIh!28dhglCQLLvVEiUU*(sa-rtS|Ec*vO%)N7|MRriA!SpC@YDTLLZ5rwgG
zfxecf^>>;pPWW4}M{)6O$!5;3RHPItLD}A7Cr3HlV6Y|8F1KI)gZ8*|fXbjYj58z6
z!QCtmmXFi9K^a!I6tr)fvYz-<P&S0h+vgX515bCE2EYBaK=+i$f1OXUc{1^~ztj)i
zbiYv(BvvAND{gQ<P9TLP??+}^D0>Px+9IC|C(zak3RWaTDFRRXk_HE3AIV}amW<i!
z!+R4|mkHN3Y&=s&c~=sF{0XH`se2qgmr4pVvgko*Q#h*QoMD{)ZCP!;Od}a0%;m0d
zH<8ak2pP;D;h52f_x%+=pUc(Sw`3<<_VxsD$cx#?9RBIf&+HCUL&e;`OHU9rP*8+O
zi#j!vLQ_zgr0EB(m9(7Pf8L@-#Zq#}Zxk<6nr=mU!G}^(jnxRejzWv8WUS(HW{JAQ
z{k~g1Yu8eq)iJ1Bt;<+fZ=mt9zmrq3doem9DSh>rvhsx59c#Rf6-@8WhuXmoD@)Be
zJTv{>9`6?vl2$xDQ4>MBl+ZptoamQN9kJC=k;@sN<;w6LfFch#YDh7JX{&T{ws75K
zG$%pmd3Q{y@HzPIFLc0eCuh;Bs#L{|Mw6qPD7@Lhap7a>aEmSg(rQZ52g=6Kys0&t
z>_GA`?zo~#&nG_Os%Tb8I|zTRo(fM#C}K>x4KBIV*fK5zk?ASXc0#oENhxMazNB+a
zIaknWlnVmOV7IcK$_l*s30Pn>lG1gyIiyTy!UUxS_f>ynrjY-w^asi$lQD+cxrJxg
z6sk?`KdxY^`4mL^o|E?>(mk&5{vJn5Dlm!-AcI)&6D}CN9kvGvbC`WZ<m^4Qiw9Jc
zfy#7t)wQE>oahu^#s$w??2kv&CEFcYd7E|}<e|QWr+9c*3)1~9=Oe$vYaAJ>TWPjs
zO9NuUE7fQTmy789is#BhruM;wpB!@b7wu8=W)}apfP!x{mzZunoXZ*vulnZ=%5f@=
z{MsOCPXR5|KX@_hp~C2LNRi2^c2UNI5TmkfyCXoie1vPRp1*KwwJZrg|G=N_fKC5Q
zk{<$q;YK7=PjfQ*Ycj|&;|?-cPG!ZCgA$NT8^$^;D07Q&ZJ0rPT??I0fpDW~(5M^$
zfKa^oFN>hG+MV>DUXL1G&d*)^0FxU}WR0%=Rc_jB&QJPBzEyamc?6Y|V&c`&#b_#O
zjHp+Un5Tmpa$tyCaR%6kB)h-?w+i@!zaaA%MZKg*_-sl4idSuUN^eocS39~dxEn?s
zO>8O?fWA=ucX(l$j~o<}o-0W|K`-g5-H^?deiUX_4tvct#Xx%ZbVLxQCsx4EsMYR4
zy}5;px|zoH<_4Mpl(*hkyZ6HBe)}fg*!4GdVqM=+LR=kEG%C7q(6msJ)g=x#ZPU3>
z1tP0++`$4PGzD8W9oD#dWifc9TBiEv;{EuB+tEfgzuZ)8TyDf6X_f??nk+n29yW6+
z1*}V5)HB!f3)-1)cs^K!-T+_GKg9W<7dnzc<@b%(#P!3y^Z@C#@fRJyO&NbL;4YLy
z*Q5N~R*mTYUa|h)_`ph&)dfJj&{VosbV(~~Kg1(KF{p|a|3M5gOG^!Od!o{6lF{j&
z+Ei76F+xzbU`o&lHLopdhae?>S2-w5U3m%i?#N<TzTYpdKNq4U(tNx-l1ZX7;guVO
zlvgr%a``GQDZ!waECBS5SoRYrMB`!e{(bp}4Qjtb6F8aM*X}6FMI-oTxu#2lN2m;r
z`(6yGCP%$Am&3uKo(l{!$8yI}E(aBZcJw?2OG6Q=HF2Ndk)Z9He(o>|NM=EqLRCWd
zFz>gYUrLKCi{vh43u`a4uk|UFQ666TR{wc%MZ~WSfl`Nn!V2l8(!JF7uW~$c6E@&=
zZ*RIAF|<CXNuoKTbNP!vBo7mfI9==xoiBL?5sh@@G`WK@;AB^pRf8yYKlNUSSB}Dd
zUt7x|MC8t&!-0nqk<WwRyTAG11D`5e(xy=>zs8uhD}RT12FD14FbX2L3rt)1r&Vio
zdY}@1>3SJqOkNrJ$y<zEL(qo0{__W@*W2-Z^p4|m3&YY~55sxn5qGE#+BqCy<Vam{
z$82t7{I^s=NpXF7X$+3%0x3}~5qb*D_%T%zAD8MWGQo2U5<-E3MMPGnYVp-WFc7w}
zQtU>~<-t$X4>!FiR93{T!NNtvGfwSeAPlWZRIDv%5irRL+7{4F;l6q7qT$q1!WI%e
zvqf__LwdKWtRg!ot7`x|2-UDm`bLC61qj*(##S;rGS2$;t+IEWzHjW{4b4UEMn;t(
z$n=?M$q`TCI}56HhEr~F%{!iVq*sbr@bH)&r0pWlPx9TB5Fs^fCz3sc%4v+rl@^aR
zy6czhE;8A5o}AJGQExh7RO(kg|2vw&1p>7>usY&Pz|rdCYC4gfOB@cpu12%W!{C;n
zZgycQoRl8K(j<4pZM!3eSB$RdEX^wsjhuI}>tu=zv6Mbl9*oavgl|uw8iSfML?GhO
zX;hI?+o$qhzmH5k0dD&E!+$Adgn#|P2gHOwq8TumCcb>d9Ynj>qal~^wdQw3^9!`Q
zIuKe8t{grsK`{vH#{a5+X_4bH;yx1Q1+o1dfSX4Ii!rg-JSnlIc05&VDESLZwTm<x
z-=<kZ+Q#%TbXX7m>?ZJO%{2zbgUs3Lll_Z}fpkR2jA}J=oa;ShCwX^i3ovnBU=FlO
zk0<uT4Un3!Z^Qs>NoQD5VmqGq2C1Wa^rTMxHIJ)GxLophWVL`fo8Z{X>bD!Ft-M$3
zA^5qJaG_`EtM^Z485X@UlONJrMC)n<a9s31b&ab!uvyg|{3Rf3R5piDS@%nof0AVv
zi5MwFG5I(O?yfJmtsI6{`5?G8o9n=^IKwlS)E@lFIT&dT6S8q7VHFVp@bzSW|FPeV
z{r$(U?ryP$PpBFOrr`Zq^s8NYi0DQ%>Z6UxDMx7+FDl?%5)XhD<x#eFt`AQnmTCv2
zAcpcpf%rOUQMjZT9BhUOA*w%W5F5jmDVBSqoD=Ab{bBW4BT(b0(SB#K01+snC_+8t
z(52Fp+%Ng7IR*sq6+$2nU0DkXLZK}>Ez!hPAYCv0)`L5ZC)m%3fUGSUxrnqG-1@2^
zS?cZw%jQA5fwEkUb&oHpl~}Kw=)Th|xBMzRA`%17YJ~b5KG{55WP1PGsbT#`eSAZk
z`LPR{W8b8bWc5TFnamSEqw0^h+Y3#iN{xitgx-_NMs!d$Vw7jtTKuEvFfo?q2OLSa
zKEZ;7G%-)%;wx9uL&aj>3KWs{@~K~b<>LFPfrva`|ML2K`9)K7)w|%BzR*1)(bhgw
zuB3-*R$c|m#fUGsnO=RE6_L*(*eBjWn0%AH)&1#Me=jvxJLmf^uD_RFEZXJ;i*WJ%
z)WBCR7Ff+wbs;?>d#<pQQmlbA{Zy-HfiUsD#Q99!M-isQy}3F%gQ-Cg`f^SW{|Wp&
zRSeCIt~}w@zwmAyT9Ue0wZ0%xepiLHdhb(r#7?3BkxOt=WtHZhwompIe@46Z!49F4
zfK~cTF43=_N;*nM*M+T`#@u}C(k2X@y!E?4A$#Z$#MJ}?rtScS0#<3k(X23pxcyf6
z6?MbBP-|tRm;%F4a<DBoPTfYu!SvFV(0)@?x*01q87e0xs-{|o+mh;y(8#~CFF|ZF
z9=Y+U>%nd;!L|Wp%%yYiPvt7beOLlJDrehgSZe}8^s&oZI?;G8ZzcT8&MpZ5w%%a~
zM!dDWm`vCK;l_w>Y8(JL{3|!o3NoZaq#{(x8w#g7+!v2ZIeS1~P#bB*g0w3Dq@w_E
zhcIvpRq@W3GN`0cs1{w79AoT^!q5)lu&#lm&ri!i64kMJ9c@c`y)$IL)xVGNJ-)yM
z)7b?qKNdCGijyEBNZlXhEnP*XssJDbo#bBTYt-bhYucs$^Ak8>j&*rW@sPP--!%>7
zu^I^Ci&X$wJ<Pa4+~%6mt8-PED3t`yD0O;GDrE#E9v^;99~Dr`m#h(C)hnKJ@Fiz{
z)n6Rp2!x8JB8xh{=(6WPg-T^IKPSjo@2k=X97EH_;^<3Zimks_ajn>Wrf6Bxm^&g&
zU{yC_&44!KME;T!ffdD&)MIO;Uu}(Ub2_y0K%s;T91PZ9UJSk(A1hgQ@YUoBPECLs
z!K5M$b5$nLmIW+WIkq~t;&_o#Hgk&1j=X)uNqDl8ZFYV5M~RY98JPxaE&_-#Vg4>(
zaxk+=Hja)k8tspf<kpMe{%W#vjd_@C*OU+zN{R+5iWw>elSFPW^n~)OvBVKm<&R6;
z75UkVA8{`>5VrH|wkYp}>mrKst-HALsxM5wQO8sozl1*Ze(NzRCLK(EHTX(}?@|FL
zLZ=A0Ga*uwF3a8b4G;{8h|d^R7W_Z!W$6UTq6AzHb5clsXc>z7DBy$Dhp+*d^yp|n
z44K8=2wh$q#we1_EXgymX7kyEki+297aA#$+ldffOSO(CM{@h;FrDMCIoK;+T*}u_
zOnq<H^wIXk=x-iXbVm#|YH+|OqTZ%_`*t~@({jvvVZkn6%Xi?wIx#1{&3>eAk@+ZB
z!4<Q$n}V_vGZqrl4A$7cUt`x2S)w|;@{@?2O5>^w-PEnZt8-14%xu(vW<c`gC=!r}
zScf5Dgfv5D38DrsVQY?9sTaEnTT)JaTHMlSxqZ~PBw2UHOmk#5g;tV#mw>&fg{&8}
z956{=mvHL!NG8}w%Bzaw<M|m;Q5K0%n`Gji>M0aiK1wyUoZ!Eh98B>Uh)7Lf_@3mg
z%(k8Skhe{u@dQKW7`jXl3io4_>ag~kd=gd#sAVBGY|<@`@=$f-Q+YOXu!U$H&44eP
zNSXEA0jKAa3UGJ~)v213fb_{T{$~7qpAD_mB%KavgFcZ))}ORJp8%2cC0<CjAul*c
zsjF$``O>tkd&p9t>=1NX$R3lzo4Txf>+8y@5!*{sqNy@fq(7K4gsjT7NpfXsx$YLp
z+=k383m*p(VFNse#c;e;U2%qc37Mn(m$C-hUX^9=3TboMuS-R6%Hf3KovVc;iA+F0
z!9S^h-385Q&aZeE=k>ah&Oc(7TwSgsB{rY(=ndHSo72dt3l&ofnv<oLLPNUg(oWKv
zYn{Wpn&FOitZMCHReH7neqP*kcwYtMur5f%9AB!HVO$xfP}=eE^QguFhvwkaP%n>q
zA6Sg#ZKSE>qJuD55>52+#NSQR`h=oeI*4$!%azNb&l@6skZ?N{@n3zjW~qU!d1q^5
zh)<dYg;88~Qc$7+LQ55Zy;V|fH?TWpfKNyMd08||UB1Xun>-<f^7Lr|6DEsvGuMLe
zOffZ(fhTK5BRUQgrc6Q=Y$VPAo=IFL`zfhQw5JshWKmGR3W`;w8y5#+QgFN#R_aZd
zyxNK(KJamiLap|&*&UD_tBoQ-_%^y`ntiN;{<~fLF?(7yu2CTgO-^I!(1|EE7>g+C
z5MH7F<qZny(UYkCAg$G_t%t-=k0tbi3u8b_)1fHKTfO>(YHbpj7ruu2tm5sv(KE^p
zNNCFtNwJ?yY7l<9MSpZK0m~K2jAUsS!fwjR2TJm4mJAvhIe7hn<r5`8Kt*t~Ui+?e
zOL?hRq~{{9X_~ZL*ilpu%`ld1@gZLwRI0t$F@KK)icRr%ETP9ynN!F^3`2!AsCFF^
zfM>r5_aMOnEIV!q=rNV*NYv7i#%f1mxx4zzNo^N1<S1XdEYj{uKxgigUXY;2n3CBi
zNi9<!?q%zVg;5qBM_kjz)aq8<s2lDKz|vP!TGVDeQ<|RlDe^h(=u`|q><-e{K|i0S
z$O8&S5k!N0i~O$lAy_4a9dPb~N0EfSzU$3H581ORcE;M<iqG-lB225>q7vAqp>A0l
z4GWwnJ=u+z5-pUS0`ADVOlCdVr4^jr#84T#$vc;4Mox#qA=t49=rtv4w7Ze&QRKpk
zMx;!debrs^HrHg)-CUN>I<Pc5CNOBT6B_lqdM#63jRs_hNX#S?yVs^7@l0Z0C+iD>
z3VTtei>F|XH6jjHvi6Me_{pSP=jqgPYwQ1^oM(}^S$Q=aU$H6D)4`DFaKQo<vX%67
zE+_pd>^pHGjF6}_URWwksJdjt3h;_%?`sVQ=Y5I4hFD!wPxGj!W88Els8!Y(ucCgA
z6PD_U@)b(4VNk#|40n)fOc1Z4R$(CK6_{;Ip(<pgsg!Os9)5WNcvO~-U02HzWYHDB
zb2{88`@FERsEU>Df008ds@r`T#6Y7T;$vbpiIZIRc{SHDnJbp{S9~#l@k)in2mj?e
zb;5J|YqA*p2SAN>g`}aUD|XxBWLsr#^I7&b)`I*TK6~Bo6?;reDofHcUsW>kGH2Ex
zb}INgVx)9fI=em^+I5amAV)1MEl`;#37oRA|HFeHZ`r1?&F*~|9e+mIdxA}L5(kkc
z!#{be);N+nA)j|frZf^ESa%e&GTHrA{>_OjvTvb$&ALNT|M6<Ye-y{Ugh3_JA5w9Q
zn0~3_0|E}Xhs!c;LlZ#UDa?G+2NVuRs*kgryclF=HXA;|{1_Qvt}agJDv{PZ^{TrM
z;Ovwx$t9@O^Nf7$8coSai-C>Js~e5}cuRq+f*`NO?R*9c#{-{k9}}Om?q28%Yo1tl
zW3scm7!OEJX5DX=d}5twam*_HaqII3<)+16p=Gwl&2)tYV6zOm&fRfodq_39S8k*Z
z^ll4NAEY>eJD&`W=})$1gklVy-!c+22sg-M_{KJ&Lyoq5A<3%hUR}&#=M>+kqSEo9
z4CB$A-4Sd+XvWRq!;M>aH$L4Qe!2O@)}7BEyhpA+EsX9j2mu`Z;bd<ydUSYm_};_M
zN6M(yJEKn^gquSO?fvuU!;eNEd^r5@cQ-%y-9Hhb_rZJj&}&C7Zn{5q&eW%;lx!H@
z<=B+rzs>mff2fY-^`|HQ{=QoHEicUXPSD9mk0#>-4m>-VqgqedsaNCA(`&=4PnXN1
z#myTxnAz(Qr}Sj<&2?0^8-;LgP>KCuapS`efA_nOetqNV$>Y!dbmQ84_wU@_?1uW`
z^$*^=C1i)QKOa%G<|eU1-z;yCAu^r+-Win$<&XdL==SJeyXTa2NQJG@rjCAKU2hKm
zmE(>}w{H&pt@j@8a~941=r++*i<`swk$>t;baL%<=i{sM;jca(et7No?+xA?uKC}m
zr?0;|d;Q(+v-7{rksss+oxj>2a}xF8-s$lC`{U>5-_K8lT8`)EKQ7LHSUx|0IX^v|
z&Cp5Eeo<j&le6iJio|EbnPPL`(tA9%IRAd{{Cj2eFVNN|XHO@~*WXPP(R^)fKhD2j
zkodLFrx1U$q*<K5q@Xu^ahuN3+JcTQudjXmE?s?g{?p6_BuR;V#zv<{W1YS-U7RhC
z&tF0oPY=&lUmv`8<sYw#`mZgn(An`eUp+lTz@7hXLEmTRe_N_^JQRXhkI5)K(9BR$
z;&7WjLZZAncyIG;IAP+56*&VYj05J!)Vf&0el&Y(X?wyK_VwfC0umS#xHz5BBL0VN
z+}t~VskOLXuUq)lRP%Xu{%W@#OY;;1ryu*TzdQedfj1F`!xKJBrOe4Qn!m7tc$Fua
zP*cLrV!YfR&koPdnAlE++{Mui|5t?v0LjAxP7#9XpTFGR<~M|~%Xptonn@qLcmBWU
zXrKqjPzd$^=EG-`{l(e&D+p_Ud3Z*+4_#jR?TP1jat0XY)hyEC$@Kiyj1g!-hv)zA
zv)o2Ax4x|y$g??3KNBIT&hTV=d+NTbu*Q4m|F!#^0U@UCRlK%%|NqWYxmhNV+Vs!I
z^Is*(i~FCAhm$jnV|eiTuMo-Zl({;f>xcT3)>%a;L_wjO@yPSZk~w+(on1FFuWQ2I
zhA+^M<Na$3f2Vv!pP0ow3&{jeX1-`7ru%&;AxQsiKaNLhwEFGzO-AMK(Ix=NIL|An
z++?p?p!qaDJ2{Xo0Z6rXswjN^-IrO##IUR)L2rNwe$0*B>!<SUK}RA>5cw&IiB#r$
z-xF2^!nS1E%*7N=082vH<E5Lh&7d?k!=de(b$#Ipx}qGc5hn_$C%{jBhY62xOG0m>
zHx<i^&EYLwhB6#qJ-asiHz^7Ko|(qK-SAJn$+nL@K82AS?(d1BP0rhFWWM;*{w^F~
zR$BH6F?lz`pwsMYB4-fG^8b+OuY30Y*W9n0_dMh8G}V6>p3ICqIRE~sL?Lv;W;{6m
zasT<n+l96NL4woLY%zv&L6j@pY<tX3`K-^crihQSXCQL(<03=E63%}t3=r`+_{Xc(
z2q9^0Wymti@EskdLHP@eQ5e<o<Y2JD4#*FSej&~wCfAOvOLjb*MpC4Efgau*UO9ht
zJpTCCzsDTe`S`;t*9TYcBTK~PV3HzP_7{9k#TO8TVu|Pnd>7}?{08S-k7xXGZSY(6
z$ob2IXFP-x^z8h5xFz%SH^QEz0hANJ7lVJTpEP@_?jmo{MGnT|C{|10!ic2d5e@F1
zzf@FaPP&v<ue}c-Le<rcvmw5}G2PKu&k*x)h5hl7c@sSh?l+lpxbQTdjBapPf(m9M
zuS2*M34_d<KEVaVP%wZt89Vcr#n1Vx8#{|bYst(AkmULIODj&3von+=I7|c?pTFEe
zwy`FIjayMMW#g-@!N#`u$@!1y6ugM!TukAR^jxzs0o+2+qB}`YPG*D6{U?WeV+OzA
zfY&o7=1G1hRDVf;o%0{i_cx%X<^glkXtpC9)HeDzo-I#cXj5^@*WVHOy3`~+A2ZG|
zTsY(#I^LY%H6$Z%WQsC4YJ$5tH0^vCwDZyLMI48_CM4BgZ+a^N#3ei4eLfz<ndg|x
zQlcL#w&uDtHY!`S-6z<1GJpNuv6et`*UN!+tHtHu^yRTbuC9lf!;$G1w0j*}Z*t6;
z>cem2(Z~B^d~9#{T%IsC0*l0<i5Ij^t1CUZd?1MU1v_y`xakt5WuvBeixw^LoMnpX
z`2A3#8a^V|=lQE4d}_(oKCWfbs~I$X$^rsLK^4k~oALJQ<~fUuRC+K}9_#hNZRuWG
zoXPR)?~=Tm3~tw?K1CVOLxL!TP!Pp^HlER;^fDw#&>d?JOO*N>H^)=xF<vYWC|ZHN
zCiNLwJ4EOcfiA_w&+#&|F{8*@R`8k~ht|ZCsr5_^qKw%g=t>Zqw~1;WV8@M~sb$sn
z$OzpC<+UB!FzsUI3hRO)zz+WK`n%`I{ZLk^ubTGxClC5}nn|KI=-|;IJ(oTjakQ%V
zK`Zikp-grh%s8IOzI#KQ5;ce|kAToJ>%#fpX5AC$j06b6G)@i<XEz5MSm#SRha!Le
zs{KXTvZ=^L9OJgtxC0cciLI5ZTTl*~3-hL&(DH*hJO2Ts>ikE?+D~Uxmkbp!-bHMf
z*RM8sM^)b0`C@c5S^vbx_H$c}eoqc)G5`72jcs-u6m?y^cyYiQ*oc)hV(`yjf5-N!
z?Ksv+3jg<bZ)Ok_?;xAA`Yd^ZG{f`^HSqk^voTT-0f}VjzBbjz<WsSxh>D2GR2x0b
z2iaBHvN!_|p={9HGc;iAY7T=sTM{91{t`hoW6Pbt#C+9GmiZmxe7ZN5072=NwrmN)
zrw`|c-oUS>$B;1+3++x_D%W`wn(=H%bw)b!E}M}hwoNuveYP?9kTN$cQ&KbA@g}3&
zMBpy(d_s2-6na}a2HYbyk3^)1>xX06XKbmW6r~w4q@=%*^S!UnrrU=*j9M%%HLR%P
zFF_@MlFolPI>9b=Kc;3~DnN*R!Y&Bf6Td?*ImYOuh3?DP@<KIayRyDm7M>&Tbel1q
zNEh>(%;%?584oZImN)5Vfd`1`K7)Q>SHy`h`*d}mzAC_VpGst$j^=x5RhN;LR!d48
zO_q+MMplk~eQj`$r3Y-+p^{<XvU1yWB57Z-dtsHp86>8m9H3O0PqNQBks<epgI4d3
zWU$IqK@WjOSd1l?A7L#GHYnhVX?Ok;4ibvJ5V}**8uN%6^`<8dXX%+Z&?uhw--~o3
zm|vQrb=TBHC-dsRhkvA&jNKzp|Aja7KD5;}Ap-PN!L~)nbNnDZxr!|6DmfuT3=7q5
z#E$8zulDY39Pgco*2H{SWE9*V=B)e~Vp^SHz7qr_+O>urLJq|nfPTzs+OUu=#k6Po
zP70SnoN;nXz7@SNx}W<|BT48T??9a#kI4=XAPD__I3s_8AxuNwGx=~jd;@I$$^Lvw
z-#Sr+XW#%FP|V;jjxKtfG6bGZj~?4o_Ln>xaNq!0P(NuCkzV+-7WMwgd`4TGad_d4
zSc^pT?9b^Ck<OA0m)LWJb1l(wL?BfI+P$4lLRt};1AOL1`^Xgch-yi9J(4`E2(Z>v
zg%*T*^lp!ftl^h)gUjD6Z=v!nsBb)60)0Ot1z!?j1e23CWvG_E*V1S8XTT!8XW}9s
zs{|LXP7BY6v~*_rMm|ob?BunVY3MU1S@bZPjgQc$fb3<7q>F+Y4*}yOsVezdj5OBf
zZ;~SD`7#p^PUcf2Ub32Gex4!1c(t%X`YPcSh^WaBB`$p<PLv!ecf3Wdk;IezX~LI^
z+=V0FK3N8);|@tXIKUD!OU)xF<HKe^XixSnA;-hpcRu+XA-a#7f$;zPpKQTA4!122
zp!SW8Pycl16S{(!lKgrZ3bGYVRL$`c4s<qMY|H*c6b?}z{a++6<CShcl4O@~o}sn^
zshOptU&>5FPZ7+I4szr9M<dE5_e7b*$kUNfHTob~%qM^;<}1%dOt8(z@{n{91hk&t
ze|9n({^{WZOHM)mf$H0AY3*S>WsN(1>3yvVtkTL<g{h)b5zKdTG{>vkv55>fBtH5a
zW{7H=U(Yh}nLHUfB_81?HREq{TnR#8)kEk41qvO>nCvcRpiSp=i0N%R3fq2OhT6aR
zrs?{V*0i2adKpN%+088$F<EV6AWX!v7a2U=2m>nlPn>cJqdT5J2zmf|Ph1Uq51k)^
zmW#Re9V~~RP7XQqRsIwiFu%|j3g)D4K<k(h=$UjYnNo$vU^Od#;l<z&MAAip*<{Pi
zPv3Bj;XgxX1=Y}?1&|E>fGcb_{vE-uIb-MQqsAF!>qoqfGiVO9_eJc&CwfjR0DHj$
zk{$^WL;4GFOFD9MompiE{RGOx8&3f_{1u8d5h_87F)mG)`-k;n^kjP*Nxye`cpN&l
zw4;$^xKvEEc0tc7M7ht6g*vf|Z|Qq6kTS7W2SKk~iQof0!|GD<FB_{e^QG`B_JC3s
z>@L*$-LZKLgrX8RXM<WJlA(~?bb2pj0n!HJ=1BG;oPzxzn$D15GAXXWRlmXY`EN(8
z@V~S34yLkkL{Z2{Yz#Iw3i83>T>MGw)ZQWaK#T}o$-dKnQ@DY!nt#9f(XapIx1}W}
z0dsy@213tO#ydteDKo-UF{$eCOfEIkx{V(B7m3k`Fac<h<*`z2^N0z%KiT6g%rm(Z
zS!WGjXj8kjnV$S4^tP{uI$l4xfByaMbZnBO6P5@o9pF1aZUBzFE7OU-cEJCunJfh3
z{zjk>1(`FQzv5|_x=p#kBhQAq$uKb5o>f|{*RWnP9I5-gzM=g@FIM_@&)W!&mnjCW
zQ6r7^KQ^yxLST9F*lIK7_ZDXi^7UUkV)fEkawF#Ckg7+ni53K8g9oVs;qpXp{9&U>
z`)0d`C7WHN=)atR%JpJ^dH>O$wI2)AsBK<Tv`65*xTc$mPq4jq*>{z1g*nTPmXLzP
z`=GSSq<j5W(BE#z>Qx8O!=x>-cvf5VR!%xex?Jx!YER3y7%~D=Ib})d91rd?O^730
zXn05s!?Q9W7qHzp^$)9F_MGrl42qv-u?r-zTK_yc(#zw$)3M4`|K^`R{0$DoWANL_
zF*?N@fB>t$-<#RV{?6iv*Dkyvbu&XC+KH%qnVS2o_J&)lcxwY>bc{8YMC{d8z;LEA
zyNgltG@RkW?;L{v-OY*8N$u2D&1z+>Wm~Y{BR?vezT#ZzNvwRx8KqrJ1_&d;$WyTS
zWYA}EG_qHNiX!ZzsF(2&ty|T09y(!%u|ZD4fwX>v4I7o)H?oLE%BsB@Wd#;)!#ZuV
zCdg5Fqt|?QoS3$@p|rDXi84z2m(KtyFe&L4ya!<g$D5zBGU~<oPneGQoDmHIGm0u|
zj#5KSZlL`<JI%THX;LMNlF$^*v42E#Ar2%+0*MR(Tkv=FL6&dF5MM6J(l7wcsr4G>
z9<BCE*f?`}Cgq*?c3{W}Y^CR7CUWr}VA;Sp(WnAq;lbe8wU-P_g3+YOV4*bOd<;G5
z(@!3LF=A7}D&*PHSTM9RI0i*vx$^cQu3Kwc47)gWX-FfAZ7WY+H{rI`lbqL7;gf4$
zEIqJxnP9x0vLIc7<qMflCIS6c=n7IH=4YcUzM@lFMdMBH-u1>pS!LB?lMPW2#dzgR
z3edClBN2lNvA*0plnhg^-|{tZw8Q!ND;mzie8y1NrqKhyK=?@hVUVu0J?b$rCRqD*
zRGWc##?UZOJu@fL^hA&e?TBQB*{4TZ^HBS}V^~01r|47r71~KBVFdmM5`1cx?V|T{
zS_~U?o5wwg5&_m#Iqnu;B*2z{GXI(8jn#zha>6cuu%`=9fmD<lAaFRpAyrlsJbZ8p
z!j5OnGsk;cuF?o_BK_?GhMs{qBxeF%FQ|RTpNy@q{W_HT$?NEya*w6`Gv1wZ2(!@`
z12vKYqeO&wAn?<$PYD=CFQ-q<2fYKdclN^kO(II%C4o2-bXP{3ZY1^l`Sfg|$Ow^@
zFl<HTpliftWPk6CsouSf3ua0Nk4S&f3pE=L|6-fqFC)Yx0|lBN{w2z0Kd$1%|I*2A
z8c_&PJ6|ct4b#v_0XQua25Zp1?!e$ir<lnxM3kl%!8;W0Q|ok6Rq<&vZSb>tak`J~
zBVszvN6Y}9TZ`hPMX(U94H4D>ExYNYjCDO;fcZ80Gum4Q9bujd7hnI~k)oa3QDtzr
z+dLipLP_105N#)G{`%nje;MJ#rqRcS53m8KQk6-o=KTp3WHX7zRtL=Fb$V!WGC9uZ
zIddsd0q#w76=Wdt7Hy}GWnl@wRKsnT6h|RkKtPYhbJqN2J|dRJ&*WGT^(IcB*f!hf
ze8jRac_l5j5OQ|Pe6jiHi~mS_i_k!aKs=ppkCQBBKd67&YRo376nugY2$)w;zD?Ks
zZEuh-Hn$#aeDO#z9+YRF@51hcCRApM77}Upj6IHF;O5c$;<d+L-SIh=4<2p)`O-Ep
z?=S?7X36V*93LSbQK71YqqlRHbRs^?iav5;RPBtxJM{WHrZmkkDs*@s5Q6(l0qtvc
z2BWZ~F=2N&sjn4oq8(cF;v~XlD@g;n!B@_IT87K}MzbpgU<OVS>T`03G|zM!m&s&-
z&5`(AbY23iq36_uEjYzKd`}qM)5X}4hIXN8iO~|<jRdWBzBMnec=8_e0>eWzEVTgI
z+5P=2S*m;XAO0a5Ne}{fhg1thASfumWTbb*A$BIfAt<J1R53_MF==vzVHktT`iTuQ
zo{((2$npP~@nu;uCju;`quA5myN(!1cgBOwrxMZ93}62hvrrI3r_8d86>~wb362x=
zoTLH<afFe}QK+bQ@6t%K)H9X~O<zX4TiT#6w!|H1U%swIWoa=XG>vvwo=6dDpDw_O
zP*y(-#5A8`n=xT_@=1hMe}+GYMUIF>0jVJvv)Ww0N2G{zP9w~IbUa3}U@YpczGvM{
zMd`%*x>?J#423l^a6D*8M_3N4f~Vv3a3Q5beh4Oootw5Sy%fLBQH|E)w60jb!N1MO
zZ0kukhr@%m=v1BXND9oz_Dc#uN}LgvnY>>Sq+8_eNV~#w+}{F;4vH>M$0kg;LKFD1
zL1PrWUe_G|J<22m7i)S?usG)d2pv)iDpBpgSz;B46`_6xvb4KkTM`gw!_T8ywhb%B
z8a~#vgW>=xE1!A%;FgV^`uaNpk56C!6}OVjG?yN^3B)+vrL?KcQZ$D`M<%*t7RNZy
z(=Sqf%bdUIn^FTG{l~-2H-C0Bg#*lvxBr=>hxrp>(}1(AXj)%`zcg4cm86@%DybWt
z(4I;|Ebl#&v4{0K#?vXoMPYvde28+Hent4gdm%jR!w}*ah<yc?xk3q!um&(tWyy>P
z<DOFC2_;O3pyYSL*kW&n%_yB$TY0lEdM&Q~ta%fO1uGu#lLyxapK#DB{~vL>*@uG-
z+KX%#KB1l6zkqe~3CC|=6q8g;+2Pf~b7|%#K^Biw^5t!%M6=hg0d4F;ix+95?=t`*
z+Z4=vFl94@S!B+dRhjF<hnP5E8z<T%t=W;ELA%4oWG3gB8(Ji9YO(%K%ac2`;h|!Q
z3?D;zZ0Q11%#j--fng0z$bq_nw)ybR2t7xEX-ESmxYb!5j0sxIdfRCef?kvXO%ai?
z+9)O_r>s22TTZOH7?naxRBV`!D3}3g#1L?R6U51M;Sn^cVh8<hTA2u>tv2Z|eJ;A(
zQxAf-Hd8ijMOk98TCSGMvKcVih@RC}vTsq&ExZ&q0u*pBwA6tF4R>b4q&KO;TXU_*
zV}Xo7V}E#FJCIg1eZjR*6(S38UY0ci9Yv<d7Aq;?w7A*~PR=_=w_bzHRu0{$A)r_K
z#`VGHNyZN^Y)71z4Ql6B{|t`0!I#we0Jed^%I1BmHhn5b-B9Y8<_^aMt5Qh1rG057
zTAM6ZYI_$q96M=SOx*k=!DkNAlxfHroMgCQzmZX>I1l+GIBr&0q3utUJeToCD<H2h
z4&LR7Y2R;A#2`8AtkRrC!wa1PmEfYGgVh&n1x#9}w>(4<xvb4%CdjeqbYp3irbK*?
z+W8$hhE598*gJi0Gp%hX(<<EsKlq-!5B4hLEFXjTGw{Nhx4W{<&}NHoldt5sD%@)_
zNMQf0NS|qZz&aVqC(?$b6vxIl?O+_jB2)4h96)OTRiD2s&8|czUmSC_xj2)V1hnY?
zhUwG(!bK_QG43~$5mtzTkrjpUrY97}ot}|eQ^jy6vU|gA#87#^fK7Zk2c}$h6O4-O
zgf29R9vljVBq{DtxPx`PUMOVc39!_a4wpYre1j5}>n>J3l^Fw&hBCXDkB`{b%kswR
zEw)j<tNvECLxomhv?@F@xm(ABPgGukdZ%ry+1jgg=(aSS3}9}{tPbJY0+ehiR`>~(
z0Ud8nIgu)IBXYp9f+;?R^H|3QcCa)CnG|NfEN!GR?+f!2g7!;uU<E$%y_&DTkz<BN
zMm&ol2-Z>{#N}++0p-8QcUD<-8bX@O#UXqI6;rNFAtdgevSOqZWb4IIF}-P)y)z>#
z#tI{Eg=d5<PWF{T1&TzGasJ<wd)=&yhx9*i;R5u#7+~4YU5H=)(-*EyP0sy6#5{+W
zPQJHSYiFA5kHguU6^d$N*S2_-c4XeFt$s)To3r`LeDC5Zl**7T<!ty%cU}{ks>>a2
z7OAmq>Vn_^0-Hm-l)fYnn3!#+=S!_&_n`b~!nDPCTsGNuQm+j$a@g+a;r2E<SM@Lj
z9fYwXxRvv|y{-6jY(QiC*-iaP1dePq9>LMw?5!QV;l4~OqO=I4Rqr{p#35TrCP}@`
zc_1V&aGPZ0`L3*yE>d2c)YX7p1}6n2DMjo$3ClF8|7s2hvI{`Ydma<;5Is$RKXI+F
zX2mls2A`0uf%pD@%4m()UUc*4lXce<f;=9a{}%?Wf~U@~*zoAi(v>iBop(NXq-rb@
z3SC_2>Lty^$)WyVEgx%H(Lja$yecZ;yS@<L$(n$_m$U-qntVd|2%saW9|Y-=+BH?0
zROvRsv4je}7;N4u=5zT|XN#8~Iy=1l&<Wz3I^ceIbpul3_!ZJv^a)&tvmA?mjYoKk
zV?24_!Y63z(kJdCF5vQw5ujbdVlPJe2W-CN7yzO=zF&0GZM5M(=xnclux5(Ftn`lE
zkN)|eKl~m4{mpOwl?u|*Yyrw2l5}lEspnh~$tdOraRUN4Jp(-!jA-$kuWFMfwJ+Kb
z9p{@uO3=vz;K)j~aHITb<Jl%B1*)b1Evly}EDdL+?BaMi@fye8Y!ar*@n@R%Jq)7l
z$slSE2(KJ$Mqz`FZ@dNJ{fu{@z4TThx!zB9Pr9#@4bz{+_K7~GpK8k4)~VD2t6o?k
zOXgeE1=x$>+2Urg)y;G<Mb>b6$L-%7rq4z!(>cjdfnc#BhKy1AG||IH_qOUpO_pPV
z8>A$;N@WQ@TK_2wenDcgNOP2uT~_2HK_^Kst<q)H5@zM$HV46k`p!nh1QNF{h0v85
z6)JM&^mm^=tBr;1Qcg$!?;Hs5(Z=Y#H>CE;<Oy&xjST11PW#5z^W#)vk$~gt6l1aR
zMR^g0R4HWaG5a~m0>WbOujP24oYBHGcga$UQs`OY+N^A@NvySK6X3mz8Ka{N^KBYo
z7yisQdtFkn@Y<F*EIDy6Jbv=B4_2-?`btg%$rZZ-*>&lh&|Zb>1hJ$N){l-=8Jt+u
zIc0XR)yp3EZ@kQo`4UH{<7o5t>tB!vDA%^2i@n}Y8nMG7BgTq)?6`(#WrpJsqfd~r
zs7!EAsm0x+-!F6=yGyw!*q^floMEx{>SFLIOlyza>Vyd>>W@8N0Q?foL}92n^Lr!e
zXDKo_HH}asYHpWOGA+79hb8gVS!w`G&Tdpjo-Yi^dCTV!NymCJC0kC-@>(6UCops$
zNQ3y;*>ICU7cq%ERYpfFa?rv4CRZ~_<r|JPF7H74Vb3Z`@(ph~6EF9w>d0`C9BH_;
zz1kRuiK}#7Q8)t&2|S~zhjj)j`wpXJO4#4Hi(3PH{bk7JGkoTQ^ZzG;q2zvXOjxBj
zAvD=~X|pihS!K$XsBkJwTm6OulST*-E;;F74^~f*www<+kv%E6DHb5>V=`3WAIZ)v
zf56KUk}YO99e!3RbopU=+&q(;#8CCXvRzsb0bHSo{q(7p(Ur?WI^cH|hHwUAq8bev
z3!Lvqfw#=G00b0OU}T8_dG2bQ>nTnvDmVbLP%0|QIlM1@C*|UQbWOQb+tCV?D_;)u
zlO!r>y<kJtR6^RU4@NEM<={RF&zPBKm^TM^OF;zoeKkk*^?F`zk9Q{9Dy`pA$@<G?
zE-g3d60?xIUE=tCvQ+WgC{W~(G93s794_Ccy6%e?!26|y1b_~X2p-S?w@-*URBloO
z<Q1=>$6bALco!myDpW_5Zc@geT=de-c=YvmGMOHL-uo5IFu}+<s!|lGz=1BG5X)r{
zu@za<Gf-3|pVeD(wjx~HPFImh`l`bl*vIB<x&2T+Q>7C6joKN$UEzK@_JSgYS+)q_
zW@K64RM<fMLa>MwM8O7%V2CREK@r2De=7ObuevW0VUv|zHZFP7>z{4M*8vD_3oJMx
zl~R%*-f)7TYKsqRbBL^oY8YO9fZunQUBVEzo=%@EM=Gp@w~~j5$~Zg{$0H7)-psJb
zYnptaglG<m%y1<5Heqak6=HXFJVNqpjQ;bQOPioJ$!T!)gVFD}AdUlxU%fu$hj_b!
zWeCmFdm}DM%Y1tNBg&HF(&NTsZZuTLE9`Hw6KUzjHA^k+*Y6L;`9wEo<g1GY;)-}!
zQuBpu1=TytxmjjKu#X%i?oXEWVU4T7(#t^gS=?|*Nr205s37j@LCs3{qz~{RPY<HM
zQNB|>P1k?i2fxSSLy5l1X|~e?@-V->zwzhCx9{BBeEeYJ{^sL*n-4yH^x2Ejz_mbX
z6*a5b;{@pa$@K-|_QfBrxkY;|SXsBn*Qbr<DjC45%$jmF4f@_3{sI1(BZOl1H1XN$
zM~_VlUkEr(e=f07_Wg98W$~R+I?)dnOIQmJNGfgT<S1MQbUus=_=N~G@5r-h_GzT(
zDB8s(o@~8CjKvd&e%sBR^8;!9FQxGXIkWTKzZi@G&%u8pE4Ae__2=!G>XN(<t+e17
zdwHyJRe{%v2l^%_K7|x);yA@U(kA4y3u@Yszkn5kV+SS3Bx6ymuqEa0zI|&5mtFRx
zx9Kd~#m~m;+T5Qovqdi++-`qISdNr!$LCn<-U`>*@H0DIjM2ym`Njtj%tdn##kBpY
z)U|x2m055A*b<?e%*m<qGP4Ds-Q%ne{ANs(?Y~rys9^=t&T`x2PLyI%p?%k_W#Ga#
z>}3t!U^eA<Kc*^OEhvk|rKMHS0Texzo~77<)i5)0J>tAv@M@GzJwOPtwyrpgJ(wvL
z_(|Q}W@^Mwgp8ye5kdQCSSrG(-V(qo%uzKjPz>u}H;ArtEVhbK$eeamfR>JVgCRD}
zpgovkRop6v{#dKbdNLnb-(J5N%59_?cyu4GRCsf=&@+*w-odEySGp86agmOeR%0~8
zZ3%-|eNn#Y5|78Qc(8<HK}=P!L2o7#L&vqoj1$b>y{m!+_IRVtDgF<wxrTWW@ns31
zbG}a2ZFa??uCDfR%}l1~vKpbNJdYSrCQ3Q0g^y|XTsAwiP;`>B+ZB|ge<9n|F@dwl
zs=Q$!SZ?&k)HTmm(RbGkBkxRh<5p+?LB$bhgWQ<0)1+9*h@p&=@Id{TETJwO?zvH`
zhh3N%%k=2c!~c=<E1}`_;bWU3ANGghPw<hESr5XDMJ3MOdB1Gey(x6VQ?TY`1wt`(
zm%9V&msdR=O=r}eEY4o6Rn!-TSmQPUxfYrfu~BRhi!GC}x|q)88bmg9WoNJyE7#)6
zO@>htU0l${bW|aKJOI-<CUUJObcbtNSbdo=sI3RRHwT|im!F+%k9sH`HGXT)e?lak
zc|Qeqc+0nvDvcUVYj62Z!>?kT_3J(BEPCHw)C^CT_b4{lT5{_y@@%3h`28^{rY*L3
z1BfX3*+gZkVuJk049isYrK|61>8PKC6+J#8QZ}luJ*I%iW1rmV7+Pw&31>XnLuLUI
z9UfADG#v~FgxR2Im)|Wf_r@13HWxJ)aar}|7f0B*P<xjY_v#I|vx@VUkG=78$rkE#
zo6CFGe;h^T4KFn0^G*-HscFY~P>W~0EB~Y+j|jiRQtNCD&f*~q6iDnu*2K$$$o;t$
z0cwNv-|m3j6r(k2>OH^ZV@yVF?_QN!S`{|A{5Fe~A82T1O#>I)uUe3Jf!R-oGzlUo
zJF~RD=3e*a!+V>5PP0(*GxMA4?sabteeQC4*8;|M0K}kk1I;7dxT-eT{S!*u9Y};}
zUv}*{TC6m5>2thSHCaSmp51hT+^N!BN<Zj=nvlCYK_r;xwQ!Wcarl-6HHYX>R2&wB
z#zES5eq-=iI4v*nNJ?N2|1j41&yDIZsLtm_#e`_HkD$8I?5gBKxQoga$xEPXE~%3T
zPIsFMI8z(C8FRG7$(Q6<lupZV+xj=CDx?KAb+M_=K;Zgvd2^Wl2-K$7cnE8zZF>@F
z$)H*2M5rAduY*6czz39p1rWlC+WJu^uD8THD_)-AKWy26sFktt^xz+&D65o61(X88
z%8h^$ma(^NHMJ9`P9zTtcBiyeLHUYj3O(EQeQiB3kwsHQ+7xw6CFb$#A2ZJ9wQdo?
zp(-f;_-h{<-f6^LA1e_jy}h{h)cVtcNpM{!c~B*NGC%s7Go42EMWiUlyjvzI3OpG`
z(tV2olj%7nvUI9sas%sO0;Mq1Q0SpMqmXD`@9>Fcdee7WOG)Lz?fUM%2APBn#15CQ
z`m;#JQ_>x_seNBiPKOuDr>VCUl3NaTd#u9SQE1B+AR{17e5klpHc(z>RDqnO=BUOT
zLO@YK)}5kpB_&In+}B_v8xepiqqA=VsRDzdATi0ahYIyQPc3b7T{YW!p)++rxqz4@
zu6RX%!)a_WNv|<jk9Kl+tRPupzAHKb%8&Si+74yNvOBT|3SEsBOC-L7G3XG*R;zj!
z9E*`lCNx~g5WSfQarOPLL!~lV!ZB+@KPCU?;2nEPhADz)p+KMIjp{V%JGjK8bji-p
zE<)8?!gydn{u13j`)23)HuY$cS`gw(vZ9nWDA$H*XNFz0Ag+ihvC%C>FrYjAgbQgN
z1-bj|2DUcfy|UIciJIla?TB?yHK?RODrVVh1@<dqQ2q~wm*QQc?$S|qfd{)%Xt(re
zTW=*3F-7;lIqL9amWD1xCX9RFFNm5F{{ds}I8drowbG{gFU<xdMJFw2bC@1ga3w=M
zV_a)Ol7ESF0OVfEC&hqS6_8U#u^^~sx63wV+7{B=F)umLL^X8ryFe=%BzvdxtfczF
ziWl;T=&p8<&>AsI6{TTqcaJ!wXh{<Cb(|j<S}KlP*Q+t2wEL`#-I5tU7KyZq1N4^4
zQ3UFmlE=ZtZSca~46-@%<MLs~SR^JjA!}*{7^aPgq>#nz%KZs-w{gx|nkaNGl98*b
zzIJw#MXxfir0uk2euRbt>Z^`ZmN`|dM1SVJN7&i|j4OAJ>ab2`Vq1B$D!#|{d8)M_
zrsVtQ6fTY%b$tb&3{Q)AgFz#mP@qs1;OaHcb}F}XQ}`rv-SCvWeL}`EEbqRgWQxaK
z(%&rKqObUZ-6wI4IV#BB<eLDs0Vp{&<Ar>x)dT1vI(OnOLkW*uhSXKlC5~}O%-ejq
z#=zuo(&o*2gfMw!Uy}mdeB#gd?^#P+;;X<n-`?Cw)qs)<`0~5gb%qHmnZKCM#|WKF
zein{eJU*mQ%=dT@jF*RxlI<a1Li=SErRZH^W3YWoK8Fb}6=k4ajmAcJJG@;RCib`t
z<X2I^nNReZ)5H;pp+X0!POnI=fK9rT2iReW=EQwWhmTzU_H6jAqcLBAd=QF}!Z-k<
zIHHIT*2*WD9{tZbI?I7)?MUguE4tZx9G+^1{OX3tvqo;po!%SWv26VthUNhkV73tI
z;4`Ft&|lKhd(Wq<+IpPomrJTiqx|F<=S>~v04_hEpbz2M$b1rp$qr}-m)h!I*5{v4
z+EcUNd&4BpY}y2XAIj`?qD?Afaz9NBYaE(SzVIrmAm}~i8bw;V*vG-$4XqpdHv<<?
zM_O{Y8R3BdVj8hwmHq{CPA;oR+JF41%EU^FV@_Q5;$*t=X$DYQdp?B`?{WB;JhyOE
z#auZLt1Bt3Yf}|#Y4SSerx0bagBceEp7&`(IAhle9O6th`Qy@ZdW69!&$7x+D^1%^
zqL#QKp_j(uv_yd^G>t94&t@vDT8V!5ox{JXrXa+`(wau79-{XJr;B0z@vF^|lG`12
z9hW2Fl|mHawT~Y^`rz?n;!r!$Agzd3X+UBta>Cp%6rv_sMM{?Z4c)Lf`f9qT0xfc?
zc5km4Q+`eHZPKHttfr#ilFl^@CbbaRPw6?CL^A?^RpK=<P-vn1hI^RbrJRJ8HX4VL
zJ75h$uYX$aL>{o8-|+(s`&~1zIhc<lPdHL^yqNs<H&kY&j<`;Usdjwmwd1!;$F6kg
zt!9i>{QO%yqaC8@LRlsdhVv~iu2OA4tC_&T>LnuLg?rsjTfhEs>E>--yYxvQwz^dY
zaE}6<aKQL4hfRl3f*02}stYPFiFvf!y`#o(dW0=$!_TUaoQ8pi2D49QGZe`RRu#`t
zbn(vcOgL*Dfh)0!8f=q5%r_2snPaX*a;MA<nXZbjLg7tJ(t^9+l`4)E1GDK-qj$e^
zzx4g|Ve8&m8B+C}CVW;JFD1}=Q`CH1>R5ling{;gy|bE}R~<RjDV*BYwVzRCMij>4
z0{_`sVi{ma)vs8l++bAJu%#^pUZ$6HNEVYgF3qFz%Br`SF6T<#y7S2wV$P{p)_8bT
zWhBrXG*=VJ4{KP@$BOWYBuWMRY5r|qAlDVlkP4|nP(l}dXu{%XvNI*N8o7e`tM9Ou
z?#o2k0>}Uzek9A-j$)}B(tPNztus>N6rJV%`HSTv%w6|sdYNSjB<^zfm5V;xtZq3Q
z5^DaHtO%qC9Gz`}C_!zw<Y&aV_nuKD@jDqvEy-F~x(!(|(yIJ3`f5b7%w(@eR(#rf
z)nf<a{Vw}Qr?jZ>3xb+SyL~*F+<CZR!O0qI#KG5}5YwO#>Qiq%dtq%%DRdBR;uJ)R
zxy-0qql!~WmLukNIDx%E>epX|BW+}uMqq^e^pZ;iY}z_}M#R!Qj$2CXgW5*KY-xrS
zjn##tsXt?f<%aH&TN4CWibmG~qo67&e1TXd(1oV9m~yxwNS}O(bg0{fo>&iu4E8_Y
z8Tr5H*Q;hP{<wX6l)Z{M{3S-6S}dO&ZbV%rZT?L9GL*#FyLE8-dkbl&pz~-iILHMv
znAfNBJ@fokC>1F1{6|A!Y0+4quJ|@F7u|A-+hr~$aJoB<%o$l38#`Q*JjFbb8B0@D
zU|dpp(NrX<U}TgAkTkfTV)42H9VD%}vS|KqL5cE(2?C`2t+R*djEq63x9(*Wt5NW}
zcAAlQ9Z@$zgp<m!KaA@9GV>L@Uz&)M2Mh@7J%C~YFO`)id2b&@yh&IeK*(yd)X^nO
zsGBQL3l=V_W7O3Gg2f1Md-(a*qm1Xkrkz8{SR($NKOny@42s!HRgGHp(|M{e=k4*%
ztPBy2BIN=LaYR3?EG#)T;#;h9+)R@wXB4tYrT#$&dTbIMdP22dM|4PSS8s_(jX`XY
zVzAA8>Rfe<$efNq!1ra*8?P?En;GKUJq7Q(^jm$0^SeEbhIe`E&1_x%EJ<V9UZL!f
z6~f#lu>Qgu4DP{=4G11}OEOr{fpkH(t%QCdI;>mxYr(KF9EH-Gbg-Z>N>@u5%9ex}
zeP9#`Rbe`s6p_~A<N+QRC`%kE5IV<exu^^Q==1}BNNrfJO!xzwf$7BD8dOKp#;M1M
z79gwO0h1YBi7#8-5aJ4G!I``SGo69<55MIP9pKF|;bJ=u3jfvMfoh%%uT~BYw6|+R
zorc;ebWC2&afy|p+WrY31Ev&1aT5>k-r7umqGUn%*7llJ&X4Lod&=cZOX*N$2GkF%
zYk-YexwL|dDHzPBu95K91!*bEK$G5%i}#xj;f?)q>3~?<0Wpx;+l7WAf2zt&;v6F6
z`V_U(l~e8}>{wg}wNEe|(GF6%-qeXa$cjMLX?QtFHG4@ln!E_s_|jyTW~70rCnjI&
zTcsEC=X`h+$q#UFmS2_XnyJW-1yaGvrbxuDA*)`#+$}o7SqDS9NOaqtrW&f7bzL$u
zPMr>njJFYXZjHg!5Mk3b>xLRW7L7-4zbfP|6QFrA52Cr48n(w~1z>`DCI<)8sBurt
z+y6^oUa3`a@sCcFH_vpJVL)|DLx?oZse#h+iTXzS3LG?$BKB)!B_r&WT?COCHb}W7
zpj_CFFvvxC;@LP9&2uPLWN{RJ0cloxhOtYw??Y&J8_M#5tB$w;(;N>%d%haJm23HD
z5^CtU&-1lp(55G{d0R6!8pSYzT>zNCT65cP^XRl~R_vQSS-Fa#iNeg6?ZYgA2k}ua
zfX~Et$t@;6y_fyDZ1P;N=fXP}o$0k3pC3);@b(t7i5J)2b23?}abj8F$Y)MnS#O;z
zOPURp_bIEu!Xl4y3&QBA{!Ki+ja3ROlXvV`U)v(yPBF5dNSkp3yxuS0BsIIVDCO&5
znjOckw}UnVPRV`*cp-L2+M`|i=?dyz-6M8is*7#0+CFZ@Pi5&)E{ogO84!pWA7(BX
zri1K&%j9XzRi^TnAuWckexsE+&kN?2Doct@M<${;M)aNc=&YlMHo^yp9|hUOVba~1
z5IHvy?^B(*cj@`L8x{INF9q^#Z-?uR*6}x}QRnp>$j}S3rYD-1@PD9~!{M=$Ko&&V
zqztHxU{JkLQ!E4AMnpagvYc15W=%y}Mg;)CV7@Egs4_?1aLnA%$2$D*^BH2+gq>ln
zHJ8|iw{#@b7h4<e4>xa_{3t{b5OzZ9SvNE<XSG|@(lbZ2by&0fer`tVYalYQ4|$fu
z(_D~4&=~VblG!ocn#w}T*#z3gTbCP?=@Qz#wh6uK*uVVeRdJG7r>`g5Pf3kbeQqm#
zDBb9ld+=oeI>dF$8+d(iCs#nSm1I#>*)#}aoq`q6^N37NAI8lblq1zx9{e2w=V>f4
zl-^7SmuW7F<)MZ|e8-}ICk9vRv0PEQHRJy1gO5JC61}+cr|lDtNxZVQfuuTelA@2q
zl_f~wHU<o<$qJ_BiDpI4G%E%QI3hC0t0VrieKOrwq5kLmjcWZR5)sfiN<|MzSY>kz
zjfz{1#*AL)ezE66UIti7HnYWZaLiOr9g)lD>=@2KcqzvSZo@!^RV({pAvQ<QY+;1$
zPe%7R?B@h4jsywk8nz7__p;uzdX*(o$X>Q1>~P-bG8ITETFt6AQoa2`qsUq9Y(gS?
z{6RK$orj;f8-}dYm^9xk0vZu}o{Mr=$_Ppu1E&ruNKq2AStJmX$RCD5H6CPjtWDcb
z1sok$xhkE8_}`n0Ob%iI^gw5eAly-#B->E+D67DAbk`0~YxF$n=Q)YKAcF$IIf1B>
zO%^sV5tx9qwa!h|KP8GbI0ZowFb}cbUA&bwqawDvjbal@S41#Mh?Jf}vP`W{0E0bu
zfE7!@W75uzTxKTD_Est$3*#oz=!l+a%WV*+RWi7dZ8#PyPGOboh%^-_o%SMV!u1l8
z7HE+e)>clZU6C49hf=+`YWKu)Ko*R`jgivMv1^pPB!}Bko6-+xLh1m9P@02?b!C<W
zcN_kh&R~(*l_=hp2H&l!_+2LDzxO0mWA4PlA2MYJPl2n9=jT6am^_YVP;_xL3Znp$
zMa|JD#lC9al%h(MWYZe!HQ%x6DM>y<dgv*Ol~DByPhei)?aCoSL{Pvn{ekt+5irG)
zO4P@jpQxHs{gAtiM}G7;XZ7KxPO+4)l#)3h;NAGem<G1>4aQmKiR=dL&sqZ&*;I$r
z6B`OHgS1eP{K5DLUXID!rAtyn`s$VI*RNb#W5A<h|54TtMAoTjPrHf+*Vo*xpp)))
z^-g)EdazvUo5SOBho@a&Kli8qdlSudcM3MS$09{UBvZaI%+Ig6&)vkHJ#@GmYOnSj
z3~<FUvVBOUbl5bfqmzOm7H_^EAem~UDNG<Y_wCLh!u`dNlP<WGoMXXE<4}R>(cSUs
z;>D0yJ{WL1WT_6|veuo|YNEvbi7}f)9=QCgdoy2S#hhBstiapKqg)1T1#I^D7Hox8
z^o$nX+3lakUDo?1hA+`lBIoVNb7d|fs|a)OdEDW!0p3ry5>v9nDM2M6j-|Sv=(G|U
zp!AzyFiJ5bzG$@vxguv^H$J@k5oQ^8v?_P7<}nF`mTT-M+Y?oFpYDy&98?QMsqJus
z;+AS{xv{3$*~iF)%)tcxlu4`tOH|>Vwv6|&zo+8ZFfD9-v1#SG9nNv#$I7fv`hU3L
zlS}SD{QSY@gGXyJ|C{!K(@^DQX5dBJHN-f)a{USm80X%Bl@A_{5#UT(qqwfWDjvmD
z$TeHMZsr_FSo5kW)dGH6EC98-3RT)McrS%Z`J91Lv$wiIWdq0euqq`WpiVZxw}{L~
z`@rm->|N^}=Bb(2DS!->C3Af->7(i>8sri6q!sa^xIC`9>V}Mr*MC(>K~!htwA9RW
zesLTyKB!N5Yks^TYO8+l>E+MDJnN^;jeNm?NKyf%(cl`vgwXJ6X%}9Wta7s#2AQup
zMy&o-|4liF<>}Gn#kJ;QXm(xhTh&y8!KJgJuQFfDar0`IAC_(-Kbi-6Z8Pk;^+~SK
z4SCep8L*V%!NbF^1(*%DBg;V{QXzOpS><m^=xhu>Jw7}+8vV}`Vy7qg60$=)dJzbm
zqK}53JYYIy_oI|=w78|xu;odL3dU)ot@|bfFW$2ppnaOs0T*iKojIe<0p6J&$vKcL
zE*n$;I6kTMc!C=Y3P^FYO|byN6zts<WT@k}WK=mf7hkzL4~Hp#7znj|%(u!F=q_Jl
zX&zM}i7O6}%Wm@StrX-_Yy$KUG%9*|qrg$+QZW|MfiL-{I5flih61IPYV~T}HMWx;
z9Ce{CD;MabPmh!Cc!)Ep7s2>$v%W=!iK2c6Uu@j!;(H?=aosf`l6sVI3s)3tey|F<
z*A8;!%B54a+Q6lcr`|MQq!Vv0F$!?RW9i_J^oQz}rax7+H2tZXrC*G9r&P;qKC|}X
zrJa5EH#EF8pO(tkS0X!$*`l)X>ah13t5$sWi^=XTF2`12uDi&hp8v1L18&6-K8iR(
zKipfry+~^8%6sX?x+Vz|8qEgZqPjba8_rp3kFedYU#AR8InYNu3n@zhUqcHr(p`58
zR@wO%;T&;(g3g}a(*agGYN4x6CQg%>LrQBDuUY%(#GuJ^ruc?%hsx6M3BBzHRSNTd
zL^Q~c1UPKdR)4Q;Sele2B6e#zl|usFs7EM0j()J#qYO+W|Ni(n8hVGLOQP2AOFP&n
zEZ8^{S*<AY<|a?4$O4H!c$p9xWU;)X8^b!!*XoBumI?!uB8Ub#1<#r@!wn^^`S$Hv
z=gH9n4$kg%v+8BjW~c8<v?UMy6xcL{)`e!Nf#G({m<6@6$OlU)n{3pQE(WcwyWCwY
zNoi{?@iH!JwK{o@?m$quO(E~FodqT?QQJBloJn=6Swe6WnPIq#b3RX)>i|RN_%-F@
z(v)A&rpv){v<*$JHpnDl-Zo7hQ9LM`eB=Of$$O|cp~&<qOH)h76zFKx*D*f8dBz2J
zCG>+r)~s_zN=S>4_6E7^qTolMczg!BOK6SUt>_Ku@;D!D_97$r!YJ3A?25a!G{GiE
z+r?GG7>PiTG>_z-Zb$3ju4E-8oc@rqK%xpvE_^xVc$N;uq$wFIz08z2aIOrNtxWGY
z5nyJ`Tt`UtIi_@SZJX?HK@ro4i}seSp_oRgnF$*0de0;ayy_-4PKS^RgE~s2du?oY
zS#1g$Z0-aDqJ7G|2tk?@^q>!-avEQb>Zp(noqbO2*>cB;UDbx+9H(+dCXsNca4Fkz
zC6CEWSPziZ@#8`~2@;i6i`Sja9scDhx*sQkIVk;bE}qoIAlgQ-anLXTkr@TTAKqbc
zyEwsQeuKF8uwszS?8|0)-w%-{%K(-8h^08L{uC-D<-jIjFuq2pXC{-jAM{X48$o<e
z#}SThJ7t3uu@rCvHAeZjXtsL?0?$Rh&R@mn(kqa+u-<`rZ_|Y}moC>TR-3r=d31_3
zZ>WrB01{%=Yo1v5)@-=$wQl%tF&$gL7C2P!Y)!t2uXeBJo~F$nx6_Yih@+l$_V!Qq
zJ^{aX`J!I69t0@3W!&nm)vY`CTeWb--dIx)DXh(6sHzhy?WAjE?0O*mz<`<vWsxz>
z?qly5w}AL3(a@Wpn>G(>*ggQS2PF@6m5>|2wPV?M93QC%wSRhfRi}DXb^TW!mL|<T
zY0+EvK9@k^zguKpI8M=j``Z1j!Pfn)UMcJXoFg4lVw)cNtdt2;MHFf~lAgs})K6oF
z^PsXB5!?0O<^T^LY<~KAtGcm@C1R4%b+x$4u8)Y;Nd5uMXmfuYS*2o@H;*_vQ7Z*U
zcn1ELC4<Alhzuh0>WkaAMn~uc`N#0#$>OPhY=L5p52`<ho4Gu(UX0u2n&_rnUGR6B
z-Z5Ap9oU%+k}lfNY#9%{I029LIdlOquaHLP|CPb9>Q6oh$i72?Q3ByG8sl8;<>Lay
zO`J6&n2xisfGq8|)%kG%mPEgn8mbb5%y+7tT2~`|-y+iCDmpp5L^@#ALVv^G{<?fi
z>Hl)~h{LaJx{Ggl45<uQKo4a?<onGnR*j2d$UKBmS^q$zr~7eyy%6&G>2qFE3C-ku
zMwT*IG>CfI@uPHUhs<{h_biC)NWN9aJIl5~@8!S<Dl|%`((%Jt@Jvy(zNFh@$y2_P
z0#+P;nqpx>MR8Hu{F<U^Y%^7IlFvy7<uq{qt^-Y>I%1+aFgQiP*KcG`eHlV)8DNiE
zUv*?e;L8yp(hdLy7Dv@~p=@2h0JwUVE1Ds}u-JaIwQz{&<$Yu_-`GD^l?|hV+ly-&
zT~?VciaXaZmxP$T3Iw`4)&WJ1baV84*4bX0;&bys;zv{g5f|`l5J-+g!OD2)LL4o1
zz`nYXK-IPYnHryL<-`^=K0BA8L=_L@yGbL`ZvEf$I=H+aC0X+}8>HKlCn$kRIO$*m
zp~|^$9y8ShMFMsWqy!*Y{)$bv`=6j=i5xmo>)VlbgaL%HZ1&XUKcLzB4eZk>H=d0T
zyEgXmM(>>NP_r#7qa7je9qoh8T;Yu-60&M3!vwrTZ%Zc&j4tJEv*c`@zq$!qji@&E
zU3Px3+z#O-n<=l8&Noml(^duHA(irN+TbPl0czc1a6hY!=ruUvWrK8jjmA}#GeF4%
z-5;~KE_(J)jpYY%TC}*1D$!Xh@nRRAXb2YDc0xFgEf~Dvb`w<vs2Vdx1eKn|rNX1~
zXz+hrkFHBO0($P3xzcuj24t`!bw0b9Mm}CoehO#hihH2*7C2jFKro<F&{pl1)@jx)
z-6dLQ@z_wD2Y_sdW86}s`mBy~kV4dF8d`D6VL%J*YSCv!6JvIUZHl*xm?ZY9e9zvu
z*#^c`BZ3|2-5sbsxIfv`;fX>={+KeY7oa?I=erC+afxP_9KYpbP)yexF-Nci*-1a`
zol3il6maqTOl?7G;BS20iK&Vzagg}a5hK;Ml(PxOFLhp|Kv;#(^=m9GP3L%cWm9Kr
zA$CGr!uC0!38XkgJK2+??TEM)SYXCr;FktH>YTg4BUxVpGg?V7(^uFSRW6KI6Bx^9
znCpCEC(PFtwG)z9&Rd-OA{nUUPqvtW29`(J?CdsWJ5%Am`K>T6J18Mo8OV_j&VZDm
z)JEs9$^uB9DTCwbp;&p9hm=_XT)}KaCH&=&y*{A!sJkbPk%BHd+F@&-#Gm-L2dVl_
zdrj)Lp4Vw83j5<6EB(BYPOPNxd8(C{1WW(7Q7L4L<}KlokZzYf5%k{`A}(M>yuq4!
zZ>71>c1pUGPHYYDq?`z3w4{$%nb0;4$>Wt!Wv{JN-Ku!wYQ<d6<J_mTz_l@)#+J?<
z)q$|eBIt>GZ}$-Mjo=MJHP~v#2+P#sl@BV`PORB-8EQQnKii)Q#BC|l&D*a`bm4RX
zwg>Ga13(t#aM$Cdo)h>p8;Sr$ShZuIl_sP)dHvT+W%cN@S<*8~-s&AFqG!q!0hR5U
z-UX?sD@~iZUT_&}AvIBnzr;$JCU^n(kjfZIg;DS+0pBnpPE`;~(8{OmMfOipzEL)b
z1PSeP@Q6*gcRCsq`-2)Gh%&rPTNIG;DS5?$lbBu$82)OIA5PBMs!;4YfRRo`<B(AY
z2#G;P>b*KWp+JO6;qc8j)H%&j>aL9oIM=I#0&TT1z$j1msv@E5?l+&mJddsS^;LAB
zp#Nh|>02#mNpG63b=<eSc=6%fZ&fK8YO8qqTeP||VXXRPlaPvX|03U6oj<e0c8ao)
z+eNVC`5)?h(YHCL)a|7}IiR9`6AGtVcSI>@=-W&J=E#M;yR7NeaR-9W?rj3tsoVw6
z3q<J+bUcliWa#U3zVkF6uPeo?Q7q(=%X`LfZlx1WaI%G#RM$vbdl5<ZNaz3QpS7q@
zk5OLu+zLzelNlbWe~6Xdg437C43@TwBuvNIm<u{a2V*pX|C6XNQYb}6>KCli8l+SZ
zF-m^-UdqBGy>>hBb6#gQ1;^sS)OoFZHisKa<_CnI9#&Kxx*11Mq*vlMQB3K#Sb0S7
zl}mDE$OAaeS2WS^_qtN=%7q4UWkTEZtN!bkK0RG&+<~E0Cwxketb^`JU1C}?s3CjI
zkqeJd4^Qd4l)hZe4;dx}Mh;u621}}}D$Ok_h7f$?msp-S<c_zkD+=KOXHrHwQV*YU
zWwqH)QDutu)m&@{^z3*!MQl;hwKynwyjXy{is#0#vPq(?m%oo-66dyCeRwsWXBF@>
zGWZ%tQf8$C3FF5yO*tz<xY;60IjiWUIWDXC;MztX`8XuJ)#NRwW`X!rD&Xx}y*a$N
zh0=jb`VPHwybrZ*UB{h3QAe*U5PpJ}|0i~j10nOuOZ9{$+AD^Y!pur@$w-zm(|7}g
zA25~j1Q`C#a$>$k_9!TJjAzZxtdC+ERHwC;DsgJ<UZ&A%;sv3uvnZsqF}(7v&WC+*
zWvKt4bJ#E60hqbFPtkvfNbNjXDHwiZNR{&koEbDZR&g1jrWm!Zaw$v+$S7q1uoAC!
zp~dlVPhnx#kI0qN=|y&`cNNe43f!t-f_tQSDWI35-^8FvaKjc%cheWx#-bTV(Gq2b
znMZ{*eTm5HJAcmJ`{?kHsa%Qi|IG&<e4yi@c`1_0LII2z28Z<mU$TVKKrokd<b?pg
zu4PVV3xuP$wOx{O*BhgIxSlbc2BXzIdDlr)Mba{dzwCT9V@RpAnu_&VbsxR++>yQF
z+3S6$nu3@WZ4NooMS4*oSkRK}p~M)IttI$lv>Hh?JO2T^?bs)fu?bCBhx^Y?Nb3ZB
z1un5WH|-|zNxs*;5zpI|{uFvq&W#|#okPHt)5jzWKgL6h1B-yxWN~PtZ@Wt>AQv5l
z-MydFJA3Wp=oeP&tQQQE7NlV(^)NEP?~gzHJsE5}lNm=M9vprAYf55R#O5t(0ZRcp
zRVbiOY(--Qs!NF&ad1G5aROk<-pnFz6iMkwjANt4B;FmKVP28L-Y*bVi!bYpG?W&p
zSl-$-49lQH6bGq6?DZH$tO$Lo(aBfrN_TbL7i8oWr3^+>f3vh!Fp$18gEj7QM9O!x
z=3>VXOfEi>rV1%V$P3MJHq-=E>Np~bZc>JR^34&2nHJZOe4f=RYoiC08VGH(2W0DE
zi4b7rvplsb#+F#nE*vDUGFd_d>({X*F+RqU<$VN1i8>WbqJXj9R#Uu@@U?)WtDIZc
zqOzlFJmb@)>ndQS5R1qW1Z<<A^L#NSZs<x59{}!wb~rr_1t<5FO(QF{2UwU{+YlEZ
zk4V7JbkG%(S_2OU;fw5<`*Z|okbhv~5|yBh%p-J<Dx$)`433yFE1CVhH2(P4q<pfK
zKK}4uz=*0gKlp%6b%)I>S(4DU#B3rAkFmgja;2hPl*ztjGrJOLy}ye{=$nhgx*}pc
z-(CBY0Fc?sF@!`Lan+7KUxy_~$aMqcf~bGCj4E7iR@RSTjwq1<AR79`>+hHvLGpSd
zv8&ZdxoDOj>EJ`Trp+NhW+NshxJ$<~gCr*hOs(oBz*x2Xs@=;0ZPWP)y3GsE`i{b!
zpo=(f^wHPT<<8R<TO6#rDD9qS!D7}tymD3WqI{4lLr(tcRIDh4l_e;Y8^TS+9#<GC
zse*Or<|{p!=m2+Shp5$Tn-QTTC{&#<Ne;}%&!;L=Gv}a+z+CB3$E}(@*{dOrnkNld
zQ`{yO*aXXcu3Li-qipGrFy2We8I;oVR?SfGcxO7^*D(_E5e6Nm`D(|McXri}p%~to
zO~c?EX?Z>@MrFfEA4t0w#)V|h3ND>rjaFL<^}|~uGCw3nTsqmSv<S#rN#o?E$epUI
zA7m<3HSPDUM~l^rRPvI%v)Bm*AYpwdi^I_OP8Mt*czF1Uy5yR=56?KSVWE8QB^v>&
zx;}=u7vI|iCbNTDaMx)~<Kfrz_3><e`1RbbrqI3R-AcNNoHL?SLl9D9jt{7(_=;+}
zcemQo^Wi4RzC(L8YY|77K_D=g<a?)w$1$Z+u9#syqVLI|hW7h`%I7~3HVTruuga!7
z?UNgHwXk!juY@rROB`WQCf1o#;}lhpinVvUAqhMVx~u}E5wm-KOUEjpc&S=buhu@6
z**Y|~;e2L7*tAfPy+^H|P{b<>jW}%870^Uz7G@>{cC3y@%@n5MNvJ0e?o{BcE5;FN
z5m9y46R|)Ly~{aH3A{}@0z_F?#G9Z&c<`NDgZqwM6bK+ubX;gv?u@F<<i+S}ZPp~o
zdbJPNDq4b$0dszkbD--GeT@#midK5Wq=bK4uU+1==3@<8V+PiLk@f%CU!*!DlW45P
z9>0!=S~>(bq4d6)87F8L<$WaUw^~tx)@{9s^EH&g`)q@HaP2RSBQevJCaB1K&S0${
zUb&4(>OGM4u#y4PK492IdKw;#6du+-FfH(8c5?O32<v?>gPH4}M%U;)UpoW3$e*`+
zYIU^j>f|x?TU-BBzqOT+j^rk5Tf69~erwZKqbOXmZLRlIHzBLd{jn6H0#j1FfYLJi
zt<@=q7k+Z>L;Vj9>*R;ddV?g5jb`ozfnWIGN|V_x%(T)qYoo9oOtB)@J}m{iM_WVr
zzOkd$FI#()cYAhjgrFypQB~8mi<eLj18qrq5|U!2p>xg>^+@1{xJJ9*Yh^CZGU{!A
z1Q%#Fnym`y|5Mp}xZa(3-%d&IVavj|d9Z@m{J8R@FKt;-H@oBG-E1>T?|o7;qU2q#
z5C$hQHqX%84%(BE62T;mR!Mn+6-8N(Ml3&A>vTVo9y`^=kq*7?bg$H&6Uo)Z2}YTK
zt&EjPZgMWD-iV$U&XvAmBdZy~#my#Z{7W<@Z92m7@vy*M6gvYMryjM_eo=>vC&~sP
z{!$u=?1^t(g7?KpdRM)45PHe)W{EmIc<`Tm^Kd_+d7F8t3T+xychF<_z0s!Nx^??N
z=?n?2fEYb(#tsg7xww`J6gpMDeQgL)N^L|F?(Iw|6p$@v>qX3pR3H&e6{VFztO9#T
zJ7OrS1#1W6Dl@C)keNsd(D|zyw^BxHwc9Uiw;AQnYh5T|kap3;V=mjaH%0f>ty00$
zJOI%?L&!gM+{yRPZw~(yWfD>-u&}Ohlo)ifZnk@JM4SigtLG`wTq;#f5e$v~DZu4f
zK9jEZQ9>#JB_Xl23ousbKYD4ead6(U`#LHoN)nE~CsK|;e*hahE<mi07LM~~7i79o
zQOm8Zdu+6MRTw5f57ssTGqU3_l^y%oTtZ>e0m*Ws?2q>z6Qlk@bemlx3g&WraSB+C
z;uK2CGP|$(rz7E=S#K_p<bb5j4E&y0XF)?k)&hUk4Nv~FAW3>k2WQ0Poc|Y)o=m*)
z-YGDs;Fo<2>bjYxmCU2G@^u(ZTPQ{`pWV2<{i|a!bWSvP?Z?iO*%g`L<R>DJvD9&E
z30}dFVmuDze*GQ&Un<4)%P^FxyhD(aW=TelIirFbJj7mL5)TPX*Rl-m+2zDgWC%4Y
z8E=j9Tdqn5&WROn{?Ts;&X6m#w#KILFIY~@GDTPXBAY{KhnYo%u=VWJH@teE`W7Au
zUPH0VTBu1k$moG{V7(E#-RS_oM&3dDg{b6gt-?Iva@CZ{I2Yg}dJ;;_kpo|CjcyZr
zL@74%g1R`$^_MXmT+I<GB+!ppAQW2gh&)Zn)5X5S-)dx2(<I>JrL3Ub|M8MASy`;Z
zO~USBrKA%~0c~p-L=$2NPq+gan5Q^EvIWS_fG6-3P%(Q4X`D}RxSi|oDLDJ@-=n)Q
zcgPU;9V6R2Jm5sGUN63y++u=TZJkKQ)r-;@Yk2I|A)<u>g<@?034mHI*ihzgshfzv
zhTu;fCAop3I9Ir&|EN?(rR@~a02kq#@Ay;>-6*f63mATJO4CI*rrnp)D~kBwY4Xqb
z*YTLW{H%+vWA&Z?*Y0z3Mm)to&3?tvqAmf`+aMC{ay8(x!U8b!NeU|D^nQzVbGNu(
zve9XCIyEhKM=M6(t#K7)%^!#)79H9vB+?Kh%?CJVtvknmHcqw_S5Wn*lTdBfjLaBN
zuK^Kcs@!5&Do6%)WQG*OOW*3+JP7A$TWx>&8*1gq^+V7Nk6b^h#456_5&N+}6|0k6
zpS60CNg9&;;n@C8)inssPca~hctoXH(=~lq5Gc?enIh?2z>-mpxWnf~*!e`EBxV><
zdj;Q%7|nKO<sM`*=q$<s4OQ_Eur{lN?nS3qHGT0EWr-ot0hKvqz)De9c*Ow&d^p3P
zk?;wpqaR*X1d7D81PdH53NT3JiL|bafD$FLi|n+}lRQ9INR^Me3WH$<!bKrh<}a0;
ziSX4zX<{h|id=Hi?rJ2!`l$}LTAvm&4m3$fseY5TL#jIi$f+j^*eC+b0C>BD4)NEr
zfEowq^+hCdGr=NQO|p<Phd}%&fN6XCiR<ez9}W72>xNO=3?wUB!%w0psqBbK&x^v&
zq9R_-GC~q*D+0mFp+L087|?TDZmAfJiMQ&R{Hz{W?lq4E^XfS+hod3>E_C0gtQP~x
zdZ!6R{XvQm$S#+`s21J9rO$tWbwS|naN?ST6G;(|6Oh(yuy#h)rujp17cTa2Z~st^
zFyMlmER@NwksPEbWs2<tx+cs!Q)-Mwar2J-aqv0f^W@u#E!wprjkVt|lzurEx+o)|
z<m47Hl?^GO?z0|fgt3D%0iqK42oi(<xm-BnQXqwb1hb8u*&?0<^!#-RcZy7dzlm4^
zB*(U}R-N2(5y!udP4yPs`gn;bl*B<zH+t?<g`_8B2aj<f3Rb#4iR#0K;|M0&pQ3ul
zUrCfM+RqG(1({s2Zi1UT&OBiD(u3yW5j;S^1^$wYDZ^)EB=2ZPWZqECQm|lXee55*
z<E7EzEoj^XT|l0;J|vQ$M42^`6zGifP-tF0l`}Y(_F~8BL};lBc-~cgsu)i9#%B)H
z#kc-aC5c(NtY3zwQrVZclqM^N2_-)T8nc)*l~Uy)v5*pEwK&NNZZWP>0w~5{GXBTJ
z8eFtYmPU@rz-t*ylfol*8CLHHSG}+exJ`0=iHERXDMjb<hnS<9#b!YQ);pXj;)`va
zJ(=FAwa~igYpaZlImE=4KGk0lfi)=|Eja~?_a4cBlL|#%4#*{oD_<UcV?)~m9MOI2
zWstj&l%iTa;O##6o)eg~o)9@HlQIybn)97G#HmOwu>zq0L$t=ZuU|Cy9-krXLk0&y
zxIWH{1uwZ55s@5$b56LH!ARl`9ElIHAz2i`k&G}fn%*MCF6@#~#ffMw7-?*?NIen}
z8$ZaK+%+movqisG11YFBZxD-}tcOyn$n0==d@>n184vE=alzyne~PNijy!IfP?&jC
zItrE6?K~OpFV;1L$#+p38twNmu%@l7)nw<Z#}4qy!!FdQH587J@52b{)0ZVK5?B#&
zD;!oh#*rCyj&aL+R)~B<NJZFNRPTpg9r=-)oqAAx>A<<lRQTLoeEdO7E{RFy1^QHX
zvyBRRdU$fYARaEol@J+}TT)oi-BSKjs|HPD+(Nc#Ic%v}q=uUz@a1ltLWd-ua$<C2
z68h-f%=CyYKy@K367fu1IvKHqnLwy5dlmgM)qAJx^mL+Kzo*`Rt9^w$m|GQRcX_5#
z=3VmV2PONKbAQ8?8Qi4Qe8&Oe$jxr}Zg1-$GfX`U-bW1}2N4q8SKJc)V>89p0`Z!=
z_7lB_ZgrB9te$39(6`P5YsR0>b%1sx15GjKKMof_*{CU?Dyk+KF@Y^_%@$1N{H#Gr
z=4@BrM@-Zy!*S+9(%&!Gfi`f^Iml>_02gEvaWWw^*fm*o!m{{&*~w4<K2JrTbVHH;
z$?-)E?_u3_;G1Tp^QgcOa{FC@0}RKO-&S&J&FA3#Z&B)<fRNDA;A;}<lB-r;1n!`#
zii4^E8yqfuBaKyCC2^@PN<|QKHp%j;pjbg7;e>~2hV%_hXHBmW3<3?1<yO9%%|snh
z!7e^DqDGN>D9m~Q+50K;QI98hP>PeUHec51n$W$>%!Rd<z<Gp;(@-#5x;kFk-_=PX
z)|4>$0IKqQHEkHhR;h{zangL(jY>y@UXsz;d3OSPj+~ecIO%-XAq7p*x;$D7o+>b#
zCehub)dmXry|`VMFk`ecuU<OQP;!^9sBRw{qek%I#FFVVb=>YZOZ1SDSV$?Ov<4m|
zLdQ?hosxFPUrb;MMT57XryK%I8clbBZM3$?FsVPxX7AKdaw8zn%x9%svQ--h+kB{_
ztyaFX`L1kG=>(od&SuB>Dz0y$N(X!p&-!K1=;{M7G<-2G+YpLJ%!Id8Ru#P0SJJm-
z|5l{W_6jAwQ$u*q&11}C)mjUoT?~H(!!d+Zzd$;u6qh8fu6SRs>G7B(cfoj+*NdtN
zE432G7hDIqd;p)Q7687TT(0oLSA0B|<FoH6F}Q4ANk1=Yzhzrpyt|4AhIQaR83)b+
zvq4}Av;bO?z2KyPnOVgIBnL!BovI-CIEpA0c1M>>OvsovUlAm9$lMXW7s>9DSei&+
zp1BZ%$eSVxqI{ZhNeRti-Af|5DfYd*wooxHsVr3h7Q~O#ssg*EIuUWs!kz6>M2JbJ
zsE+W!Uk&a<-wF#-1ZLsBM$i87D#byGqO)V*nidvILh*bri9EbM81Ea9aPn5|20=*E
z&C|hneu_pT6NTAQ^n~DrQ_4(3<>`rBw_>>Yje^j)F9I43za@5I@?y}*Y65c4mZJbQ
zDJ`Me0^zjn9+BA3DM=H;@XMW>!;M<(^Oam0253N@0y$ucnm`8>{8+XFzsG}}LjvQj
zZg!jAyIkN@kvZ4mq3Q192uZ#A*>wAu<2ABO>fgWgsf%t-c6R9v2Vwt}q7OGMFtb%h
zy@t;87v+zKf86@~!D!h%F7gW9NDR}u+0Ar;Zl;j<^B;?u5iE324T&XJNln3IU~t{g
z$|Jess}FLJ*|mXChe6(okb8-h9UL>RDqW9q_91o#&u>A?ljA{z9X!S%vVFLiIB$(J
SFikc&h!b!rCudO>{Qm<4ARaOR

literal 0
HcmV?d00001


From 3e0d1ddb10f26b8fa2255179cb3d6c8479800a0e Mon Sep 17 00:00:00 2001
From: NiceDevil <17103076+nicedevil007@users.noreply.github.com>
Date: Mon, 8 Jun 2026 17:41:28 +0200
Subject: [PATCH 09/68] web/elements/ak-dual-select: fix inverted pagination
 arrow colors in dark theme (#22608)

The dark theme overrides in ak-pagination assigned the disabled color
variable to the active button and the active color variable to the
overridden disabled-color custom property. As a result, the active arrow
appeared muted and the disabled arrow appeared highlighted on the first
and last pages of paginated lists.

Swap the two values so the active arrow uses the m-plain color and the
disabled custom property keeps the m-plain disabled color.

Closes #22607

Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
---
 web/src/elements/ak-dual-select/components/ak-pagination.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web/src/elements/ak-dual-select/components/ak-pagination.ts b/web/src/elements/ak-dual-select/components/ak-pagination.ts
index ebafbd2555..96d42c6bcc 100644
--- a/web/src/elements/ak-dual-select/components/ak-pagination.ts
+++ b/web/src/elements/ak-dual-select/components/ak-pagination.ts
@@ -18,8 +18,8 @@ export class AkPagination extends CustomEmitterElement<DualSelectEventType>(AKEl
         css`
             :host([theme="dark"]) {
                 .pf-c-pagination__nav-control .pf-c-button {
-                    color: var(--pf-c-button--m-plain--disabled--Color);
-                    --pf-c-button--disabled--Color: var(--pf-c-button--m-plain--Color);
+                    color: var(--pf-c-button--m-plain--Color);
+                    --pf-c-button--disabled--Color: var(--pf-c-button--m-plain--disabled--Color);
                 }
 
                 .pf-c-pagination__nav-control .pf-c-button:disabled {

From c5028c88a5eac5229199f7256210c49decb3ecf4 Mon Sep 17 00:00:00 2001
From: Ken Sternberg
 <133134217+kensternberg-authentik@users.noreply.github.com>
Date: Mon, 8 Jun 2026 09:20:45 -0700
Subject: [PATCH 10/68] web/maintenance: eliminate the need for DEFAULT_CONFIG
 boilerplate everywhere (#22892)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* ## What

         window.authentik.flow = {
             "layout": "{{ flow.layout }}",
    +        "background": "{{ flow.background }}",
    +        "title": "{{ flow.title }}",
         };

Amends the `flow.html` template and `GlobalAuthentik` parser to include new parameters, `background` and `title`, in the flow-specific part of the configuration written to the HTML `<head>` object, and to provide those parameters to client code.

## Why

The `layout` is start-up critical: it tells the Flow interface how the admin wants the Flow page to look, and allows the HTML and CSS to be pre-aligned to that condition. `layout` is determined on a per-Flow bases, not a per-Stage basis; Flows are derived from a tuple of `(Brand, Application?)`, where the opening policy *may* direct a user to a different flow if the user reached authentik via a redirect from a specific application, but will otherwise fall back to the default Flow for the Brand.

The `background` is a field that is required if the `Flow`’s layout is of type `frame_background`; in this case, the part of the viewport not dedicated to the FlowExecutor is reserved for an `<iframe>` that will be filled in with whatever the administrator specifies. Although this gives it the same priority as `layout` (whether it’s provided or undefined) for describing the [chrome](https://developer.mozilla.org/en-US/docs/Glossary/Chrome) around a challenge, it is currently not provided to the application in the start-up config; it is provided in the `challenge` and renders the IFrame as part of the initial challenge.

This patch fixes that; if `layout` is provided, `background` ought to be as well, even if it’s empty. The execution of a Challenge ought not have any influence over the look and feel of the Flow-defined appearance *around* that Challenge.

I have added `title` as well; with that, all of the current theme-and-appearance related configuration details are placed into `<head>` and can be removed from the FlowExecutor.

Server-side, `background` is currently specified: `background = FileField(blank=True, default="")` which is … interesting since we also appear to store URLs in it. I don’t see anything in the FlowSerializer that would change that from a client’s point of view.

This patch furthers the effort to separate flow execution from flow presentation.

- \[🐰\] The code has been formatted (`make web`)

* web/maintenance: eliminate the need for DEFAULT_CONFIG boilerplate everywhere

# Promise:

There is only one file change in the entire PR. I promise. It is `./web/src/common/api/client.ts`.

Every other change is mechanical.

# What

Replace the repetitive boilerplate of importing DEFAULT_CONFIG everywhere by replacing it with an enclosing function that does both instantiation and configuration for you.

# How !?!?!?! (I hear you cry)

Read the `client.ts` file. It shows you the new mechanism.

# Mechanical update:

Every other change to the source code was performed with the following seven-line script: use `prettier --print-width 400` to ensure all the construction expressions would be single-line (they weren’t necessarily always so); identify the files that used `DEFAULT_CONFIG`, replace their `import` statements, replace their instantiation expressions, then clean up the debris.

    $ ./node_modules/.bin/prettier --cache --write -u . --print-width 400
    $ rg -l 'import.*\{ DEFAULT_CONFIG \}' ./src > client-only.txt
    $ perl -pi.bak -e 's{import \{ DEFAULT_CONFIG \} from "\#common/api/config"}{import \{ aki \} from "#common/api/client"}' $(cat client-only.txt )
    $ perl -pi.bak -e 's{new ([A-Z][A-Za-z]+Api)\(DEFAULT_CONFIG\)}{aki(\1)}g' $(cat client-only.txt )
    $ rm client-only.txt
    $ find . -name '*.bak' -exec rm {} \;
    $ npm run prettier
---
 .../admin-overview/TopApplicationsTable.ts    |  4 +-
 .../admin-overview/cards/FipsStatusCard.ts    |  4 +-
 .../admin-overview/cards/SystemStatusCard.ts  | 10 +--
 .../admin-overview/cards/VersionStatusCard.ts |  4 +-
 .../admin-overview/cards/WorkerStatusCard.ts  |  4 +-
 .../charts/AdminLoginAuthorizeChart.ts        |  4 +-
 .../admin-overview/charts/AdminModelPerDay.ts |  4 +-
 .../charts/OutpostStatusChart.ts              |  4 +-
 .../admin-overview/charts/SyncStatusChart.ts  | 26 +++----
 .../admin/admin-settings/AdminSettingsForm.ts |  4 +-
 .../admin/admin-settings/AdminSettingsPage.ts | 10 +--
 web/src/admin/ak-about-modal.ts               |  4 +-
 web/src/admin/ak-admin-debug-page.ts          |  4 +-
 .../applications/ApplicationAuthorizeChart.ts |  4 +-
 .../ApplicationCheckAccessForm.ts             |  4 +-
 web/src/admin/applications/ApplicationForm.ts |  4 +-
 .../admin/applications/ApplicationListPage.ts | 10 +--
 .../admin/applications/ApplicationViewPage.ts |  8 +--
 .../admin/applications/ak-provider-table.ts   |  4 +-
 .../components/ak-provider-search-input.ts    |  4 +-
 .../ApplicationEntitlementForm.ts             |  8 +--
 .../ApplicationEntitlementPage.ts             |  8 +--
 .../wizard/ak-application-wizard.ts           |  4 +-
 ...ak-application-wizard-edit-binding-step.ts |  8 +--
 .../ak-application-wizard-submit-step.ts      | 10 +--
 ...k-application-wizard-provider-for-oauth.ts |  4 +-
 web/src/admin/blueprints/BlueprintForm.ts     | 13 ++--
 .../admin/blueprints/BlueprintImportForm.ts   |  8 +--
 web/src/admin/blueprints/BlueprintListPage.ts | 12 ++--
 web/src/admin/brands/BrandForm.ts             | 10 ++-
 web/src/admin/brands/BrandListPage.ts         |  8 +--
 web/src/admin/brands/Certificates.ts          |  6 +-
 web/src/admin/common/ak-core-group-search.ts  |  4 +-
 .../common/ak-crypto-certificate-search.ts    |  6 +-
 .../admin/common/ak-flow-search/FlowSearch.ts |  6 +-
 .../ak-flow-search/ak-flow-search.stories.ts  |  7 +-
 .../ak-crypto-certificate-search.stories.ts   |  7 +-
 .../admin/crypto/CertificateGenerateForm.ts   |  4 +-
 .../admin/crypto/CertificateKeyPairForm.ts    |  8 +--
 .../crypto/CertificateKeyPairListPage.ts      |  8 +--
 .../admin/endpoints/DeviceAccessGroupForm.ts  |  8 +--
 .../endpoints/DeviceAccessGroupsListPage.ts   |  8 +--
 .../ak-endpoints-device-group-search.ts       |  4 +-
 .../endpoints/connectors/ConnectorViewPage.ts |  4 +-
 .../endpoints/connectors/ConnectorWizard.ts   |  4 +-
 .../connectors/ConnectorsListPage.ts          | 10 ++-
 .../connectors/agent/AgentConnectorForm.ts    |  8 +--
 .../connectors/agent/AgentConnectorSetup.ts   |  7 +-
 .../agent/AgentConnectorViewPage.ts           |  4 +-
 .../endpoints/connectors/agent/ConfigModal.ts |  4 +-
 .../connectors/agent/EnrollmentTokenForm.ts   |  8 +--
 .../agent/EnrollmentTokenListPage.ts          |  4 +-
 .../connectors/fleet/FleetConnectorForm.ts    |  8 +--
 .../fleet/FleetConnectorViewPage.ts           |  4 +-
 .../gdtc/GoogleChromeConnectorForm.ts         |  8 +--
 .../gdtc/GoogleChromeConnectorViewPage.ts     |  4 +-
 .../endpoints/devices/BoundDeviceUsersList.ts |  4 +-
 .../admin/endpoints/devices/DeviceAddHowTo.ts | 10 +--
 web/src/admin/endpoints/devices/DeviceForm.ts |  6 +-
 .../admin/endpoints/devices/DeviceListPage.ts | 12 ++--
 .../devices/DeviceUserBindingForm.ts          |  8 +--
 .../admin/endpoints/devices/DeviceViewPage.ts |  4 +-
 .../admin/enterprise/EnterpriseLicenseForm.ts |  4 +-
 .../enterprise/EnterpriseLicenseListPage.ts   | 18 ++---
 web/src/admin/events/DataExportListPage.ts    |  8 +--
 web/src/admin/events/EventListPage.ts         |  6 +-
 web/src/admin/events/EventViewPage.ts         | 10 +--
 web/src/admin/events/EventVolumeChart.ts      |  4 +-
 web/src/admin/events/ObjectChangelog.ts       |  4 +-
 web/src/admin/events/RuleForm.ts              | 12 ++--
 web/src/admin/events/RuleFormHelpers.ts       |  6 +-
 web/src/admin/events/RuleListPage.ts          |  8 +--
 web/src/admin/events/SimpleEventTable.ts      |  4 +-
 web/src/admin/events/TransportForm.ts         | 20 +++---
 web/src/admin/events/TransportListPage.ts     | 12 ++--
 web/src/admin/files/FileListPage.ts           |  8 +--
 web/src/admin/files/FileUploadForm.ts         |  4 +-
 web/src/admin/flows/BoundStagesList.ts        |  4 +-
 web/src/admin/flows/FlowDiagram.ts            |  4 +-
 web/src/admin/flows/FlowForm.ts               |  4 +-
 web/src/admin/flows/FlowListPage.ts           | 15 ++--
 web/src/admin/flows/FlowViewPage.ts           | 29 ++++----
 web/src/admin/flows/StageBindingForm.ts       | 12 ++--
 web/src/admin/groups/GroupListPage.ts         |  8 +--
 web/src/admin/groups/GroupViewPage.ts         |  4 +-
 web/src/admin/groups/RelatedGroupList.ts      |  8 +--
 web/src/admin/groups/RelatedUserList.ts       | 12 ++--
 web/src/admin/groups/ak-group-form.ts         | 12 ++--
 web/src/admin/groups/ak-group-member-table.ts |  4 +-
 web/src/admin/lifecycle/LifecycleRuleForm.ts  |  8 +--
 .../admin/lifecycle/LifecycleRuleListPage.ts  |  8 +--
 .../admin/lifecycle/ObjectLifecyclePage.ts    |  4 +-
 web/src/admin/lifecycle/ObjectReviewForm.ts   |  4 +-
 web/src/admin/lifecycle/ReviewListPage.ts     |  4 +-
 web/src/admin/outposts/OutpostForm.ts         | 19 +++---
 web/src/admin/outposts/OutpostHealthSimple.ts |  4 +-
 web/src/admin/outposts/OutpostListPage.ts     | 10 +--
 web/src/admin/outposts/OutpostViewPage.ts     |  4 +-
 .../outposts/ServiceConnectionDockerForm.ts   |  8 +--
 .../ServiceConnectionKubernetesForm.ts        |  8 +--
 .../outposts/ServiceConnectionListPage.ts     | 10 +--
 .../outposts/ak-service-connection-wizard.ts  |  4 +-
 web/src/admin/policies/BoundPoliciesList.ts   |  8 +--
 web/src/admin/policies/PolicyBindingForm.ts   | 18 +++--
 web/src/admin/policies/PolicyListPage.ts      | 10 +--
 web/src/admin/policies/PolicyTestForm.ts      |  6 +-
 web/src/admin/policies/ak-policy-wizard.ts    |  4 +-
 .../admin/policies/dummy/DummyPolicyForm.ts   |  8 +--
 .../event_matcher/EventMatcherPolicyForm.ts   | 16 ++---
 .../admin/policies/expiry/ExpiryPolicyForm.ts |  8 +--
 .../expression/ExpressionPolicyForm.ts        |  8 +--
 web/src/admin/policies/geoip/CountryCache.ts  | 12 ++--
 .../admin/policies/geoip/GeoIPPolicyForm.ts   |  8 +--
 .../policies/password/PasswordPolicyForm.ts   |  8 +--
 .../policies/reputation/ReputationListPage.ts |  8 +--
 .../reputation/ReputationPolicyForm.ts        |  8 +--
 .../UniquePasswordPolicyForm.ts               |  8 +--
 .../PropertyMappingListPage.ts                |  8 +--
 .../PropertyMappingNotification.ts            |  8 +--
 ...pertyMappingProviderGoogleWorkspaceForm.ts | 14 ++--
 ...opertyMappingProviderMicrosoftEntraForm.ts | 18 ++---
 .../PropertyMappingProviderRACForm.ts         |  8 +--
 .../PropertyMappingProviderRadiusForm.ts      |  8 +--
 .../PropertyMappingProviderSAMLForm.ts        |  8 +--
 .../PropertyMappingProviderSCIMForm.ts        |  8 +--
 .../PropertyMappingProviderScopeForm.ts       |  8 +--
 .../PropertyMappingSourceKerberosForm.ts      |  8 +--
 .../PropertyMappingSourceLDAPForm.ts          |  8 +--
 .../PropertyMappingSourceOAuthForm.ts         |  8 +--
 .../PropertyMappingSourcePlexForm.ts          |  8 +--
 .../PropertyMappingSourceSAMLForm.ts          |  8 +--
 .../PropertyMappingSourceSCIMForm.ts          |  8 +--
 .../PropertyMappingSourceTelegramForm.ts      |  8 +--
 .../PropertyMappingTestForm.ts                |  8 +--
 .../ak-property-mapping-wizard.ts             |  4 +-
 web/src/admin/providers/ProviderListPage.ts   | 10 ++-
 web/src/admin/providers/ProviderViewPage.ts   |  4 +-
 web/src/admin/providers/ak-provider-wizard.ts |  4 +-
 .../GoogleWorkspaceProviderForm.ts            | 12 ++--
 .../GoogleWorkspaceProviderFormHelpers.ts     |  8 +--
 .../GoogleWorkspaceProviderGroupList.ts       | 10 ++-
 .../GoogleWorkspaceProviderUserList.ts        | 10 ++-
 .../GoogleWorkspaceProviderViewPage.ts        |  8 +--
 .../admin/providers/ldap/LDAPProviderForm.ts  |  8 +--
 .../providers/ldap/LDAPProviderFormHelpers.ts |  8 +--
 .../providers/ldap/LDAPProviderViewPage.ts    | 16 ++---
 .../MicrosoftEntraProviderForm.ts             | 12 ++--
 .../MicrosoftEntraProviderFormHelpers.ts      |  8 +--
 .../MicrosoftEntraProviderGroupList.ts        | 10 ++-
 .../MicrosoftEntraProviderPropertyMappings.ts |  6 +-
 .../MicrosoftEntraProviderUserList.ts         | 10 ++-
 .../MicrosoftEntraProviderViewPage.ts         |  8 +--
 .../providers/oauth2/OAuth2ProviderForm.ts    | 12 ++--
 .../oauth2/OAuth2ProviderFormHelpers.ts       |  8 +--
 .../oauth2/OAuth2ProviderViewPage.ts          | 12 ++--
 .../oauth2/OAuth2ProvidersProvider.ts         |  6 +-
 .../admin/providers/oauth2/OAuth2Sources.ts   |  6 +-
 .../providers/proxy/ProxyProviderForm.ts      |  8 +--
 .../proxy/ProxyProviderFormHelpers.ts         |  8 +--
 .../providers/proxy/ProxyProviderViewPage.ts  |  4 +-
 .../providers/rac/ConnectionTokenList.ts      |  8 +--
 web/src/admin/providers/rac/EndpointForm.ts   |  8 +--
 web/src/admin/providers/rac/EndpointList.ts   |  8 +--
 .../admin/providers/rac/RACProviderForm.ts    |  8 +--
 .../providers/rac/RACProviderFormHelpers.ts   |  8 +--
 .../providers/rac/RACProviderViewPage.ts      |  4 +-
 .../providers/radius/RadiusProviderForm.ts    |  8 +--
 .../radius/RadiusProviderFormHelpers.ts       |  8 +--
 .../radius/RadiusProviderViewPage.ts          |  4 +-
 .../admin/providers/saml/SAMLProviderForm.ts  |  8 +--
 .../providers/saml/SAMLProviderFormForm.ts    | 16 +++--
 .../providers/saml/SAMLProviderFormHelpers.ts |  8 +--
 .../providers/saml/SAMLProviderImportForm.ts  |  4 +-
 .../providers/saml/SAMLProviderViewPage.ts    | 68 ++++++++-----------
 .../admin/providers/scim/SCIMProviderForm.ts  |  8 +--
 .../providers/scim/SCIMProviderFormForm.ts    |  4 +-
 .../providers/scim/SCIMProviderFormHelpers.ts | 12 ++--
 .../providers/scim/SCIMProviderGroupList.ts   |  8 +--
 .../providers/scim/SCIMProviderUserList.ts    |  8 +--
 .../providers/scim/SCIMProviderViewPage.ts    | 12 ++--
 .../providers/ssf/SSFProviderFormPage.ts      |  8 +--
 .../providers/ssf/SSFProviderViewPage.ts      |  4 +-
 web/src/admin/providers/ssf/StreamTable.ts    |  6 +-
 .../wsfed/WSFederationProviderForm.ts         |  8 +--
 .../wsfed/WSFederationProviderFormForm.ts     |  4 +-
 .../wsfed/WSFederationProviderViewPage.ts     | 40 +++++------
 .../admin/rbac/ak-initial-permissions-form.ts | 12 ++--
 .../admin/rbac/ak-initial-permissions-list.ts | 10 ++-
 .../admin/rbac/ak-rbac-permission-table.ts    |  4 +-
 .../ak-rbac-role-object-permission-form.ts    |  8 +--
 .../ak-rbac-role-object-permission-table.ts   | 10 ++-
 web/src/admin/roles/ak-related-role-table.ts  |  6 +-
 ...-role-assigned-global-permissions-table.ts |  8 +--
 ...-role-assigned-object-permissions-table.ts |  8 +--
 web/src/admin/roles/ak-role-form.ts           |  8 +--
 web/src/admin/roles/ak-role-list.ts           |  8 +--
 .../admin/roles/ak-role-permission-form.ts    |  4 +-
 web/src/admin/roles/ak-role-view.ts           |  4 +-
 web/src/admin/sources/SourceListPage.ts       |  8 +--
 web/src/admin/sources/SourceViewPage.ts       |  4 +-
 web/src/admin/sources/ak-source-wizard.ts     |  4 +-
 .../sources/kerberos/KerberosSourceForm.ts    |  8 +--
 .../kerberos/KerberosSourceFormHelpers.ts     |  8 +--
 .../kerberos/KerberosSourceViewPage.ts        |  8 +--
 web/src/admin/sources/ldap/LDAPSourceForm.ts  | 12 ++--
 .../sources/ldap/LDAPSourceFormHelpers.ts     |  8 +--
 .../admin/sources/ldap/LDAPSourceGroupForm.ts |  8 +--
 .../admin/sources/ldap/LDAPSourceGroupList.ts |  6 +-
 .../admin/sources/ldap/LDAPSourceUserForm.ts  |  8 +--
 .../admin/sources/ldap/LDAPSourceUserList.ts  |  6 +-
 .../admin/sources/ldap/LDAPSourceViewPage.ts  |  8 +--
 .../admin/sources/oauth/OAuthSourceDiagram.ts |  4 +-
 .../admin/sources/oauth/OAuthSourceForm.ts    | 10 +--
 .../sources/oauth/OAuthSourceFormHelpers.ts   |  8 +--
 .../sources/oauth/OAuthSourceViewPage.ts      |  4 +-
 web/src/admin/sources/plex/PlexSourceForm.ts  |  8 +--
 .../sources/plex/PlexSourceFormHelpers.ts     |  8 +--
 .../admin/sources/plex/PlexSourceViewPage.ts  |  4 +-
 web/src/admin/sources/saml/SAMLSourceForm.ts  |  8 +--
 .../sources/saml/SAMLSourceFormHelpers.ts     |  8 +--
 .../admin/sources/saml/SAMLSourceViewPage.ts  |  6 +-
 web/src/admin/sources/scim/SCIMSourceForm.ts  |  8 +--
 .../sources/scim/SCIMSourceFormHelpers.ts     |  8 +--
 .../admin/sources/scim/SCIMSourceGroups.ts    |  4 +-
 web/src/admin/sources/scim/SCIMSourceUsers.ts |  4 +-
 .../admin/sources/scim/SCIMSourceViewPage.ts  |  4 +-
 .../sources/telegram/TelegramSourceForm.ts    |  8 +--
 .../telegram/TelegramSourceFormHelpers.ts     |  8 +--
 .../telegram/TelegramSourceViewPage.ts        |  4 +-
 web/src/admin/stages/StageListPage.ts         |  8 +--
 .../AccountLockdownStageForm.ts               |  4 +-
 web/src/admin/stages/ak-stage-wizard.ts       |  4 +-
 .../AuthenticatorDuoStageForm.ts              | 12 ++--
 .../authenticator_duo/DuoDeviceImportForm.ts  | 10 +--
 .../AuthenticatorEmailStageForm.ts            | 14 ++--
 .../AuthenticatorEndpointGDTCStageForm.ts     |  8 +--
 .../AuthenticatorSMSStageForm.ts              | 19 +++---
 .../AuthenticatorStaticStageForm.ts           | 12 ++--
 .../AuthenticatorTOTPStageForm.ts             | 12 ++--
 .../AuthenticatorValidateStageForm.ts         | 10 +--
 .../AuthenticatorValidateStageFormHelpers.ts  | 10 ++-
 .../AuthenticatorWebAuthnStageForm.ts         | 14 ++--
 .../admin/stages/captcha/CaptchaStageForm.ts  |  4 +-
 .../admin/stages/consent/ConsentStageForm.ts  |  8 +--
 web/src/admin/stages/deny/DenyStageForm.ts    |  8 +--
 web/src/admin/stages/dummy/DummyStageForm.ts  |  8 +--
 web/src/admin/stages/email/EmailStageForm.ts  | 10 +--
 .../stages/endpoint/EndpointStageForm.ts      | 12 ++--
 .../identification/IdentificationStageForm.ts | 21 +++---
 .../IdentificationStageFormHelpers.ts         |  6 +-
 .../admin/stages/invitation/InvitationForm.ts |  8 +--
 .../stages/invitation/InvitationListLink.ts   |  4 +-
 .../stages/invitation/InvitationListPage.ts   | 10 +--
 .../invitation/InvitationSendEmailForm.ts     |  8 +--
 .../stages/invitation/InvitationStageForm.ts  |  8 +--
 .../wizard/InvitationWizardDetailsStep.ts     | 10 ++-
 .../wizard/InvitationWizardEmailStep.ts       |  8 +--
 .../wizard/InvitationWizardFlowStep.ts        |  4 +-
 web/src/admin/stages/mtls/MTLSStageForm.ts    |  8 +--
 .../stages/password/PasswordStageForm.ts      | 12 ++--
 web/src/admin/stages/prompt/PromptForm.ts     | 10 +--
 web/src/admin/stages/prompt/PromptListPage.ts | 10 ++-
 .../admin/stages/prompt/PromptStageForm.ts    |  8 +--
 .../stages/prompt/PromptStageFormHelpers.ts   | 10 +--
 .../stages/redirect/RedirectStageForm.ts      | 12 ++--
 .../admin/stages/source/SourceStageForm.ts    | 10 +--
 .../stages/user_delete/UserDeleteStageForm.ts |  8 +--
 .../stages/user_login/UserLoginStageForm.ts   |  8 +--
 .../stages/user_logout/UserLogoutStageForm.ts |  8 +--
 .../stages/user_write/UserWriteStageForm.ts   | 12 ++--
 web/src/admin/tokens/TokenForm.ts             | 10 +--
 web/src/admin/tokens/TokenListPage.ts         |  8 +--
 web/src/admin/users/ServiceAccountForm.ts     |  8 +--
 web/src/admin/users/UserActiveForm.ts         |  4 +-
 web/src/admin/users/UserApplicationTable.ts   |  4 +-
 .../admin/users/UserBulkRevokeSessionsForm.ts |  8 +--
 web/src/admin/users/UserChart.ts              |  4 +-
 web/src/admin/users/UserDevicesTable.ts       |  6 +-
 web/src/admin/users/UserForm.ts               |  6 +-
 web/src/admin/users/UserImpersonateForm.ts    |  6 +-
 web/src/admin/users/UserListPage.ts           |  4 +-
 web/src/admin/users/UserPasswordForm.ts       |  4 +-
 web/src/admin/users/UserRecoveryLinkForm.ts   |  4 +-
 web/src/admin/users/UserResetEmailForm.ts     |  6 +-
 web/src/admin/users/UserViewPage.ts           |  4 +-
 web/src/admin/users/ak-user-group-table.ts    |  4 +-
 web/src/admin/users/ak-user-role-table.ts     |  4 +-
 .../admin/users/oauth/UserAccessTokenList.ts  |  8 +--
 .../admin/users/oauth/UserRefreshTokenList.ts |  8 +--
 web/src/common/api/client.ts                  | 47 +++++++++++++
 web/src/common/api/config.ts                  |  3 +
 web/src/common/helpers/plex.ts                |  4 +-
 web/src/common/users.ts                       |  6 +-
 web/src/components/ak-event-info.ts           |  4 +-
 web/src/components/ak-file-search-input.ts    |  4 +-
 web/src/components/ak-nav-buttons.ts          |  4 +-
 .../stories/ak-radio-input.stories.ts         |  7 +-
 .../stories/ak-slug-input.stories.ts          |  7 +-
 .../stories/ak-text-input.stories.ts          |  7 +-
 web/src/components/sync/SyncObjectForm.ts     |  6 +-
 .../buttons/IconEnrollmentTokenCopyButton.ts  |  5 +-
 .../elements/buttons/IconTokenCopyButton.ts   |  4 +-
 .../ak-token-copy-button.stories.ts           |  4 +-
 .../TokenCopyButton/ak-token-copy-button.ts   |  4 +-
 .../commands/ak-command-palette-user-modal.ts |  4 +-
 .../controllers/BrandContextController.ts     |  4 +-
 .../controllers/ConfigContextController.ts    |  4 +-
 .../controllers/LicenseContextController.ts   |  4 +-
 .../NotificationsContextController.ts         |  4 +-
 .../controllers/SessionContextController.ts   |  4 +-
 .../controllers/VersionContextController.ts   |  4 +-
 web/src/elements/decorators/listen.ts         |  4 +-
 .../stories/ak-search-select-view.stories.ts  |  7 +-
 .../elements/forms/stories/Radio.stories.ts   |  7 +-
 web/src/elements/mixins/notifications.ts      |  6 +-
 web/src/elements/router/RouteMatch.ts         |  4 +-
 web/src/elements/tasks/ScheduleForm.ts        |  6 +-
 web/src/elements/tasks/ScheduleList.ts        |  6 +-
 web/src/elements/tasks/TaskList.ts            |  8 +--
 web/src/elements/user/SessionList.ts          |  8 +--
 web/src/elements/user/UserConsentList.ts      |  8 +--
 web/src/elements/user/UserReputationList.ts   |  8 +--
 .../elements/user/sources/SourceSettings.ts   |  4 +-
 .../user/sources/SourceSettingsOAuth.ts       |  5 +-
 .../user/sources/SourceSettingsPlex.ts        |  6 +-
 .../user/sources/SourceSettingsSAML.ts        |  5 +-
 .../user/sources/SourceSettingsTelegram.ts    |  6 +-
 web/src/flow/FlowExecutor.ts                  |  4 +-
 web/src/flow/inspector/FlowInspector.ts       |  4 +-
 web/src/flow/sources/plex/PlexLoginInit.ts    |  4 +-
 .../AuthenticatorDuoStage.ts                  |  6 +-
 .../AuthenticatorValidateStage.ts             |  4 +-
 web/src/flow/stages/captcha/CaptchaStage.ts   |  4 +-
 web/src/rac/index.entrypoint.ts               |  4 +-
 .../RACLaunchEndpointModal.ts                 |  4 +-
 web/src/user/LibraryPage/ak-library.ts        |  4 +-
 .../user/user-settings/UserSettingsPage.ts    |  4 +-
 .../details/UserSettingsFlowExecutor.ts       |  6 +-
 .../user/user-settings/mfa/MFADeviceForm.ts   | 16 ++---
 .../user/user-settings/mfa/MFADevicesPage.ts  |  7 +-
 .../user-settings/tokens/UserTokenForm.ts     |  8 +--
 .../user-settings/tokens/UserTokenList.ts     |  6 +-
 342 files changed, 1262 insertions(+), 1420 deletions(-)
 create mode 100644 web/src/common/api/client.ts

diff --git a/web/src/admin/admin-overview/TopApplicationsTable.ts b/web/src/admin/admin-overview/TopApplicationsTable.ts
index a46f1974ce..5629d51119 100644
--- a/web/src/admin/admin-overview/TopApplicationsTable.ts
+++ b/web/src/admin/admin-overview/TopApplicationsTable.ts
@@ -1,6 +1,6 @@
 import "#elements/Spinner";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKElement } from "#elements/Base";
 
@@ -20,7 +20,7 @@ export class TopApplicationsTable extends AKElement {
     static styles: CSSResult[] = [PFTable];
 
     firstUpdated(): void {
-        new EventsApi(DEFAULT_CONFIG)
+        aki(EventsApi)
             .eventsEventsTopPerUserList({
                 action: "authorize_application",
                 topN: 11,
diff --git a/web/src/admin/admin-overview/cards/FipsStatusCard.ts b/web/src/admin/admin-overview/cards/FipsStatusCard.ts
index 4ed25f3239..7cd6329e9e 100644
--- a/web/src/admin/admin-overview/cards/FipsStatusCard.ts
+++ b/web/src/admin/admin-overview/cards/FipsStatusCard.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AdminStatus, AdminStatusCard } from "#admin/admin-overview/cards/AdminStatusCard";
 
@@ -19,7 +19,7 @@ export class FipsStatusCard extends AdminStatusCard<SystemInfo> {
     protected statusSummary?: string;
 
     async getPrimaryValue(): Promise<SystemInfo> {
-        return new AdminApi(DEFAULT_CONFIG).adminSystemRetrieve();
+        return aki(AdminApi).adminSystemRetrieve();
     }
 
     setStatus(summary: string, content: StatusContent): Promise<AdminStatus> {
diff --git a/web/src/admin/admin-overview/cards/SystemStatusCard.ts b/web/src/admin/admin-overview/cards/SystemStatusCard.ts
index 82507b790f..5f2dabd88a 100644
--- a/web/src/admin/admin-overview/cards/SystemStatusCard.ts
+++ b/web/src/admin/admin-overview/cards/SystemStatusCard.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { SlottedTemplateResult } from "#elements/types";
 
@@ -22,7 +22,7 @@ export class SystemStatusCard extends AdminStatusCard<SystemInfo> {
 
     async getPrimaryValue(): Promise<SystemInfo> {
         this.now = new Date();
-        let status = await new AdminApi(DEFAULT_CONFIG).adminSystemRetrieve();
+        let status = await aki(AdminApi).adminSystemRetrieve();
         if (
             !status.embeddedOutpostDisabled &&
             (status.embeddedOutpostHost === "" || !status.embeddedOutpostHost.includes("http"))
@@ -32,7 +32,7 @@ export class SystemStatusCard extends AdminStatusCard<SystemInfo> {
             // (yes it's called host and requires a URL, i know)
             // TODO: Improve this in OOB flow
             await this.setOutpostHost();
-            status = await new AdminApi(DEFAULT_CONFIG).adminSystemRetrieve();
+            status = await aki(AdminApi).adminSystemRetrieve();
         }
         return status;
     }
@@ -40,7 +40,7 @@ export class SystemStatusCard extends AdminStatusCard<SystemInfo> {
     // Called on fresh installations and whenever the embedded outpost is deleted
     // automatically send the login URL when the user first visits the admin dashboard.
     async setOutpostHost(): Promise<void> {
-        const outposts = await new OutpostsApi(DEFAULT_CONFIG).outpostsInstancesList({
+        const outposts = await aki(OutpostsApi).outpostsInstancesList({
             managedIexact: "goauthentik.io/outposts/embedded",
         });
         if (outposts.results.length < 1) {
@@ -48,7 +48,7 @@ export class SystemStatusCard extends AdminStatusCard<SystemInfo> {
         }
         const outpost = outposts.results[0];
         outpost.config.authentik_host = window.location.origin;
-        await new OutpostsApi(DEFAULT_CONFIG).outpostsInstancesUpdate({
+        await aki(OutpostsApi).outpostsInstancesUpdate({
             uuid: outpost.pk,
             outpostRequest: outpost,
         });
diff --git a/web/src/admin/admin-overview/cards/VersionStatusCard.ts b/web/src/admin/admin-overview/cards/VersionStatusCard.ts
index 12b9fed247..14cac1dd31 100644
--- a/web/src/admin/admin-overview/cards/VersionStatusCard.ts
+++ b/web/src/admin/admin-overview/cards/VersionStatusCard.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AdminStatus, AdminStatusCard } from "#admin/admin-overview/cards/AdminStatusCard";
 import Styles from "#admin/admin-overview/cards/VersionStatusCard.css";
@@ -17,7 +17,7 @@ export class VersionStatusCard extends AdminStatusCard<Version> {
     public override label = msg("Version");
 
     getPrimaryValue(): Promise<Version> {
-        return new AdminApi(DEFAULT_CONFIG).adminVersionRetrieve();
+        return aki(AdminApi).adminVersionRetrieve();
     }
 
     getStatus(value: Version): Promise<AdminStatus> {
diff --git a/web/src/admin/admin-overview/cards/WorkerStatusCard.ts b/web/src/admin/admin-overview/cards/WorkerStatusCard.ts
index a83798d4cb..b26646c37a 100644
--- a/web/src/admin/admin-overview/cards/WorkerStatusCard.ts
+++ b/web/src/admin/admin-overview/cards/WorkerStatusCard.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AdminStatus, AdminStatusCard } from "#admin/admin-overview/cards/AdminStatusCard";
 
@@ -14,7 +14,7 @@ export class WorkersStatusCard extends AdminStatusCard<Worker[]> {
     public override label = msg("Workers");
 
     getPrimaryValue(): Promise<Worker[]> {
-        return new TasksApi(DEFAULT_CONFIG).tasksWorkersList();
+        return aki(TasksApi).tasksWorkersList();
     }
 
     getStatus(value: Worker[]): Promise<AdminStatus> {
diff --git a/web/src/admin/admin-overview/charts/AdminLoginAuthorizeChart.ts b/web/src/admin/admin-overview/charts/AdminLoginAuthorizeChart.ts
index 23cba7d5e5..792c3e4abd 100644
--- a/web/src/admin/admin-overview/charts/AdminLoginAuthorizeChart.ts
+++ b/web/src/admin/admin-overview/charts/AdminLoginAuthorizeChart.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { EventChart } from "#elements/charts/EventChart";
 
@@ -12,7 +12,7 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-charts-admin-login-authorization")
 export class AdminLoginAuthorizeChart extends EventChart {
     async apiRequest(): Promise<EventVolume[]> {
-        return new EventsApi(DEFAULT_CONFIG).eventsEventsVolumeList({
+        return aki(EventsApi).eventsEventsVolumeList({
             actions: [
                 EventActions.AuthorizeApplication,
                 EventActions.Login,
diff --git a/web/src/admin/admin-overview/charts/AdminModelPerDay.ts b/web/src/admin/admin-overview/charts/AdminModelPerDay.ts
index 310a1149e3..78e9e2a922 100644
--- a/web/src/admin/admin-overview/charts/AdminModelPerDay.ts
+++ b/web/src/admin/admin-overview/charts/AdminModelPerDay.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { EventChart } from "#elements/charts/EventChart";
 
@@ -26,7 +26,7 @@ export class AdminModelPerDay extends EventChart {
     query?: EventsEventsVolumeListRequest;
 
     async apiRequest(): Promise<EventVolume[]> {
-        return new EventsApi(DEFAULT_CONFIG).eventsEventsVolumeList({
+        return aki(EventsApi).eventsEventsVolumeList({
             action: this.action,
             historyDays: 30,
             ...this.query,
diff --git a/web/src/admin/admin-overview/charts/OutpostStatusChart.ts b/web/src/admin/admin-overview/charts/OutpostStatusChart.ts
index e84980bdba..1098bb0077 100644
--- a/web/src/admin/admin-overview/charts/OutpostStatusChart.ts
+++ b/web/src/admin/admin-overview/charts/OutpostStatusChart.ts
@@ -1,6 +1,6 @@
 import "#elements/forms/ConfirmationForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKChart } from "#elements/charts/Chart";
 import { actionToColor } from "#elements/charts/EventChart";
@@ -34,7 +34,7 @@ export class OutpostStatusChart extends AKChart<SummarizedSyncStatus[]> {
     }
 
     async apiRequest(): Promise<SummarizedSyncStatus[]> {
-        const api = new OutpostsApi(DEFAULT_CONFIG);
+        const api = aki(OutpostsApi);
         const outposts = await api.outpostsInstancesList({});
         const outpostStats: SummarizedSyncStatus[] = [];
         await Promise.all(
diff --git a/web/src/admin/admin-overview/charts/SyncStatusChart.ts b/web/src/admin/admin-overview/charts/SyncStatusChart.ts
index d74d567737..7b979b9d17 100644
--- a/web/src/admin/admin-overview/charts/SyncStatusChart.ts
+++ b/web/src/admin/admin-overview/charts/SyncStatusChart.ts
@@ -1,6 +1,6 @@
 import "#elements/forms/ConfirmationForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKChart } from "#elements/charts/Chart";
 import { actionToColor } from "#elements/charts/EventChart";
@@ -113,10 +113,10 @@ export class SyncStatusChart extends AKChart<SummarizedSyncStatus[]> {
         const statuses = [
             await this.fetchStatus(
                 () => {
-                    return new ProvidersApi(DEFAULT_CONFIG).providersScimList();
+                    return aki(ProvidersApi).providersScimList();
                 },
                 (element) => {
-                    return new ProvidersApi(DEFAULT_CONFIG).providersScimSyncStatusRetrieve({
+                    return aki(ProvidersApi).providersScimSyncStatusRetrieve({
                         id: element.pk,
                     });
                 },
@@ -124,12 +124,10 @@ export class SyncStatusChart extends AKChart<SummarizedSyncStatus[]> {
             ),
             await this.fetchStatus(
                 () => {
-                    return new ProvidersApi(DEFAULT_CONFIG).providersGoogleWorkspaceList();
+                    return aki(ProvidersApi).providersGoogleWorkspaceList();
                 },
                 (element) => {
-                    return new ProvidersApi(
-                        DEFAULT_CONFIG,
-                    ).providersGoogleWorkspaceSyncStatusRetrieve({
+                    return aki(ProvidersApi).providersGoogleWorkspaceSyncStatusRetrieve({
                         id: element.pk,
                     });
                 },
@@ -137,12 +135,10 @@ export class SyncStatusChart extends AKChart<SummarizedSyncStatus[]> {
             ),
             await this.fetchStatus(
                 () => {
-                    return new ProvidersApi(DEFAULT_CONFIG).providersMicrosoftEntraList();
+                    return aki(ProvidersApi).providersMicrosoftEntraList();
                 },
                 (element) => {
-                    return new ProvidersApi(
-                        DEFAULT_CONFIG,
-                    ).providersMicrosoftEntraSyncStatusRetrieve({
+                    return aki(ProvidersApi).providersMicrosoftEntraSyncStatusRetrieve({
                         id: element.pk,
                     });
                 },
@@ -150,10 +146,10 @@ export class SyncStatusChart extends AKChart<SummarizedSyncStatus[]> {
             ),
             await this.fetchStatus(
                 () => {
-                    return new SourcesApi(DEFAULT_CONFIG).sourcesLdapList();
+                    return aki(SourcesApi).sourcesLdapList();
                 },
                 (element) => {
-                    return new SourcesApi(DEFAULT_CONFIG).sourcesLdapSyncStatusRetrieve({
+                    return aki(SourcesApi).sourcesLdapSyncStatusRetrieve({
                         slug: element.slug,
                     });
                 },
@@ -161,10 +157,10 @@ export class SyncStatusChart extends AKChart<SummarizedSyncStatus[]> {
             ),
             await this.fetchStatus(
                 () => {
-                    return new SourcesApi(DEFAULT_CONFIG).sourcesKerberosList();
+                    return aki(SourcesApi).sourcesKerberosList();
                 },
                 (element) => {
-                    return new SourcesApi(DEFAULT_CONFIG).sourcesKerberosSyncStatusRetrieve({
+                    return aki(SourcesApi).sourcesKerberosSyncStatusRetrieve({
                         slug: element.slug,
                     });
                 },
diff --git a/web/src/admin/admin-settings/AdminSettingsForm.ts b/web/src/admin/admin-settings/AdminSettingsForm.ts
index 69dbd4e177..e2558ba2f4 100644
--- a/web/src/admin/admin-settings/AdminSettingsForm.ts
+++ b/web/src/admin/admin-settings/AdminSettingsForm.ts
@@ -12,7 +12,7 @@ import "#elements/Alert";
 
 import { akFooterLinkInput, IFooterLinkInput } from "./AdminSettingsFooterLinks.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { Form } from "#elements/forms/Form";
 import { SlottedTemplateResult } from "#elements/types";
@@ -51,7 +51,7 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
     }
 
     async send(settingsRequest: SettingsRequest): Promise<Settings> {
-        const result = await new AdminApi(DEFAULT_CONFIG).adminSettingsUpdate({
+        const result = await aki(AdminApi).adminSettingsUpdate({
             settingsRequest,
         });
 
diff --git a/web/src/admin/admin-settings/AdminSettingsPage.ts b/web/src/admin/admin-settings/AdminSettingsPage.ts
index bfc90f452c..655fafb867 100644
--- a/web/src/admin/admin-settings/AdminSettingsPage.ts
+++ b/web/src/admin/admin-settings/AdminSettingsPage.ts
@@ -7,7 +7,7 @@ import "#elements/buttons/ModalButton";
 import "#elements/buttons/SpinnerButton/ak-spinner-button";
 import "#elements/forms/ModalForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKElement } from "#elements/Base";
 
@@ -57,9 +57,11 @@ export class AdminSettingsPage extends AKElement {
     }
 
     #refresh = () => {
-        return new AdminApi(DEFAULT_CONFIG).adminSettingsRetrieve().then((settings) => {
-            this.settings = settings;
-        });
+        return aki(AdminApi)
+            .adminSettingsRetrieve()
+            .then((settings) => {
+                this.settings = settings;
+            });
     };
 
     render() {
diff --git a/web/src/admin/ak-about-modal.ts b/web/src/admin/ak-about-modal.ts
index be67d50450..d75bb2ab91 100644
--- a/web/src/admin/ak-about-modal.ts
+++ b/web/src/admin/ak-about-modal.ts
@@ -1,6 +1,6 @@
 import "#elements/ak-progress-bar";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { globalAK } from "#common/global";
 
 import { asInvoker } from "#elements/dialogs";
@@ -80,7 +80,7 @@ export class AboutModal extends WithLicenseSummary(WithBrandConfig(AKModal)) {
 
     public static open = asInvoker(AboutModal);
 
-    #api = new AdminApi(DEFAULT_CONFIG);
+    #api = aki(AdminApi);
 
     protected canDebug = globalAK().config.capabilities.includes(CapabilitiesEnum.CanDebug);
 
diff --git a/web/src/admin/ak-admin-debug-page.ts b/web/src/admin/ak-admin-debug-page.ts
index b89517f1f8..b18dd94efd 100644
--- a/web/src/admin/ak-admin-debug-page.ts
+++ b/web/src/admin/ak-admin-debug-page.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { parseAPIResponseError, pluckErrorDetail } from "#common/errors/network";
 import { MessageLevel } from "#common/messages";
 
@@ -46,7 +46,7 @@ export class DebugPage extends AKElement {
                             <button
                                 class="pf-c-button pf-m-primary"
                                 @click=${() => {
-                                    new AdminApi(DEFAULT_CONFIG)
+                                    aki(AdminApi)
                                         .adminSystemCreate()
                                         .then(() => {
                                             showMessage({
diff --git a/web/src/admin/applications/ApplicationAuthorizeChart.ts b/web/src/admin/applications/ApplicationAuthorizeChart.ts
index 04b12ffa11..24fb8edce9 100644
--- a/web/src/admin/applications/ApplicationAuthorizeChart.ts
+++ b/web/src/admin/applications/ApplicationAuthorizeChart.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { EventChart } from "#elements/charts/EventChart";
 
@@ -15,7 +15,7 @@ export class ApplicationAuthorizeChart extends EventChart {
     applicationId!: string;
 
     async apiRequest(): Promise<EventVolume[]> {
-        return new EventsApi(DEFAULT_CONFIG).eventsEventsVolumeList({
+        return aki(EventsApi).eventsEventsVolumeList({
             action: EventActions.AuthorizeApplication,
             contextAuthorizedApp: this.applicationId.replaceAll("-", ""),
         });
diff --git a/web/src/admin/applications/ApplicationCheckAccessForm.ts b/web/src/admin/applications/ApplicationCheckAccessForm.ts
index df7c4a5aa5..25be8eab6b 100644
--- a/web/src/admin/applications/ApplicationCheckAccessForm.ts
+++ b/web/src/admin/applications/ApplicationCheckAccessForm.ts
@@ -3,7 +3,7 @@ import "#elements/events/LogViewer";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PFSize } from "#common/enums";
 import { APIMessage, MessageLevel } from "#common/messages";
 
@@ -34,7 +34,7 @@ export class ApplicationCheckAccessForm extends Form<{ forUser: number }> {
 
     static styles: CSSResult[] = [...super.styles, PFDescriptionList];
 
-    #api = new CoreApi(DEFAULT_CONFIG);
+    #api = aki(CoreApi);
 
     public override size = PFSize.XLarge;
 
diff --git a/web/src/admin/applications/ApplicationForm.ts b/web/src/admin/applications/ApplicationForm.ts
index 452cecca83..16f2c00fed 100644
--- a/web/src/admin/applications/ApplicationForm.ts
+++ b/web/src/admin/applications/ApplicationForm.ts
@@ -15,7 +15,7 @@ import "#admin/applications/ak-provider-table";
 import "#admin/applications/components/ak-backchannel-input";
 import "#admin/applications/components/ak-provider-search-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 import { WithCapabilitiesConfig } from "#elements/mixins/capabilities";
@@ -38,7 +38,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
  */
 @customElement("ak-application-form")
 export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Application, string>) {
-    #api = new CoreApi(DEFAULT_CONFIG);
+    #api = aki(CoreApi);
 
     public static override verboseName = msg("Application");
     public static override verboseNamePlural = msg("Applications");
diff --git a/web/src/admin/applications/ApplicationListPage.ts b/web/src/admin/applications/ApplicationListPage.ts
index f888e8351c..858108a1f6 100644
--- a/web/src/admin/applications/ApplicationListPage.ts
+++ b/web/src/admin/applications/ApplicationListPage.ts
@@ -8,7 +8,7 @@ import "#elements/forms/ModalForm";
 import "#elements/dialogs/ak-modal";
 import "#admin/applications/ApplicationForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButton } from "#elements/dialogs";
 import { WithBrandConfig } from "#elements/mixins/branding";
@@ -62,7 +62,7 @@ export class ApplicationListPage extends WithBrandConfig(TablePage<Application>)
     public order = "name";
 
     async apiEndpoint(): Promise<PaginatedResponse<Application>> {
-        return new CoreApi(DEFAULT_CONFIG).coreApplicationsList({
+        return aki(CoreApi).coreApplicationsList({
             ...(await this.defaultEndpointConfig()),
             superuserFullList: true,
         });
@@ -106,12 +106,12 @@ export class ApplicationListPage extends WithBrandConfig(TablePage<Application>)
             object-label=${msg("Application(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: Application) => {
-                return new CoreApi(DEFAULT_CONFIG).coreApplicationsUsedByList({
+                return aki(CoreApi).coreApplicationsUsedByList({
                     slug: item.slug,
                 });
             }}
             .delete=${(item: Application) => {
-                return new CoreApi(DEFAULT_CONFIG).coreApplicationsDestroy({
+                return aki(CoreApi).coreApplicationsDestroy({
                     slug: item.slug,
                 });
             }}
@@ -228,7 +228,7 @@ export class ApplicationListPage extends WithBrandConfig(TablePage<Application>)
                 errorMessage=${msg("Failed to delete application cache")}
                 action=${msg("Clear Cache")}
                 .onConfirm=${() => {
-                    return new PoliciesApi(DEFAULT_CONFIG).policiesAllCacheClearCreate();
+                    return aki(PoliciesApi).policiesAllCacheClearCreate();
                 }}
             >
                 <span slot="header">${msg("Clear Application cache")}</span>
diff --git a/web/src/admin/applications/ApplicationViewPage.ts b/web/src/admin/applications/ApplicationViewPage.ts
index 3920ba5290..a7504ceecc 100644
--- a/web/src/admin/applications/ApplicationViewPage.ts
+++ b/web/src/admin/applications/ApplicationViewPage.ts
@@ -12,7 +12,7 @@ import "#elements/Tabs";
 import "#elements/buttons/SpinnerButton/ak-spinner-button";
 import "#admin/applications/ApplicationEvents";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { APIError, parseAPIResponseError, pluckErrorDetail } from "#common/errors/network";
 
 import { AKElement } from "#elements/Base";
@@ -94,7 +94,7 @@ export class ApplicationViewPage extends WithLicenseSummary(AKElement) {
     //#region Lifecycle
 
     protected fetchIsMissingOutpost(providersByPk: Array<number>) {
-        new OutpostsApi(DEFAULT_CONFIG)
+        aki(OutpostsApi)
             .outpostsInstancesList({
                 providersByPk,
                 pageSize: 1,
@@ -107,7 +107,7 @@ export class ApplicationViewPage extends WithLicenseSummary(AKElement) {
     }
 
     protected fetchApplication(slug: string) {
-        new CoreApi(DEFAULT_CONFIG)
+        aki(CoreApi)
             .coreApplicationsRetrieve({ slug })
             .then((app) => {
                 this.application = app;
@@ -120,7 +120,7 @@ export class ApplicationViewPage extends WithLicenseSummary(AKElement) {
                 ) {
                     this.fetchIsMissingOutpost([app.provider || 0]);
                 }
-                return new EventsApi(DEFAULT_CONFIG)
+                return aki(EventsApi)
                     .eventsEventsStatsRetrieve({
                         action: EventActions.AuthorizeApplication,
                         contextAuthorizedApp: app.pk.replaceAll("-", ""),
diff --git a/web/src/admin/applications/ak-provider-table.ts b/web/src/admin/applications/ak-provider-table.ts
index 1942bcccbb..8cb3233f67 100644
--- a/web/src/admin/applications/ak-provider-table.ts
+++ b/web/src/admin/applications/ak-provider-table.ts
@@ -1,6 +1,6 @@
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -23,7 +23,7 @@ export class ProviderTable extends Table<Provider> {
     public override order = "name";
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<Provider>> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersAllList({
+        return aki(ProvidersApi).providersAllList({
             ...(await this.defaultEndpointConfig()),
             backchannel: this.backchannel,
         });
diff --git a/web/src/admin/applications/components/ak-provider-search-input.ts b/web/src/admin/applications/components/ak-provider-search-input.ts
index 24457d1f75..c7e4f6ba03 100644
--- a/web/src/admin/applications/components/ak-provider-search-input.ts
+++ b/web/src/admin/applications/components/ak-provider-search-input.ts
@@ -1,7 +1,7 @@
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { groupBy } from "#common/utils";
 
 import { AKElement } from "#elements/Base";
@@ -75,7 +75,7 @@ export class AkProviderInput extends AKElement {
         const args: ProvidersAllListRequest = {
             ordering: "name",
         };
-        const api = new ProvidersApi(DEFAULT_CONFIG);
+        const api = aki(ProvidersApi);
         if (query !== undefined) {
             args.search = query;
         }
diff --git a/web/src/admin/applications/entitlements/ApplicationEntitlementForm.ts b/web/src/admin/applications/entitlements/ApplicationEntitlementForm.ts
index 9b7cbf6376..648f2cbdab 100644
--- a/web/src/admin/applications/entitlements/ApplicationEntitlementForm.ts
+++ b/web/src/admin/applications/entitlements/ApplicationEntitlementForm.ts
@@ -3,7 +3,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 
@@ -20,7 +20,7 @@ import PFContent from "@patternfly/patternfly/components/Content/content.css";
 @customElement("ak-application-entitlement-form")
 export class ApplicationEntitlementForm extends ModelForm<ApplicationEntitlement, string> {
     async loadInstance(pk: string): Promise<ApplicationEntitlement> {
-        return new CoreApi(DEFAULT_CONFIG).coreApplicationEntitlementsRetrieve({
+        return aki(CoreApi).coreApplicationEntitlementsRetrieve({
             pbmUuid: pk,
         });
     }
@@ -42,12 +42,12 @@ export class ApplicationEntitlementForm extends ModelForm<ApplicationEntitlement
             data.app = this.targetPk;
         }
         if (this.instance?.pbmUuid) {
-            return new CoreApi(DEFAULT_CONFIG).coreApplicationEntitlementsUpdate({
+            return aki(CoreApi).coreApplicationEntitlementsUpdate({
                 pbmUuid: this.instance.pbmUuid || "",
                 applicationEntitlementRequest: data,
             });
         }
-        return new CoreApi(DEFAULT_CONFIG).coreApplicationEntitlementsCreate({
+        return aki(CoreApi).coreApplicationEntitlementsCreate({
             applicationEntitlementRequest: data,
         });
     }
diff --git a/web/src/admin/applications/entitlements/ApplicationEntitlementPage.ts b/web/src/admin/applications/entitlements/ApplicationEntitlementPage.ts
index 9a09f9871c..151a727818 100644
--- a/web/src/admin/applications/entitlements/ApplicationEntitlementPage.ts
+++ b/web/src/admin/applications/entitlements/ApplicationEntitlementPage.ts
@@ -6,7 +6,7 @@ import "#elements/Tabs";
 import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PFSize } from "#common/enums";
 import { PolicyBindingCheckTarget } from "#common/policies/utils";
 
@@ -34,7 +34,7 @@ export class ApplicationEntitlementsPage extends Table<ApplicationEntitlement> {
     protected override searchEnabled = true;
 
     async apiEndpoint(): Promise<PaginatedResponse<ApplicationEntitlement>> {
-        return new CoreApi(DEFAULT_CONFIG).coreApplicationEntitlementsList({
+        return aki(CoreApi).coreApplicationEntitlementsList({
             ...(await this.defaultEndpointConfig()),
             app: this.app || "",
         });
@@ -52,12 +52,12 @@ export class ApplicationEntitlementsPage extends Table<ApplicationEntitlement> {
             object-label=${msg("Application entitlement(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: ApplicationEntitlement) => {
-                return new CoreApi(DEFAULT_CONFIG).coreApplicationEntitlementsUsedByList({
+                return aki(CoreApi).coreApplicationEntitlementsUsedByList({
                     pbmUuid: item.pbmUuid || "",
                 });
             }}
             .delete=${(item: ApplicationEntitlement) => {
-                return new CoreApi(DEFAULT_CONFIG).coreApplicationEntitlementsDestroy({
+                return aki(CoreApi).coreApplicationEntitlementsDestroy({
                     pbmUuid: item.pbmUuid || "",
                 });
             }}
diff --git a/web/src/admin/applications/wizard/ak-application-wizard.ts b/web/src/admin/applications/wizard/ak-application-wizard.ts
index 5701d34630..9229664a4e 100644
--- a/web/src/admin/applications/wizard/ak-application-wizard.ts
+++ b/web/src/admin/applications/wizard/ak-application-wizard.ts
@@ -6,7 +6,7 @@ import "#admin/applications/wizard/steps/ak-application-wizard-provider-choice-s
 import "#admin/applications/wizard/steps/ak-application-wizard-provider-step";
 import "#admin/applications/wizard/steps/ak-application-wizard-submit-step";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { assertEveryPresent } from "#common/utils";
 
 import { listen } from "#elements/decorators/listen";
@@ -56,7 +56,7 @@ export const providerTypePriority: ProviderModelNameEnum[] = [
 
 @customElement("ak-application-wizard")
 export class AKApplicationWizard extends CreateWizard {
-    #api = new ProvidersApi(DEFAULT_CONFIG);
+    #api = aki(ProvidersApi);
 
     public static override verboseName = msg("Application");
     public static override verboseNamePlural = msg("Applications");
diff --git a/web/src/admin/applications/wizard/steps/ak-application-wizard-edit-binding-step.ts b/web/src/admin/applications/wizard/steps/ak-application-wizard-edit-binding-step.ts
index 5008013bac..24f35f7a4a 100644
--- a/web/src/admin/applications/wizard/steps/ak-application-wizard-edit-binding-step.ts
+++ b/web/src/admin/applications/wizard/steps/ak-application-wizard-edit-binding-step.ts
@@ -8,7 +8,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/ak-search-select-ez";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import {
     createPassFailOptions,
     PolicyBindingCheckTarget,
@@ -100,7 +100,7 @@ export class ApplicationWizardEditBindingStep extends ApplicationWizardStep<Poli
             case PolicyBindingCheckTarget.Policy:
                 return {
                     fetchObjects: async (query) => {
-                        const policies = await new PoliciesApi(DEFAULT_CONFIG).policiesAllList(
+                        const policies = await aki(PoliciesApi).policiesAllList(
                             withQuery(query, {
                                 ordering: "name",
                             }),
@@ -117,7 +117,7 @@ export class ApplicationWizardEditBindingStep extends ApplicationWizardStep<Poli
             case PolicyBindingCheckTarget.Group:
                 return {
                     fetchObjects: async (query) => {
-                        const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(
+                        const groups = await aki(CoreApi).coreGroupsList(
                             withQuery(query, {
                                 ordering: "name",
                                 includeUsers: false,
@@ -133,7 +133,7 @@ export class ApplicationWizardEditBindingStep extends ApplicationWizardStep<Poli
             case PolicyBindingCheckTarget.User:
                 return {
                     fetchObjects: async (query) => {
-                        const users = await new CoreApi(DEFAULT_CONFIG).coreUsersList(
+                        const users = await aki(CoreApi).coreUsersList(
                             withQuery(query, {
                                 ordering: "username",
                             }),
diff --git a/web/src/admin/applications/wizard/steps/ak-application-wizard-submit-step.ts b/web/src/admin/applications/wizard/steps/ak-application-wizard-submit-step.ts
index 2bacaa752f..5e72978313 100644
--- a/web/src/admin/applications/wizard/steps/ak-application-wizard-submit-step.ts
+++ b/web/src/admin/applications/wizard/steps/ak-application-wizard-submit-step.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 import { parseAPIResponseError } from "#common/errors/network";
 
@@ -109,9 +109,9 @@ export class ApplicationWizardSubmitStep extends CustomEmitterElement(Applicatio
 
     async sendSAMLMetadataImport() {
         const providerData = this.wizard.provider as ProvidersSamlImportMetadataCreateRequest;
-        const providersApi = new ProvidersApi(DEFAULT_CONFIG);
-        const coreApi = new CoreApi(DEFAULT_CONFIG);
-        const policiesApi = new PoliciesApi(DEFAULT_CONFIG);
+        const providersApi = aki(ProvidersApi);
+        const coreApi = aki(CoreApi);
+        const policiesApi = aki(PoliciesApi);
 
         try {
             // Step 1: Import SAML metadata to create the provider
@@ -204,7 +204,7 @@ export class ApplicationWizardSubmitStep extends CustomEmitterElement(Applicatio
             policyBindings: (this.wizard.bindings ?? []).map(cleanBinding),
         };
 
-        return new CoreApi(DEFAULT_CONFIG)
+        return aki(CoreApi)
             .coreTransactionalApplicationsUpdate({
                 transactionApplicationRequest: request,
             })
diff --git a/web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-oauth.ts b/web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-oauth.ts
index d4a11985c2..f436495c1d 100644
--- a/web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-oauth.ts
+++ b/web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-oauth.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ApplicationWizardProviderForm } from "#admin/applications/wizard/steps/providers/ApplicationWizardProviderForm";
 import { ApplicationTransactionValidationError } from "#admin/applications/wizard/steps/providers/shared";
@@ -25,7 +25,7 @@ export class ApplicationWizardOauth2ProviderForm extends ApplicationWizardProvid
 
     constructor() {
         super();
-        new SourcesApi(DEFAULT_CONFIG)
+        aki(SourcesApi)
             .sourcesOauthList({
                 ordering: "name",
                 hasJwks: true,
diff --git a/web/src/admin/blueprints/BlueprintForm.ts b/web/src/admin/blueprints/BlueprintForm.ts
index 99c3e2a53c..72df4bfa1f 100644
--- a/web/src/admin/blueprints/BlueprintForm.ts
+++ b/web/src/admin/blueprints/BlueprintForm.ts
@@ -6,7 +6,7 @@ import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { docLink } from "#common/global";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -44,7 +44,7 @@ export class BlueprintForm extends ModelForm<BlueprintInstance, string> {
     }
 
     async loadInstance(pk: string): Promise<BlueprintInstance> {
-        const inst = await new ManagedApi(DEFAULT_CONFIG).managedBlueprintsRetrieve({
+        const inst = await aki(ManagedApi).managedBlueprintsRetrieve({
             instanceUuid: pk,
         });
         if (inst.path?.startsWith("oci://")) {
@@ -66,12 +66,12 @@ export class BlueprintForm extends ModelForm<BlueprintInstance, string> {
 
     async send(data: BlueprintInstance): Promise<BlueprintInstance> {
         if (this.instance?.pk) {
-            return new ManagedApi(DEFAULT_CONFIG).managedBlueprintsUpdate({
+            return aki(ManagedApi).managedBlueprintsUpdate({
                 instanceUuid: this.instance.pk,
                 blueprintInstanceRequest: data,
             });
         }
-        return new ManagedApi(DEFAULT_CONFIG).managedBlueprintsCreate({
+        return aki(ManagedApi).managedBlueprintsCreate({
             blueprintInstanceRequest: data,
         });
     }
@@ -112,9 +112,8 @@ export class BlueprintForm extends ModelForm<BlueprintInstance, string> {
                                   .fetchObjects=${async (
                                       query?: string,
                                   ): Promise<BlueprintFile[]> => {
-                                      const items = await new ManagedApi(
-                                          DEFAULT_CONFIG,
-                                      ).managedBlueprintsAvailableList();
+                                      const items =
+                                          await aki(ManagedApi).managedBlueprintsAvailableList();
                                       return items.filter((item) =>
                                           query ? item.path.includes(query) : true,
                                       );
diff --git a/web/src/admin/blueprints/BlueprintImportForm.ts b/web/src/admin/blueprints/BlueprintImportForm.ts
index 6efd31d32a..b54fde1d78 100644
--- a/web/src/admin/blueprints/BlueprintImportForm.ts
+++ b/web/src/admin/blueprints/BlueprintImportForm.ts
@@ -3,7 +3,7 @@ import "#elements/events/LogViewer";
 import "#elements/forms/HorizontalFormElement";
 import "#components/ak-toggle-group";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PFSize } from "#common/enums";
 
 import { Form } from "#elements/forms/Form";
@@ -69,7 +69,7 @@ export class BlueprintImportForm extends Form<ManagedBlueprintsImportCreateReque
             }
             data.file = file;
         }
-        const result = await new ManagedApi(DEFAULT_CONFIG).managedBlueprintsImportCreate(data);
+        const result = await aki(ManagedApi).managedBlueprintsImportCreate(data);
         if (!result.success) {
             this.result = result;
             throw new PreventFormSubmit("Failed to import blueprint");
@@ -152,9 +152,7 @@ export class BlueprintImportForm extends Form<ManagedBlueprintsImportCreateReque
                       <ak-search-select
                           placeholder=${msg("Select a blueprint...")}
                           .fetchObjects=${async (query?: string): Promise<BlueprintFile[]> => {
-                              const items = await new ManagedApi(
-                                  DEFAULT_CONFIG,
-                              ).managedBlueprintsAvailableList();
+                              const items = await aki(ManagedApi).managedBlueprintsAvailableList();
                               return items.filter((item) =>
                                   query ? item.path.includes(query) : true,
                               );
diff --git a/web/src/admin/blueprints/BlueprintListPage.ts b/web/src/admin/blueprints/BlueprintListPage.ts
index fc3d54d680..9b93b75f9c 100644
--- a/web/src/admin/blueprints/BlueprintListPage.ts
+++ b/web/src/admin/blueprints/BlueprintListPage.ts
@@ -10,7 +10,7 @@ import "#elements/tasks/TaskList";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 import "#elements/ak-mdx/ak-mdx";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 import { docLink } from "#common/global";
 
@@ -79,9 +79,7 @@ export class BlueprintListPage extends TablePage<BlueprintInstance> {
     public override order = "name";
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<BlueprintInstance>> {
-        return new ManagedApi(DEFAULT_CONFIG).managedBlueprintsList(
-            await this.defaultEndpointConfig(),
-        );
+        return aki(ManagedApi).managedBlueprintsList(await this.defaultEndpointConfig());
     }
 
     protected override columns: TableColumn[] = [
@@ -101,12 +99,12 @@ export class BlueprintListPage extends TablePage<BlueprintInstance> {
                 return [{ key: msg("Name"), value: item.name }];
             }}
             .usedBy=${(item: BlueprintInstance) => {
-                return new ManagedApi(DEFAULT_CONFIG).managedBlueprintsUsedByList({
+                return aki(ManagedApi).managedBlueprintsUsedByList({
                     instanceUuid: item.pk,
                 });
             }}
             .delete=${(item: BlueprintInstance) => {
-                return new ManagedApi(DEFAULT_CONFIG).managedBlueprintsDestroy({
+                return aki(ManagedApi).managedBlueprintsDestroy({
                     instanceUuid: item.pk,
                 });
             }}
@@ -172,7 +170,7 @@ export class BlueprintListPage extends TablePage<BlueprintInstance> {
                     class="pf-m-plain"
                     label=${msg(str`Apply "${item.name}" blueprint`)}
                     .apiRequest=${() => {
-                        return new ManagedApi(DEFAULT_CONFIG)
+                        return aki(ManagedApi)
                             .managedBlueprintsApplyCreate({
                                 instanceUuid: item.pk,
                             })
diff --git a/web/src/admin/brands/BrandForm.ts b/web/src/admin/brands/BrandForm.ts
index 272b899314..c35ca70a31 100644
--- a/web/src/admin/brands/BrandForm.ts
+++ b/web/src/admin/brands/BrandForm.ts
@@ -11,7 +11,7 @@ import "#components/ak-text-input";
 import "#components/ak-switch-input";
 import "#components/ak-file-search-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { DefaultBrand } from "#common/ui/config";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -44,8 +44,8 @@ export class BrandForm extends ModelForm<Brand, string> {
     public static override verboseName = msg("Brand");
     public static override verboseNamePlural = msg("Brands");
 
-    #coreAPI = new CoreApi(DEFAULT_CONFIG);
-    #flowsAPI = new FlowsApi(DEFAULT_CONFIG);
+    #coreAPI = aki(CoreApi);
+    #flowsAPI = aki(FlowsApi);
 
     @state()
     protected lockdownFlowAuthentication: AuthenticationEnum | null = null;
@@ -217,9 +217,7 @@ export class BrandForm extends ModelForm<Brand, string> {
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const users = await new CoreApi(
-                                    DEFAULT_CONFIG,
-                                ).coreApplicationsList(args);
+                                const users = await aki(CoreApi).coreApplicationsList(args);
 
                                 return users.results;
                             }}
diff --git a/web/src/admin/brands/BrandListPage.ts b/web/src/admin/brands/BrandListPage.ts
index 75b6cb7b03..f8a784d61b 100644
--- a/web/src/admin/brands/BrandListPage.ts
+++ b/web/src/admin/brands/BrandListPage.ts
@@ -6,7 +6,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButton, ModalInvokerButton } from "#elements/dialogs";
 import { PaginatedResponse, TableColumn } from "#elements/table/Table";
@@ -36,7 +36,7 @@ export class BrandListPage extends TablePage<Brand> {
     order = "domain";
 
     async apiEndpoint(): Promise<PaginatedResponse<Brand>> {
-        return new CoreApi(DEFAULT_CONFIG).coreBrandsList(await this.defaultEndpointConfig());
+        return aki(CoreApi).coreBrandsList(await this.defaultEndpointConfig());
     }
 
     protected override rowLabel(item: Brand): string | null {
@@ -60,12 +60,12 @@ export class BrandListPage extends TablePage<Brand> {
                 return [{ key: msg("Domain"), value: item.domain }];
             }}
             .usedBy=${(item: Brand) => {
-                return new CoreApi(DEFAULT_CONFIG).coreBrandsUsedByList({
+                return aki(CoreApi).coreBrandsUsedByList({
                     brandUuid: item.brandUuid,
                 });
             }}
             .delete=${(item: Brand) => {
-                return new CoreApi(DEFAULT_CONFIG).coreBrandsDestroy({
+                return aki(CoreApi).coreBrandsDestroy({
                     brandUuid: item.brandUuid,
                 });
             }}
diff --git a/web/src/admin/brands/Certificates.ts b/web/src/admin/brands/Certificates.ts
index ca7d8d39ca..bc679d64ff 100644
--- a/web/src/admin/brands/Certificates.ts
+++ b/web/src/admin/brands/Certificates.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import {
     DataProvider,
@@ -17,7 +17,7 @@ export const certificateProvider: DataProvider = async (
     page = 1,
     search = "",
 ): Promise<DataProvision> => {
-    return new CryptoApi(DEFAULT_CONFIG)
+    return aki(CryptoApi)
         .cryptoCertificatekeypairsList({
             ordering: "name",
             pageSize: 20,
@@ -41,7 +41,7 @@ export function certificateSelector(
     }
 
     return async () => {
-        const pm = new CryptoApi(DEFAULT_CONFIG);
+        const pm = aki(CryptoApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.cryptoCertificatekeypairsRetrieve({ kpUuid: instanceId }),
diff --git a/web/src/admin/common/ak-core-group-search.ts b/web/src/admin/common/ak-core-group-search.ts
index 10f58ad9a7..fd66166455 100644
--- a/web/src/admin/common/ak-core-group-search.ts
+++ b/web/src/admin/common/ak-core-group-search.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKElement } from "#elements/Base";
 import { ISearchSelect } from "#elements/forms/SearchSelect/ak-search-select";
@@ -17,7 +17,7 @@ async function fetchObjects(query?: string): Promise<Group[]> {
     if (query !== undefined) {
         args.search = query;
     }
-    const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(args);
+    const groups = await aki(CoreApi).coreGroupsList(args);
     return groups.results;
 }
 
diff --git a/web/src/admin/common/ak-crypto-certificate-search.ts b/web/src/admin/common/ak-crypto-certificate-search.ts
index ccb44a1f79..48147fbe37 100644
--- a/web/src/admin/common/ak-crypto-certificate-search.ts
+++ b/web/src/admin/common/ak-crypto-certificate-search.ts
@@ -1,6 +1,6 @@
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKElement } from "#elements/Base";
 import { ISearchSelect } from "#elements/forms/SearchSelect/ak-search-select";
@@ -115,9 +115,7 @@ export class AkCryptoCertificateSearch extends CustomListenerElement(AKElement)
         if (this.allowedKeyTypes?.length) {
             args.keyType = this.allowedKeyTypes;
         }
-        const certificates = await new CryptoApi(DEFAULT_CONFIG).cryptoCertificatekeypairsList(
-            args,
-        );
+        const certificates = await aki(CryptoApi).cryptoCertificatekeypairsList(args);
         return certificates.results;
     };
 
diff --git a/web/src/admin/common/ak-flow-search/FlowSearch.ts b/web/src/admin/common/ak-flow-search/FlowSearch.ts
index ac99a30f0e..9b1d294084 100644
--- a/web/src/admin/common/ak-flow-search/FlowSearch.ts
+++ b/web/src/admin/common/ak-flow-search/FlowSearch.ts
@@ -1,6 +1,6 @@
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKElement } from "#elements/Base";
 import type { HorizontalFormElement } from "#elements/forms/HorizontalFormElement";
@@ -132,7 +132,9 @@ export abstract class FlowSearch<T extends Flow> extends CustomListenerElement(A
             ...(query ? { search: query } : {}),
         };
 
-        return new FlowsApi(DEFAULT_CONFIG).flowsInstancesList(args).then((flows) => flows.results);
+        return aki(FlowsApi)
+            .flowsInstancesList(args)
+            .then((flows) => flows.results);
     };
 
     /**
diff --git a/web/src/admin/common/ak-flow-search/ak-flow-search.stories.ts b/web/src/admin/common/ak-flow-search/ak-flow-search.stories.ts
index d4342b4945..0fa9a330be 100644
--- a/web/src/admin/common/ak-flow-search/ak-flow-search.stories.ts
+++ b/web/src/admin/common/ak-flow-search/ak-flow-search.stories.ts
@@ -101,11 +101,8 @@ const container = (testItem: TemplateResult) => {
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const displayChange = (ev: any) => {
-    document.getElementById("message-pad")!.innerText = `Value selected: ${JSON.stringify(
-        ev.target.value,
-        null,
-        2,
-    )}`;
+    document.getElementById("message-pad")!.innerText =
+        `Value selected: ${JSON.stringify(ev.target.value, null, 2)}`;
 };
 
 export const Default = () =>
diff --git a/web/src/admin/common/stories/ak-crypto-certificate-search.stories.ts b/web/src/admin/common/stories/ak-crypto-certificate-search.stories.ts
index 582de0e3b4..45501e0315 100644
--- a/web/src/admin/common/stories/ak-crypto-certificate-search.stories.ts
+++ b/web/src/admin/common/stories/ak-crypto-certificate-search.stories.ts
@@ -77,11 +77,8 @@ export const CryptoCertificateSearch = () => {
     const showMessage = (ev: CustomEvent<any>) => {
         const detail = ev.detail;
         delete detail.target;
-        document.getElementById("message-pad")!.innerText = `Event: ${JSON.stringify(
-            detail,
-            null,
-            2,
-        )}`;
+        document.getElementById("message-pad")!.innerText =
+            `Event: ${JSON.stringify(detail, null, 2)}`;
     };
 
     return container(
diff --git a/web/src/admin/crypto/CertificateGenerateForm.ts b/web/src/admin/crypto/CertificateGenerateForm.ts
index 898501cd72..0c5a85820a 100644
--- a/web/src/admin/crypto/CertificateGenerateForm.ts
+++ b/web/src/admin/crypto/CertificateGenerateForm.ts
@@ -3,7 +3,7 @@ import "#components/ak-number-input";
 import "#elements/forms/Radio";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { Form } from "#elements/forms/Form";
 
@@ -30,7 +30,7 @@ export class CryptoCertificateGenerateForm extends Form<CertificateGenerationReq
     }
 
     async send(data: CertificateGenerationRequest): Promise<CertificateKeyPair> {
-        return new CryptoApi(DEFAULT_CONFIG).cryptoCertificatekeypairsGenerateCreate({
+        return aki(CryptoApi).cryptoCertificatekeypairsGenerateCreate({
             certificateGenerationRequest: data,
         });
     }
diff --git a/web/src/admin/crypto/CertificateKeyPairForm.ts b/web/src/admin/crypto/CertificateKeyPairForm.ts
index 5a19e1431c..5c92f89536 100644
--- a/web/src/admin/crypto/CertificateKeyPairForm.ts
+++ b/web/src/admin/crypto/CertificateKeyPairForm.ts
@@ -3,7 +3,7 @@ import "#components/ak-text-input";
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 
@@ -23,7 +23,7 @@ export class CryptoCertificateForm extends ModelForm<CertificateKeyPair, string>
     public static override submittingVerb = msg("Importing");
 
     loadInstance(pk: string): Promise<CertificateKeyPair> {
-        return new CryptoApi(DEFAULT_CONFIG).cryptoCertificatekeypairsRetrieve({
+        return aki(CryptoApi).cryptoCertificatekeypairsRetrieve({
             kpUuid: pk,
         });
     }
@@ -36,12 +36,12 @@ export class CryptoCertificateForm extends ModelForm<CertificateKeyPair, string>
 
     async send(data: CertificateKeyPair): Promise<CertificateKeyPair> {
         if (this.instance) {
-            return new CryptoApi(DEFAULT_CONFIG).cryptoCertificatekeypairsPartialUpdate({
+            return aki(CryptoApi).cryptoCertificatekeypairsPartialUpdate({
                 kpUuid: this.instance.pk || "",
                 patchedCertificateKeyPairRequest: data,
             });
         }
-        return new CryptoApi(DEFAULT_CONFIG).cryptoCertificatekeypairsCreate({
+        return aki(CryptoApi).cryptoCertificatekeypairsCreate({
             certificateKeyPairRequest: data as unknown as CertificateKeyPairRequest,
         });
     }
diff --git a/web/src/admin/crypto/CertificateKeyPairListPage.ts b/web/src/admin/crypto/CertificateKeyPairListPage.ts
index a33b495004..a9499a2fec 100644
--- a/web/src/admin/crypto/CertificateKeyPairListPage.ts
+++ b/web/src/admin/crypto/CertificateKeyPairListPage.ts
@@ -7,7 +7,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModalInvokerButton } from "#elements/dialogs";
 import { PFColor } from "#elements/Label";
@@ -46,7 +46,7 @@ export class CertificateKeyPairListPage extends TablePage<CertificateKeyPair> {
     public override order = "name";
 
     async apiEndpoint(): Promise<PaginatedResponse<CertificateKeyPair>> {
-        return new CryptoApi(DEFAULT_CONFIG).cryptoCertificatekeypairsList({
+        return aki(CryptoApi).cryptoCertificatekeypairsList({
             ...(await this.defaultEndpointConfig()),
         });
     }
@@ -71,12 +71,12 @@ export class CertificateKeyPairListPage extends TablePage<CertificateKeyPair> {
                 ];
             }}
             .usedBy=${(item: CertificateKeyPair) => {
-                return new CryptoApi(DEFAULT_CONFIG).cryptoCertificatekeypairsUsedByList({
+                return aki(CryptoApi).cryptoCertificatekeypairsUsedByList({
                     kpUuid: item.pk,
                 });
             }}
             .delete=${(item: CertificateKeyPair) => {
-                return new CryptoApi(DEFAULT_CONFIG).cryptoCertificatekeypairsDestroy({
+                return aki(CryptoApi).cryptoCertificatekeypairsDestroy({
                     kpUuid: item.pk,
                 });
             }}
diff --git a/web/src/admin/endpoints/DeviceAccessGroupForm.ts b/web/src/admin/endpoints/DeviceAccessGroupForm.ts
index 1870f98868..b8c620c7ae 100644
--- a/web/src/admin/endpoints/DeviceAccessGroupForm.ts
+++ b/web/src/admin/endpoints/DeviceAccessGroupForm.ts
@@ -1,7 +1,7 @@
 import "#components/ak-text-input";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PFSize } from "#common/enums";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -27,7 +27,7 @@ export class DeviceAccessGroupForm extends WithBrandConfig(ModelForm<DeviceAcces
     public override size = PFSize.Small;
 
     protected override loadInstance(pk: string): Promise<DeviceAccessGroup> {
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsDeviceAccessGroupsRetrieve({
+        return aki(EndpointsApi).endpointsDeviceAccessGroupsRetrieve({
             pbmUuid: pk,
         });
     }
@@ -40,13 +40,13 @@ export class DeviceAccessGroupForm extends WithBrandConfig(ModelForm<DeviceAcces
 
     protected override async send(data: DeviceAccessGroup): Promise<DeviceAccessGroup> {
         if (this.instance) {
-            return new EndpointsApi(DEFAULT_CONFIG).endpointsDeviceAccessGroupsPartialUpdate({
+            return aki(EndpointsApi).endpointsDeviceAccessGroupsPartialUpdate({
                 pbmUuid: this.instance.pbmUuid,
                 patchedDeviceAccessGroupRequest: data,
             });
         }
 
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsDeviceAccessGroupsCreate({
+        return aki(EndpointsApi).endpointsDeviceAccessGroupsCreate({
             deviceAccessGroupRequest: data as unknown as DeviceAccessGroupRequest,
         });
     }
diff --git a/web/src/admin/endpoints/DeviceAccessGroupsListPage.ts b/web/src/admin/endpoints/DeviceAccessGroupsListPage.ts
index f3e92aa06a..3851e773ab 100644
--- a/web/src/admin/endpoints/DeviceAccessGroupsListPage.ts
+++ b/web/src/admin/endpoints/DeviceAccessGroupsListPage.ts
@@ -4,7 +4,7 @@ import "#admin/endpoints/DeviceAccessGroupForm";
 import "#admin/policies/BoundPoliciesList";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButton, ModalInvokerButton } from "#elements/dialogs";
 import { PaginatedResponse, TableColumn } from "#elements/table/Table";
@@ -36,7 +36,7 @@ export class DeviceAccessGroupsListPage extends TablePage<DeviceAccessGroup> {
     public override expandable = true;
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<DeviceAccessGroup>> {
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsDeviceAccessGroupsList(
+        return aki(EndpointsApi).endpointsDeviceAccessGroupsList(
             await this.defaultEndpointConfig(),
         );
     }
@@ -70,12 +70,12 @@ export class DeviceAccessGroupsListPage extends TablePage<DeviceAccessGroup> {
                 return [{ key: msg("Name"), value: item.name }];
             }}
             .usedBy=${(item: DeviceAccessGroup) => {
-                return new EndpointsApi(DEFAULT_CONFIG).endpointsDeviceAccessGroupsUsedByList({
+                return aki(EndpointsApi).endpointsDeviceAccessGroupsUsedByList({
                     pbmUuid: item.pbmUuid,
                 });
             }}
             .delete=${(item: DeviceAccessGroup) => {
-                return new EndpointsApi(DEFAULT_CONFIG).endpointsDeviceAccessGroupsDestroy({
+                return aki(EndpointsApi).endpointsDeviceAccessGroupsDestroy({
                     pbmUuid: item.pbmUuid,
                 });
             }}
diff --git a/web/src/admin/endpoints/ak-endpoints-device-group-search.ts b/web/src/admin/endpoints/ak-endpoints-device-group-search.ts
index aa07fcf69e..82316035a1 100644
--- a/web/src/admin/endpoints/ak-endpoints-device-group-search.ts
+++ b/web/src/admin/endpoints/ak-endpoints-device-group-search.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKElement } from "#elements/Base";
 import { ISearchSelect } from "#elements/forms/SearchSelect/ak-search-select";
@@ -21,7 +21,7 @@ async function fetchObjects(query?: string): Promise<DeviceAccessGroup[]> {
     if (query !== undefined) {
         args.search = query;
     }
-    const groups = await new EndpointsApi(DEFAULT_CONFIG).endpointsDeviceAccessGroupsList(args);
+    const groups = await aki(EndpointsApi).endpointsDeviceAccessGroupsList(args);
     return groups.results;
 }
 
diff --git a/web/src/admin/endpoints/connectors/ConnectorViewPage.ts b/web/src/admin/endpoints/connectors/ConnectorViewPage.ts
index 69c831ab9e..5d6dc26839 100644
--- a/web/src/admin/endpoints/connectors/ConnectorViewPage.ts
+++ b/web/src/admin/endpoints/connectors/ConnectorViewPage.ts
@@ -4,7 +4,7 @@ import "#admin/endpoints/connectors/gdtc/GoogleChromeConnectorViewPage";
 import "#elements/EmptyState";
 import "#elements/buttons/SpinnerButton/ak-spinner-button";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKElement } from "#elements/Base";
 
@@ -22,7 +22,7 @@ import PFPage from "@patternfly/patternfly/components/Page/page.css";
 export class ConnectorViewPage extends AKElement {
     @property({ type: String })
     set connectorID(value: string) {
-        new EndpointsApi(DEFAULT_CONFIG)
+        aki(EndpointsApi)
             .endpointsConnectorsRetrieve({
                 connectorUuid: value,
             })
diff --git a/web/src/admin/endpoints/connectors/ConnectorWizard.ts b/web/src/admin/endpoints/connectors/ConnectorWizard.ts
index 4f99fc578d..e952427f60 100644
--- a/web/src/admin/endpoints/connectors/ConnectorWizard.ts
+++ b/web/src/admin/endpoints/connectors/ConnectorWizard.ts
@@ -6,7 +6,7 @@ import "#elements/wizard/FormWizardPage";
 import "#elements/wizard/TypeCreateWizardPage";
 import "#elements/wizard/Wizard";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { SlottedTemplateResult } from "#elements/types";
 import { CreateWizard } from "#elements/wizard/CreateWizard";
@@ -19,7 +19,7 @@ import { customElement } from "@lit/reactive-element/decorators/custom-element.j
 
 @customElement("ak-endpoint-connector-wizard")
 export class AKEndpointConnectorWizard extends CreateWizard {
-    #api = new EndpointsApi(DEFAULT_CONFIG);
+    #api = aki(EndpointsApi);
 
     public static override verboseName = msg("Endpoint Connector");
     public static override verboseNamePlural = msg("Endpoint Connectors");
diff --git a/web/src/admin/endpoints/connectors/ConnectorsListPage.ts b/web/src/admin/endpoints/connectors/ConnectorsListPage.ts
index 1ab16fe315..d057ce9d0c 100644
--- a/web/src/admin/endpoints/connectors/ConnectorsListPage.ts
+++ b/web/src/admin/endpoints/connectors/ConnectorsListPage.ts
@@ -5,7 +5,7 @@ import "#admin/endpoints/connectors/gdtc/GoogleChromeConnectorForm";
 import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButtonByTagName, ModalInvokerButton } from "#elements/dialogs";
 import { PaginatedResponse, TableColumn } from "#elements/table/Table";
@@ -39,9 +39,7 @@ export class ConnectorsListPage extends TablePage<Connector> {
     public override checkbox = true;
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<Connector>> {
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsConnectorsList(
-            await this.defaultEndpointConfig(),
-        );
+        return aki(EndpointsApi).endpointsConnectorsList(await this.defaultEndpointConfig());
     }
 
     protected override row(item: Connector): SlottedTemplateResult[] {
@@ -67,12 +65,12 @@ export class ConnectorsListPage extends TablePage<Connector> {
                 return [{ key: msg("Name"), value: item.name }];
             }}
             .usedBy=${(item: Connector) => {
-                return new EndpointsApi(DEFAULT_CONFIG).endpointsConnectorsUsedByList({
+                return aki(EndpointsApi).endpointsConnectorsUsedByList({
                     connectorUuid: item.connectorUuid!,
                 });
             }}
             .delete=${(item: Connector) => {
-                return new EndpointsApi(DEFAULT_CONFIG).endpointsConnectorsDestroy({
+                return aki(EndpointsApi).endpointsConnectorsDestroy({
                     connectorUuid: item.connectorUuid!,
                 });
             }}
diff --git a/web/src/admin/endpoints/connectors/agent/AgentConnectorForm.ts b/web/src/admin/endpoints/connectors/agent/AgentConnectorForm.ts
index 45ee532c70..7dde141f9f 100644
--- a/web/src/admin/endpoints/connectors/agent/AgentConnectorForm.ts
+++ b/web/src/admin/endpoints/connectors/agent/AgentConnectorForm.ts
@@ -9,7 +9,7 @@ import "#admin/common/ak-crypto-certificate-search";
 import "#elements/utils/TimeDeltaHelp";
 import "#elements/ak-dual-select/ak-dual-select-dynamic-selected-provider";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 import { WithBrandConfig } from "#elements/mixins/branding";
@@ -35,7 +35,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-endpoints-connector-agent-form")
 export class AgentConnectorForm extends WithBrandConfig(ModelForm<AgentConnector, string>) {
     loadInstance(pk: string): Promise<AgentConnector> {
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsAgentsConnectorsRetrieve({
+        return aki(EndpointsApi).endpointsAgentsConnectorsRetrieve({
             connectorUuid: pk,
         });
     }
@@ -48,12 +48,12 @@ export class AgentConnectorForm extends WithBrandConfig(ModelForm<AgentConnector
 
     async send(data: AgentConnector): Promise<AgentConnector> {
         if (this.instance) {
-            return new EndpointsApi(DEFAULT_CONFIG).endpointsAgentsConnectorsPartialUpdate({
+            return aki(EndpointsApi).endpointsAgentsConnectorsPartialUpdate({
                 connectorUuid: this.instance.connectorUuid!,
                 patchedAgentConnectorRequest: data,
             });
         }
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsAgentsConnectorsCreate({
+        return aki(EndpointsApi).endpointsAgentsConnectorsCreate({
             agentConnectorRequest: data as unknown as AgentConnectorRequest,
         });
     }
diff --git a/web/src/admin/endpoints/connectors/agent/AgentConnectorSetup.ts b/web/src/admin/endpoints/connectors/agent/AgentConnectorSetup.ts
index 407a45ea33..ebc34d919d 100644
--- a/web/src/admin/endpoints/connectors/agent/AgentConnectorSetup.ts
+++ b/web/src/admin/endpoints/connectors/agent/AgentConnectorSetup.ts
@@ -2,7 +2,7 @@ import "#elements/buttons/ActionButton/ak-action-button";
 import "#elements/forms/SearchSelect/index";
 import "#admin/endpoints/connectors/agent/ConfigModal";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -122,9 +122,8 @@ export class AgentConnectorSetup extends AKElement {
                             if (query !== undefined) {
                                 args.search = query;
                             }
-                            const token = await new EndpointsApi(
-                                DEFAULT_CONFIG,
-                            ).endpointsAgentsEnrollmentTokensList(args);
+                            const token =
+                                await aki(EndpointsApi).endpointsAgentsEnrollmentTokensList(args);
                             return token.results;
                         }}
                         .renderElement=${(token: EnrollmentToken): string => {
diff --git a/web/src/admin/endpoints/connectors/agent/AgentConnectorViewPage.ts b/web/src/admin/endpoints/connectors/agent/AgentConnectorViewPage.ts
index c0890f6f77..136e3a2c61 100644
--- a/web/src/admin/endpoints/connectors/agent/AgentConnectorViewPage.ts
+++ b/web/src/admin/endpoints/connectors/agent/AgentConnectorViewPage.ts
@@ -4,7 +4,7 @@ import "#admin/rbac/ak-rbac-object-permission-page";
 import "#admin/endpoints/connectors/agent/EnrollmentTokenListPage";
 import "#admin/endpoints/connectors/agent/AgentConnectorSetup";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { APIError, parseAPIResponseError } from "#common/errors/network";
 
 import { AKElement } from "#elements/Base";
@@ -37,7 +37,7 @@ export class AgentConnectorViewPage extends AKElement {
     static styles: CSSResult[] = [PFCard, PFPage, PFGrid, PFButton, PFDescriptionList];
 
     protected fetchDevice(id: string) {
-        new EndpointsApi(DEFAULT_CONFIG)
+        aki(EndpointsApi)
             .endpointsAgentsConnectorsRetrieve({ connectorUuid: id })
             .then((conn) => {
                 this.connector = conn;
diff --git a/web/src/admin/endpoints/connectors/agent/ConfigModal.ts b/web/src/admin/endpoints/connectors/agent/ConfigModal.ts
index 7b5d474789..eb8d399429 100644
--- a/web/src/admin/endpoints/connectors/agent/ConfigModal.ts
+++ b/web/src/admin/endpoints/connectors/agent/ConfigModal.ts
@@ -2,7 +2,7 @@ import "#elements/CodeMirror";
 import "#elements/buttons/ActionButton/index";
 import "#elements/Expand";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { downloadFile } from "#common/download";
 import { parseAPIResponseError, pluckErrorDetail } from "#common/errors/network";
 import { MessageLevel } from "#common/messages";
@@ -52,7 +52,7 @@ export class ConfigModal extends ModalButton {
         super.connectedCallback();
         this.addEventListener("ak-modal-show", () => {
             if (!this.request) return;
-            new EndpointsApi(DEFAULT_CONFIG)
+            aki(EndpointsApi)
                 .endpointsAgentsConnectorsMdmConfigCreate(this.request)
                 .then((e) => {
                     this.config = e;
diff --git a/web/src/admin/endpoints/connectors/agent/EnrollmentTokenForm.ts b/web/src/admin/endpoints/connectors/agent/EnrollmentTokenForm.ts
index 78dd70805c..d8392b348b 100644
--- a/web/src/admin/endpoints/connectors/agent/EnrollmentTokenForm.ts
+++ b/web/src/admin/endpoints/connectors/agent/EnrollmentTokenForm.ts
@@ -5,7 +5,7 @@ import "#components/ak-number-input";
 import "#components/ak-switch-input";
 import "#admin/endpoints/ak-endpoints-device-group-search";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { dateTimeLocal } from "#common/temporal";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -29,7 +29,7 @@ const EXPIRATION_DURATION = 30 * 60 * 1000; // 30 minutes
  */
 @customElement("ak-endpoints-agent-enrollment-token-form")
 export class EnrollmentTokenForm extends WithBrandConfig(ModelForm<EnrollmentToken, string>) {
-    #api = new EndpointsApi(DEFAULT_CONFIG);
+    #api = aki(EndpointsApi);
 
     public static override verboseName = msg("Enrollment Token");
     public static override verboseNamePlural = msg("Enrollment Tokens");
@@ -49,9 +49,7 @@ export class EnrollmentTokenForm extends WithBrandConfig(ModelForm<EnrollmentTok
     }
 
     async loadInstance(pk: string): Promise<EnrollmentToken> {
-        const token = await new EndpointsApi(
-            DEFAULT_CONFIG,
-        ).endpointsAgentsEnrollmentTokensRetrieve({
+        const token = await aki(EndpointsApi).endpointsAgentsEnrollmentTokensRetrieve({
             tokenUuid: pk,
         });
 
diff --git a/web/src/admin/endpoints/connectors/agent/EnrollmentTokenListPage.ts b/web/src/admin/endpoints/connectors/agent/EnrollmentTokenListPage.ts
index 17d75c75ff..f14daaf1e0 100644
--- a/web/src/admin/endpoints/connectors/agent/EnrollmentTokenListPage.ts
+++ b/web/src/admin/endpoints/connectors/agent/EnrollmentTokenListPage.ts
@@ -6,7 +6,7 @@ import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 import "#components/ak-status-label";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEnrollmentTokenCopyButton } from "#elements/buttons/IconEnrollmentTokenCopyButton";
 import { IconEditButton, ModalInvokerButton } from "#elements/dialogs";
@@ -24,7 +24,7 @@ import { customElement, property } from "lit/decorators.js";
 
 @customElement("ak-endpoints-agent-enrollment-token-list")
 export class EnrollmentTokenListPage extends Table<EnrollmentToken> {
-    #api = new EndpointsApi(DEFAULT_CONFIG);
+    #api = aki(EndpointsApi);
 
     protected override searchEnabled = true;
     protected emptyStateMessage = msg("No enrollment tokens found for this connector.");
diff --git a/web/src/admin/endpoints/connectors/fleet/FleetConnectorForm.ts b/web/src/admin/endpoints/connectors/fleet/FleetConnectorForm.ts
index 79ec4fa375..629cb2d741 100644
--- a/web/src/admin/endpoints/connectors/fleet/FleetConnectorForm.ts
+++ b/web/src/admin/endpoints/connectors/fleet/FleetConnectorForm.ts
@@ -3,7 +3,7 @@ import "#components/ak-switch-input";
 import "#components/ak-text-input";
 import "#elements/forms/FormGroup";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 
@@ -16,7 +16,7 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-endpoints-connector-fleet-form")
 export class FleetConnectorForm extends ModelForm<FleetConnector, string> {
     loadInstance(pk: string): Promise<FleetConnector> {
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsFleetConnectorsRetrieve({
+        return aki(EndpointsApi).endpointsFleetConnectorsRetrieve({
             connectorUuid: pk,
         });
     }
@@ -29,12 +29,12 @@ export class FleetConnectorForm extends ModelForm<FleetConnector, string> {
 
     async send(data: FleetConnector): Promise<FleetConnector> {
         if (this.instance) {
-            return new EndpointsApi(DEFAULT_CONFIG).endpointsFleetConnectorsPartialUpdate({
+            return aki(EndpointsApi).endpointsFleetConnectorsPartialUpdate({
                 connectorUuid: this.instance.connectorUuid!,
                 patchedFleetConnectorRequest: data,
             });
         }
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsFleetConnectorsCreate({
+        return aki(EndpointsApi).endpointsFleetConnectorsCreate({
             fleetConnectorRequest: data as unknown as FleetConnectorRequest,
         });
     }
diff --git a/web/src/admin/endpoints/connectors/fleet/FleetConnectorViewPage.ts b/web/src/admin/endpoints/connectors/fleet/FleetConnectorViewPage.ts
index c0cb062ac2..c7648b44c4 100644
--- a/web/src/admin/endpoints/connectors/fleet/FleetConnectorViewPage.ts
+++ b/web/src/admin/endpoints/connectors/fleet/FleetConnectorViewPage.ts
@@ -5,7 +5,7 @@ import "#admin/rbac/ObjectPermissionModal";
 import "#elements/tasks/ScheduleList";
 import "#elements/tasks/TaskList";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { APIError, parseAPIResponseError } from "#common/errors/network";
 
 import { AKElement } from "#elements/Base";
@@ -41,7 +41,7 @@ export class FleetConnectorViewPage extends AKElement {
     static styles: CSSResult[] = [PFCard, PFPage, PFGrid, PFButton, PFDescriptionList];
 
     protected fetchDevice(id: string) {
-        new EndpointsApi(DEFAULT_CONFIG)
+        aki(EndpointsApi)
             .endpointsFleetConnectorsRetrieve({ connectorUuid: id })
             .then((conn) => {
                 this.connector = conn;
diff --git a/web/src/admin/endpoints/connectors/gdtc/GoogleChromeConnectorForm.ts b/web/src/admin/endpoints/connectors/gdtc/GoogleChromeConnectorForm.ts
index 6e83d3786c..69e4f38445 100644
--- a/web/src/admin/endpoints/connectors/gdtc/GoogleChromeConnectorForm.ts
+++ b/web/src/admin/endpoints/connectors/gdtc/GoogleChromeConnectorForm.ts
@@ -4,7 +4,7 @@ import "#components/ak-text-input";
 import "#elements/forms/FormGroup";
 import "#elements/CodeMirror";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 
@@ -17,7 +17,7 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-endpoints-connector-gdtc-form")
 export class GoogleChromeConnectorForm extends ModelForm<GoogleChromeConnector, string> {
     loadInstance(pk: string): Promise<GoogleChromeConnector> {
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsGoogleChromeConnectorsRetrieve({
+        return aki(EndpointsApi).endpointsGoogleChromeConnectorsRetrieve({
             connectorUuid: pk,
         });
     }
@@ -30,12 +30,12 @@ export class GoogleChromeConnectorForm extends ModelForm<GoogleChromeConnector,
 
     async send(data: GoogleChromeConnector): Promise<GoogleChromeConnector> {
         if (this.instance) {
-            return new EndpointsApi(DEFAULT_CONFIG).endpointsGoogleChromeConnectorsPartialUpdate({
+            return aki(EndpointsApi).endpointsGoogleChromeConnectorsPartialUpdate({
                 connectorUuid: this.instance.connectorUuid!,
                 patchedGoogleChromeConnectorRequest: data,
             });
         }
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsGoogleChromeConnectorsCreate({
+        return aki(EndpointsApi).endpointsGoogleChromeConnectorsCreate({
             googleChromeConnectorRequest: data,
         });
     }
diff --git a/web/src/admin/endpoints/connectors/gdtc/GoogleChromeConnectorViewPage.ts b/web/src/admin/endpoints/connectors/gdtc/GoogleChromeConnectorViewPage.ts
index 2a887f94e5..214b11995b 100644
--- a/web/src/admin/endpoints/connectors/gdtc/GoogleChromeConnectorViewPage.ts
+++ b/web/src/admin/endpoints/connectors/gdtc/GoogleChromeConnectorViewPage.ts
@@ -5,7 +5,7 @@ import "#admin/rbac/ObjectPermissionModal";
 import "#elements/tasks/ScheduleList";
 import "#elements/tasks/TaskList";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { APIError, parseAPIResponseError } from "#common/errors/network";
 
 import { AKElement } from "#elements/Base";
@@ -38,7 +38,7 @@ export class GoogleChromeConnectorViewPage extends AKElement {
     static styles: CSSResult[] = [PFCard, PFPage, PFGrid, PFButton, PFDescriptionList];
 
     protected fetchDevice(id: string) {
-        new EndpointsApi(DEFAULT_CONFIG)
+        aki(EndpointsApi)
             .endpointsGoogleChromeConnectorsRetrieve({ connectorUuid: id })
             .then((conn) => {
                 this.connector = conn;
diff --git a/web/src/admin/endpoints/devices/BoundDeviceUsersList.ts b/web/src/admin/endpoints/devices/BoundDeviceUsersList.ts
index b757f1f440..e055c1026a 100644
--- a/web/src/admin/endpoints/devices/BoundDeviceUsersList.ts
+++ b/web/src/admin/endpoints/devices/BoundDeviceUsersList.ts
@@ -5,7 +5,7 @@ import "#components/ak-status-label";
 import "#elements/forms/ModalForm";
 import "#admin/endpoints/devices/DeviceUserBindingForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PolicyBindingCheckTarget, PolicyBindingCheckTargetToLabel } from "#common/policies/utils";
 
 import { PaginatedResponse, TableColumn } from "#elements/table/Table";
@@ -22,7 +22,7 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-bound-device-users-list")
 export class BoundDeviceUsersList extends BoundPoliciesList<DeviceUserBinding> {
     async apiEndpoint(): Promise<PaginatedResponse<DeviceUserBinding>> {
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsDeviceBindingsList({
+        return aki(EndpointsApi).endpointsDeviceBindingsList({
             ...(await this.defaultEndpointConfig()),
             target: this.target || "",
         });
diff --git a/web/src/admin/endpoints/devices/DeviceAddHowTo.ts b/web/src/admin/endpoints/devices/DeviceAddHowTo.ts
index e9c26f9aa2..bf469dacb8 100644
--- a/web/src/admin/endpoints/devices/DeviceAddHowTo.ts
+++ b/web/src/admin/endpoints/devices/DeviceAddHowTo.ts
@@ -1,7 +1,7 @@
 import "#admin/endpoints/connectors/agent/AgentConnectorSetup";
 import "#elements/Tabs";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModalButton } from "#elements/buttons/ModalButton";
 
@@ -19,9 +19,11 @@ export class DeviceAddHowTo extends ModalButton {
     connectedCallback(): void {
         super.connectedCallback();
         this.addEventListener("ak-modal-show", () => {
-            new EndpointsApi(DEFAULT_CONFIG).endpointsConnectorsList().then((e) => {
-                this.connectors = e.results;
-            });
+            aki(EndpointsApi)
+                .endpointsConnectorsList()
+                .then((e) => {
+                    this.connectors = e.results;
+                });
         });
     }
 
diff --git a/web/src/admin/endpoints/devices/DeviceForm.ts b/web/src/admin/endpoints/devices/DeviceForm.ts
index 67b56ba4cc..81d6f1e813 100644
--- a/web/src/admin/endpoints/devices/DeviceForm.ts
+++ b/web/src/admin/endpoints/devices/DeviceForm.ts
@@ -5,7 +5,7 @@ import "#elements/utils/TimeDeltaHelp";
 import "#admin/endpoints/ak-endpoints-device-group-search";
 import "#elements/CodeMirror";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 
@@ -23,7 +23,7 @@ export class EndpointDeviceForm extends ModelForm<EndpointDevice, string> {
     public static override verboseName = msg("Device");
     public static override verboseNamePlural = msg("Devices");
     loadInstance(pk: string): Promise<EndpointDevice> {
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsDevicesRetrieve({
+        return aki(EndpointsApi).endpointsDevicesRetrieve({
             deviceUuid: pk,
         });
     }
@@ -33,7 +33,7 @@ export class EndpointDeviceForm extends ModelForm<EndpointDevice, string> {
     }
 
     async send(data: EndpointDevice): Promise<EndpointDevice> {
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsDevicesPartialUpdate({
+        return aki(EndpointsApi).endpointsDevicesPartialUpdate({
             deviceUuid: this.instance!.deviceUuid!,
             patchedEndpointDeviceRequest: data,
         });
diff --git a/web/src/admin/endpoints/devices/DeviceListPage.ts b/web/src/admin/endpoints/devices/DeviceListPage.ts
index 2f13cb2bca..d07fadd83e 100644
--- a/web/src/admin/endpoints/devices/DeviceListPage.ts
+++ b/web/src/admin/endpoints/devices/DeviceListPage.ts
@@ -2,7 +2,7 @@ import "#elements/cards/AggregateCard";
 import "#elements/forms/DeleteBulkForm";
 import "#admin/endpoints/devices/DeviceAddHowTo";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { modalInvoker } from "#elements/dialogs";
 import { PaginatedResponse, TableColumn, Timestamp } from "#elements/table/Table";
@@ -55,10 +55,8 @@ export class DeviceListPage extends TablePage<EndpointDevice> {
     summary?: DeviceSummary;
 
     async apiEndpoint(): Promise<PaginatedResponse<EndpointDevice>> {
-        this.summary = await new EndpointsApi(DEFAULT_CONFIG).endpointsDevicesSummaryRetrieve();
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsDevicesList(
-            await this.defaultEndpointConfig(),
-        );
+        this.summary = await aki(EndpointsApi).endpointsDevicesSummaryRetrieve();
+        return aki(EndpointsApi).endpointsDevicesList(await this.defaultEndpointConfig());
     }
 
     protected renderEmpty(inner?: TemplateResult): SlottedTemplateResult {
@@ -153,12 +151,12 @@ export class DeviceListPage extends TablePage<EndpointDevice> {
                 return [{ key: msg("Name"), value: item.name }];
             }}
             .usedBy=${(item: EndpointDevice) => {
-                return new EndpointsApi(DEFAULT_CONFIG).endpointsDevicesUsedByList({
+                return aki(EndpointsApi).endpointsDevicesUsedByList({
                     deviceUuid: item.deviceUuid!,
                 });
             }}
             .delete=${(item: EndpointDevice) => {
-                return new EndpointsApi(DEFAULT_CONFIG).endpointsDevicesDestroy({
+                return aki(EndpointsApi).endpointsDevicesDestroy({
                     deviceUuid: item.deviceUuid!,
                 });
             }}
diff --git a/web/src/admin/endpoints/devices/DeviceUserBindingForm.ts b/web/src/admin/endpoints/devices/DeviceUserBindingForm.ts
index 413a928802..6e384f94a5 100644
--- a/web/src/admin/endpoints/devices/DeviceUserBindingForm.ts
+++ b/web/src/admin/endpoints/devices/DeviceUserBindingForm.ts
@@ -1,6 +1,6 @@
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PolicyBindingCheckTarget } from "#common/policies/utils";
 
 import { PolicyBindingForm } from "#admin/policies/PolicyBindingForm";
@@ -14,7 +14,7 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-device-binding-form")
 export class DeviceUserBindingForm extends PolicyBindingForm<DeviceUserBinding> {
     async loadInstance(pk: string): Promise<DeviceUserBinding> {
-        const binding = await new EndpointsApi(DEFAULT_CONFIG).endpointsDeviceBindingsRetrieve({
+        const binding = await aki(EndpointsApi).endpointsDeviceBindingsRetrieve({
             policyBindingUuid: pk,
         });
         if (binding?.policyObj) {
@@ -50,12 +50,12 @@ export class DeviceUserBindingForm extends PolicyBindingForm<DeviceUserBinding>
         }
 
         if (this.instance?.pk) {
-            return new EndpointsApi(DEFAULT_CONFIG).endpointsDeviceBindingsUpdate({
+            return aki(EndpointsApi).endpointsDeviceBindingsUpdate({
                 policyBindingUuid: this.instance.pk,
                 deviceUserBindingRequest: data,
             });
         }
-        return new EndpointsApi(DEFAULT_CONFIG).endpointsDeviceBindingsCreate({
+        return aki(EndpointsApi).endpointsDeviceBindingsCreate({
             deviceUserBindingRequest: data,
         });
     }
diff --git a/web/src/admin/endpoints/devices/DeviceViewPage.ts b/web/src/admin/endpoints/devices/DeviceViewPage.ts
index dc29ed4e62..24aee6d15a 100644
--- a/web/src/admin/endpoints/devices/DeviceViewPage.ts
+++ b/web/src/admin/endpoints/devices/DeviceViewPage.ts
@@ -8,7 +8,7 @@ import "#admin/endpoints/devices/facts/DeviceGroupTable";
 import "#admin/endpoints/devices/DeviceEvents";
 import "#elements/Tabs";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { APIError, parseAPIResponseError } from "#common/errors/network";
 
 import { AKElement } from "#elements/Base";
@@ -48,7 +48,7 @@ export class DeviceViewPage extends AKElement {
     static styles: CSSResult[] = [PFCard, PFPage, PFGrid, PFStack, PFButton, PFDescriptionList];
 
     protected fetchDevice(id: string) {
-        new EndpointsApi(DEFAULT_CONFIG)
+        aki(EndpointsApi)
             .endpointsDevicesRetrieve({ deviceUuid: id })
             .then((dev) => {
                 this.device = dev;
diff --git a/web/src/admin/enterprise/EnterpriseLicenseForm.ts b/web/src/admin/enterprise/EnterpriseLicenseForm.ts
index d07eeeeb8c..afb1d39d09 100644
--- a/web/src/admin/enterprise/EnterpriseLicenseForm.ts
+++ b/web/src/admin/enterprise/EnterpriseLicenseForm.ts
@@ -3,7 +3,7 @@ import "#components/ak-text-input";
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH_ENTERPRISE } from "#common/constants";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -23,7 +23,7 @@ export class EnterpriseLicenseForm extends ModelForm<License, string> {
     public static override createLabel = msg("Install");
     public static override submitVerb = msg("Install");
 
-    #api = new EnterpriseApi(DEFAULT_CONFIG);
+    #api = aki(EnterpriseApi);
 
     @state()
     protected installID: string | null = null;
diff --git a/web/src/admin/enterprise/EnterpriseLicenseListPage.ts b/web/src/admin/enterprise/EnterpriseLicenseListPage.ts
index 6a0bf437e3..8adfb6b058 100644
--- a/web/src/admin/enterprise/EnterpriseLicenseListPage.ts
+++ b/web/src/admin/enterprise/EnterpriseLicenseListPage.ts
@@ -8,7 +8,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { docLink } from "#common/global";
 
 import { IconEditButton, ModalInvokerButton } from "#elements/dialogs";
@@ -77,16 +77,12 @@ export class EnterpriseLicenseListPage extends TablePage<License> {
     protected installID?: string;
 
     async apiEndpoint(): Promise<PaginatedResponse<License>> {
-        this.forecast = await new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseForecastRetrieve();
-        this.summary = await new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseSummaryRetrieve({
+        this.forecast = await aki(EnterpriseApi).enterpriseLicenseForecastRetrieve();
+        this.summary = await aki(EnterpriseApi).enterpriseLicenseSummaryRetrieve({
             cached: false,
         });
-        this.installID = (
-            await new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseInstallIdRetrieve()
-        ).installId;
-        return new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseList(
-            await this.defaultEndpointConfig(),
-        );
+        this.installID = (await aki(EnterpriseApi).enterpriseLicenseInstallIdRetrieve()).installId;
+        return aki(EnterpriseApi).enterpriseLicenseList(await this.defaultEndpointConfig());
     }
 
     protected columns: TableColumn[] = [
@@ -124,12 +120,12 @@ export class EnterpriseLicenseListPage extends TablePage<License> {
                 ];
             }}
             .usedBy=${(item: License) => {
-                return new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseUsedByList({
+                return aki(EnterpriseApi).enterpriseLicenseUsedByList({
                     licenseUuid: item.licenseUuid,
                 });
             }}
             .delete=${(item: License) => {
-                return new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseDestroy({
+                return aki(EnterpriseApi).enterpriseLicenseDestroy({
                     licenseUuid: item.licenseUuid,
                 });
             }}
diff --git a/web/src/admin/events/DataExportListPage.ts b/web/src/admin/events/DataExportListPage.ts
index 1228b63bcd..fd3737ea08 100644
--- a/web/src/admin/events/DataExportListPage.ts
+++ b/web/src/admin/events/DataExportListPage.ts
@@ -7,7 +7,7 @@ import "#elements/tasks/TaskList";
 import "#components/ak-status-label";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PFColor } from "#elements/Label";
 import { PaginatedResponse, TableColumn, Timestamp } from "#elements/table/Table";
@@ -41,9 +41,7 @@ export class DataExportListPage extends TablePage<DataExport> {
     static styles = [...TablePage.styles, PFDescriptionList];
 
     async apiEndpoint(): Promise<PaginatedResponse<DataExport>> {
-        return new ReportsApi(DEFAULT_CONFIG).reportsExportsList(
-            await this.defaultEndpointConfig(),
-        );
+        return aki(ReportsApi).reportsExportsList(await this.defaultEndpointConfig());
     }
 
     protected columns: TableColumn[] = [
@@ -67,7 +65,7 @@ export class DataExportListPage extends TablePage<DataExport> {
                 ];
             }}
             .delete=${(item: DataExport) => {
-                return new ReportsApi(DEFAULT_CONFIG).reportsExportsDestroy({
+                return aki(ReportsApi).reportsExportsDestroy({
                     id: item.id,
                 });
             }}
diff --git a/web/src/admin/events/EventListPage.ts b/web/src/admin/events/EventListPage.ts
index 08304f7841..488d2e3780 100644
--- a/web/src/admin/events/EventListPage.ts
+++ b/web/src/admin/events/EventListPage.ts
@@ -5,7 +5,7 @@ import "#components/ak-event-info";
 import "#elements/Tabs";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EventWithContext } from "#common/events";
 import { actionToLabel } from "#common/labels";
 
@@ -49,7 +49,7 @@ export class EventListPage extends WithLicenseSummary(TablePage<Event>) {
     ];
 
     async apiEndpoint(): Promise<PaginatedResponse<Event>> {
-        return new EventsApi(DEFAULT_CONFIG).eventsEventsList(await this.defaultEndpointConfig());
+        return aki(EventsApi).eventsEventsList(await this.defaultEndpointConfig());
     }
 
     protected columns: TableColumn[] = [
@@ -124,7 +124,7 @@ export class EventListPage extends WithLicenseSummary(TablePage<Event>) {
         return html`${super.renderToolbar()}
             <ak-reports-export-button
                 .createExport=${(params: EventsEventsExportCreateRequest) => {
-                    return new EventsApi(DEFAULT_CONFIG).eventsEventsExportCreate(params);
+                    return aki(EventsApi).eventsEventsExportCreate(params);
                 }}
                 .exportParams=${() => this.defaultEndpointConfig()}
             ></ak-reports-export-button>`;
diff --git a/web/src/admin/events/EventViewPage.ts b/web/src/admin/events/EventViewPage.ts
index 03933f6dc1..de58756e03 100644
--- a/web/src/admin/events/EventViewPage.ts
+++ b/web/src/admin/events/EventViewPage.ts
@@ -1,6 +1,6 @@
 import "#components/ak-event-info";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EventWithContext } from "#common/events";
 import { actionToLabel } from "#common/labels";
 
@@ -34,9 +34,11 @@ export class EventViewPage extends AKElement {
     static styles: CSSResult[] = [PFGrid, PFDescriptionList, PFPage, PFContent, PFCard];
 
     fetchEvent(eventUuid: string) {
-        new EventsApi(DEFAULT_CONFIG).eventsEventsRetrieve({ eventUuid }).then((ev) => {
-            this.event = ev as EventWithContext;
-        });
+        aki(EventsApi)
+            .eventsEventsRetrieve({ eventUuid })
+            .then((ev) => {
+                this.event = ev as EventWithContext;
+            });
     }
 
     willUpdate(changedProperties: PropertyValues<this>) {
diff --git a/web/src/admin/events/EventVolumeChart.ts b/web/src/admin/events/EventVolumeChart.ts
index aa12f50215..9d420999b7 100644
--- a/web/src/admin/events/EventVolumeChart.ts
+++ b/web/src/admin/events/EventVolumeChart.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { EventChart } from "#elements/charts/EventChart";
 
@@ -39,7 +39,7 @@ export class EventVolumeChart extends EventChart {
     ];
 
     apiRequest(): Promise<EventVolume[]> {
-        return new EventsApi(DEFAULT_CONFIG).eventsEventsVolumeList({
+        return aki(EventsApi).eventsEventsVolumeList({
             historyDays: 7,
             ...this._query,
         });
diff --git a/web/src/admin/events/ObjectChangelog.ts b/web/src/admin/events/ObjectChangelog.ts
index ac0c7de294..8af7743658 100644
--- a/web/src/admin/events/ObjectChangelog.ts
+++ b/web/src/admin/events/ObjectChangelog.ts
@@ -4,7 +4,7 @@ import "#elements/buttons/Dropdown";
 import "#elements/buttons/ModalButton";
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EventWithContext } from "#common/events";
 import { actionToLabel } from "#common/labels";
 
@@ -46,7 +46,7 @@ export class ObjectChangelog extends Table<Event> {
         if (this.targetModelName === "") {
             return Promise.reject();
         }
-        return new EventsApi(DEFAULT_CONFIG).eventsEventsList({
+        return aki(EventsApi).eventsEventsList({
             ...(await this.defaultEndpointConfig()),
             action: "model_",
             contextModelApp: appName,
diff --git a/web/src/admin/events/RuleForm.ts b/web/src/admin/events/RuleForm.ts
index dc40ab69a8..f87a0b25a4 100644
--- a/web/src/admin/events/RuleForm.ts
+++ b/web/src/admin/events/RuleForm.ts
@@ -7,7 +7,7 @@ import "#elements/forms/SearchSelect/index";
 
 import { eventTransportsProvider, eventTransportsSelector } from "./RuleFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { severityToLabel } from "#common/labels";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -36,13 +36,13 @@ export class RuleForm extends ModelForm<NotificationRule, string> {
     eventTransports?: PaginatedNotificationTransportList;
 
     loadInstance(pk: string): Promise<NotificationRule> {
-        return new EventsApi(DEFAULT_CONFIG).eventsRulesRetrieve({
+        return aki(EventsApi).eventsRulesRetrieve({
             pbmUuid: pk,
         });
     }
 
     async load(): Promise<void> {
-        this.eventTransports = await new EventsApi(DEFAULT_CONFIG).eventsTransportsList({
+        this.eventTransports = await aki(EventsApi).eventsTransportsList({
             ordering: "name",
         });
     }
@@ -55,12 +55,12 @@ export class RuleForm extends ModelForm<NotificationRule, string> {
 
     async send(data: NotificationRule): Promise<NotificationRule> {
         if (this.instance) {
-            return new EventsApi(DEFAULT_CONFIG).eventsRulesUpdate({
+            return aki(EventsApi).eventsRulesUpdate({
                 pbmUuid: this.instance.pk || "",
                 notificationRuleRequest: data,
             });
         }
-        return new EventsApi(DEFAULT_CONFIG).eventsRulesCreate({
+        return aki(EventsApi).eventsRulesCreate({
             notificationRuleRequest: data,
         });
     }
@@ -87,7 +87,7 @@ export class RuleForm extends ModelForm<NotificationRule, string> {
                             args.search = query;
                         }
 
-                        const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(args);
+                        const groups = await aki(CoreApi).coreGroupsList(args);
 
                         return groups.results;
                     }}
diff --git a/web/src/admin/events/RuleFormHelpers.ts b/web/src/admin/events/RuleFormHelpers.ts
index 9300388de9..668f34cd7f 100644
--- a/web/src/admin/events/RuleFormHelpers.ts
+++ b/web/src/admin/events/RuleFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DataProvider, DualSelectPair, DualSelectPairSource } from "#elements/ak-dual-select/types";
 
@@ -12,7 +12,7 @@ const transportToSelect = (transport: NotificationTransport): TransportSelect =>
 ];
 
 export const eventTransportsProvider: DataProvider = async (page = 1, search = "") => {
-    const eventTransports = await new EventsApi(DEFAULT_CONFIG).eventsTransportsList({
+    const eventTransports = await aki(EventsApi).eventsTransportsList({
         ordering: "name",
         pageSize: 20,
         search: search.trim(),
@@ -36,7 +36,7 @@ export function eventTransportsSelector(
     }
 
     return (async () => {
-        const transportsApi = new EventsApi(DEFAULT_CONFIG);
+        const transportsApi = aki(EventsApi);
         const transports = await Promise.allSettled(
             instanceTransports.map((instanceId) =>
                 transportsApi.eventsTransportsRetrieve({ uuid: instanceId }),
diff --git a/web/src/admin/events/RuleListPage.ts b/web/src/admin/events/RuleListPage.ts
index 27e4fd4069..09bfcfa40a 100644
--- a/web/src/admin/events/RuleListPage.ts
+++ b/web/src/admin/events/RuleListPage.ts
@@ -8,7 +8,7 @@ import "#elements/forms/ModalForm";
 import "#elements/tasks/TaskList";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { severityToLabel } from "#common/labels";
 
 import { IconEditButton, ModalInvokerButton } from "#elements/dialogs";
@@ -44,7 +44,7 @@ export class RuleListPage extends TablePage<NotificationRule> {
     public order = "name";
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<NotificationRule>> {
-        return new EventsApi(DEFAULT_CONFIG).eventsRulesList(await this.defaultEndpointConfig());
+        return aki(EventsApi).eventsRulesList(await this.defaultEndpointConfig());
     }
 
     protected columns: TableColumn[] = [
@@ -61,12 +61,12 @@ export class RuleListPage extends TablePage<NotificationRule> {
             object-label=${msg("Notification rule(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: NotificationRule) => {
-                return new EventsApi(DEFAULT_CONFIG).eventsRulesUsedByList({
+                return aki(EventsApi).eventsRulesUsedByList({
                     pbmUuid: item.pk,
                 });
             }}
             .delete=${(item: NotificationRule) => {
-                return new EventsApi(DEFAULT_CONFIG).eventsRulesDestroy({
+                return aki(EventsApi).eventsRulesDestroy({
                     pbmUuid: item.pk,
                 });
             }}
diff --git a/web/src/admin/events/SimpleEventTable.ts b/web/src/admin/events/SimpleEventTable.ts
index 30448a32fe..732db5fcab 100644
--- a/web/src/admin/events/SimpleEventTable.ts
+++ b/web/src/admin/events/SimpleEventTable.ts
@@ -1,6 +1,6 @@
 import "#components/ak-event-info";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EventWithContext } from "#common/events";
 import { actionToLabel } from "#common/labels";
 
@@ -26,7 +26,7 @@ export abstract class SimpleEventTable extends Table<Event> {
     expandable = true;
 
     async apiEndpoint(): Promise<PaginatedResponse<Event>> {
-        return new EventsApi(DEFAULT_CONFIG).eventsEventsList({
+        return aki(EventsApi).eventsEventsList({
             ...(await this.defaultEndpointConfig()),
             pageSize: this.pageSize,
             ...(await this.apiParameters()),
diff --git a/web/src/admin/events/TransportForm.ts b/web/src/admin/events/TransportForm.ts
index 8656dddfaa..0470cd38f5 100644
--- a/web/src/admin/events/TransportForm.ts
+++ b/web/src/admin/events/TransportForm.ts
@@ -6,7 +6,7 @@ import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/index";
 import "#admin/common/ak-crypto-certificate-search";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 
@@ -32,7 +32,7 @@ export class TransportForm extends ModelForm<NotificationTransport, string> {
     public static override verboseNamePlural = msg("Notification Transports");
 
     loadInstance(pk: string): Promise<NotificationTransport> {
-        return new EventsApi(DEFAULT_CONFIG)
+        return aki(EventsApi)
             .eventsTransportsRetrieve({
                 uuid: pk,
             })
@@ -42,7 +42,7 @@ export class TransportForm extends ModelForm<NotificationTransport, string> {
             });
     }
     async load(): Promise<void> {
-        this.templates = await new StagesApi(DEFAULT_CONFIG).stagesEmailTemplatesList();
+        this.templates = await aki(StagesApi).stagesEmailTemplatesList();
     }
 
     templates?: TypeCreate[];
@@ -61,12 +61,12 @@ export class TransportForm extends ModelForm<NotificationTransport, string> {
 
     async send(data: NotificationTransport): Promise<NotificationTransport> {
         if (this.instance) {
-            return new EventsApi(DEFAULT_CONFIG).eventsTransportsUpdate({
+            return aki(EventsApi).eventsTransportsUpdate({
                 uuid: this.instance.pk || "",
                 notificationTransportRequest: data,
             });
         }
-        return new EventsApi(DEFAULT_CONFIG).eventsTransportsCreate({
+        return aki(EventsApi).eventsTransportsCreate({
             notificationTransportRequest: data,
         });
     }
@@ -177,9 +177,8 @@ export class TransportForm extends ModelForm<NotificationTransport, string> {
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const items = await new PropertymappingsApi(
-                            DEFAULT_CONFIG,
-                        ).propertymappingsNotificationList(args);
+                        const items =
+                            await aki(PropertymappingsApi).propertymappingsNotificationList(args);
                         return items.results;
                     }}
                     .renderElement=${(item: NotificationWebhookMapping) => item.name}
@@ -206,9 +205,8 @@ export class TransportForm extends ModelForm<NotificationTransport, string> {
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const items = await new PropertymappingsApi(
-                            DEFAULT_CONFIG,
-                        ).propertymappingsNotificationList(args);
+                        const items =
+                            await aki(PropertymappingsApi).propertymappingsNotificationList(args);
                         return items.results;
                     }}
                     .renderElement=${(item: NotificationWebhookMapping): string => {
diff --git a/web/src/admin/events/TransportListPage.ts b/web/src/admin/events/TransportListPage.ts
index 8cd1ad7bf8..ed4435560b 100644
--- a/web/src/admin/events/TransportListPage.ts
+++ b/web/src/admin/events/TransportListPage.ts
@@ -7,7 +7,7 @@ import "#elements/forms/ModalForm";
 import "#elements/tasks/TaskList";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButton, ModalInvokerButton } from "#elements/dialogs";
 import { PaginatedResponse, TableColumn } from "#elements/table/Table";
@@ -41,9 +41,7 @@ export class TransportListPage extends TablePage<NotificationTransport> {
     public override order = "name";
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<NotificationTransport>> {
-        return new EventsApi(DEFAULT_CONFIG).eventsTransportsList(
-            await this.defaultEndpointConfig(),
-        );
+        return aki(EventsApi).eventsTransportsList(await this.defaultEndpointConfig());
     }
 
     protected override columns: TableColumn[] = [
@@ -58,12 +56,12 @@ export class TransportListPage extends TablePage<NotificationTransport> {
             object-label=${msg("Notification transport(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: NotificationTransport) => {
-                return new EventsApi(DEFAULT_CONFIG).eventsTransportsUsedByList({
+                return aki(EventsApi).eventsTransportsUsedByList({
                     uuid: item.pk,
                 });
             }}
             .delete=${(item: NotificationTransport) => {
-                return new EventsApi(DEFAULT_CONFIG).eventsTransportsDestroy({
+                return aki(EventsApi).eventsTransportsDestroy({
                     uuid: item.pk,
                 });
             }}
@@ -89,7 +87,7 @@ export class TransportListPage extends TablePage<NotificationTransport> {
                 <ak-action-button
                     class="pf-m-plain"
                     .apiRequest=${() => {
-                        return new EventsApi(DEFAULT_CONFIG).eventsTransportsTestCreate({
+                        return aki(EventsApi).eventsTransportsTestCreate({
                             uuid: item.pk || "",
                         });
                     }}
diff --git a/web/src/admin/files/FileListPage.ts b/web/src/admin/files/FileListPage.ts
index 35ff0762cb..090b127443 100644
--- a/web/src/admin/files/FileListPage.ts
+++ b/web/src/admin/files/FileListPage.ts
@@ -5,7 +5,7 @@ import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 import "#elements/EmptyState";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { createPaginatedResponse } from "#common/api/responses";
 import { docLink } from "#common/global";
 
@@ -43,7 +43,7 @@ export class FileListPage extends WithCapabilitiesConfig(TablePage<FileItem>) {
     public order: FileListOrderKey = "name";
 
     async apiEndpoint(): Promise<PaginatedResponse<FileItem>> {
-        const api = new AdminApi(DEFAULT_CONFIG);
+        const api = aki(AdminApi);
         // Cast necessary: API returns File objects but we only use name, url, and mimeType properties
         const items = (await api.adminFileList({
             usage: UsageEnum.Media,
@@ -77,12 +77,12 @@ export class FileListPage extends WithCapabilitiesConfig(TablePage<FileItem>) {
                 ];
             }}
             .usedBy=${(item: FileItem) => {
-                return new AdminApi(DEFAULT_CONFIG).adminFileUsedByList({
+                return aki(AdminApi).adminFileUsedByList({
                     name: item.name,
                 });
             }}
             .delete=${(item: FileItem) => {
-                return new AdminApi(DEFAULT_CONFIG).adminFileDestroy({
+                return aki(AdminApi).adminFileDestroy({
                     name: item.name,
                     usage: UsageEnum.Media,
                 });
diff --git a/web/src/admin/files/FileUploadForm.ts b/web/src/admin/files/FileUploadForm.ts
index 29760a0259..8f50621046 100644
--- a/web/src/admin/files/FileUploadForm.ts
+++ b/web/src/admin/files/FileUploadForm.ts
@@ -1,6 +1,6 @@
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { docLink } from "#common/global";
 import { MessageLevel } from "#common/messages";
 
@@ -80,7 +80,7 @@ export class FileUploadForm extends Form<Record<string, unknown>> {
             throw new PreventFormSubmit("Selected file not provided", this);
         }
 
-        const api = new AdminApi(DEFAULT_CONFIG);
+        const api = aki(AdminApi);
         const customName = typeof data.name === "string" ? data.name.trim() : "";
 
         // If custom name provided, append original file extension; otherwise use original filename
diff --git a/web/src/admin/flows/BoundStagesList.ts b/web/src/admin/flows/BoundStagesList.ts
index b709787357..7f8c78d4c4 100644
--- a/web/src/admin/flows/BoundStagesList.ts
+++ b/web/src/admin/flows/BoundStagesList.ts
@@ -5,7 +5,7 @@ import "#elements/Tabs";
 import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { modalInvoker } from "#elements/dialogs";
 import { IconPermissionButton } from "#elements/dialogs/components/IconPermissionButton";
@@ -25,7 +25,7 @@ import { customElement, property } from "lit/decorators.js";
 
 @customElement("ak-bound-stages-list")
 export class BoundStagesList extends Table<FlowStageBinding> {
-    protected flowsAPI = new FlowsApi(DEFAULT_CONFIG);
+    protected flowsAPI = aki(FlowsApi);
 
     public override expandable = true;
     public override checkbox = true;
diff --git a/web/src/admin/flows/FlowDiagram.ts b/web/src/admin/flows/FlowDiagram.ts
index 93be6b50ca..f2e93d7650 100644
--- a/web/src/admin/flows/FlowDiagram.ts
+++ b/web/src/admin/flows/FlowDiagram.ts
@@ -1,6 +1,6 @@
 import "#elements/EmptyState";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { Diagram } from "#elements/Diagram";
 
@@ -15,7 +15,7 @@ export class FlowDiagram extends Diagram {
 
     refreshHandler = (): void => {
         this.diagram = undefined;
-        new FlowsApi(DEFAULT_CONFIG)
+        aki(FlowsApi)
             .flowsInstancesDiagramRetrieve({
                 slug: this.flowSlug || "",
             })
diff --git a/web/src/admin/flows/FlowForm.ts b/web/src/admin/flows/FlowForm.ts
index 77881cdcca..6e0c65c44d 100644
--- a/web/src/admin/flows/FlowForm.ts
+++ b/web/src/admin/flows/FlowForm.ts
@@ -6,7 +6,7 @@ import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/Radio";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 import { WithCapabilitiesConfig } from "#elements/mixins/capabilities";
@@ -41,7 +41,7 @@ export class FlowForm extends WithCapabilitiesConfig(ModelForm<Flow, string>) {
     public static override verboseName = msg("Flow");
     public static override verboseNamePlural = msg("Flows");
 
-    #api = new FlowsApi(DEFAULT_CONFIG);
+    #api = aki(FlowsApi);
 
     protected override async loadInstance(pk: string): Promise<Flow> {
         return this.#api.flowsInstancesRetrieve({
diff --git a/web/src/admin/flows/FlowListPage.ts b/web/src/admin/flows/FlowListPage.ts
index a3a45d67fa..1210a7132a 100644
--- a/web/src/admin/flows/FlowListPage.ts
+++ b/web/src/admin/flows/FlowListPage.ts
@@ -6,7 +6,8 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { AndNext, DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
+import { AndNext } from "#common/api/config";
 import { docLink } from "#common/global";
 import { groupBy } from "#common/utils";
 
@@ -45,7 +46,7 @@ export class FlowListPage extends TablePage<Flow> {
     public override order = "slug";
 
     async apiEndpoint(): Promise<PaginatedResponse<Flow>> {
-        return new FlowsApi(DEFAULT_CONFIG).flowsInstancesList(await this.defaultEndpointConfig());
+        return aki(FlowsApi).flowsInstancesList(await this.defaultEndpointConfig());
     }
 
     groupBy(items: Flow[]): [string, Flow[]][] {
@@ -68,12 +69,12 @@ export class FlowListPage extends TablePage<Flow> {
             object-label=${msg("Flow(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: Flow) => {
-                return new FlowsApi(DEFAULT_CONFIG).flowsInstancesUsedByList({
+                return aki(FlowsApi).flowsInstancesUsedByList({
                     slug: item.slug,
                 });
             }}
             .delete=${(item: Flow) => {
-                return new FlowsApi(DEFAULT_CONFIG).flowsInstancesDestroy({
+                return aki(FlowsApi).flowsInstancesDestroy({
                     slug: item.slug,
                 });
             }}
@@ -99,9 +100,7 @@ export class FlowListPage extends TablePage<Flow> {
                     aria-label=${msg(str`Execute "${item.name}"`)}
                     class="pf-c-button pf-m-plain"
                     @click=${() => {
-                        const finalURL = `${window.location.origin}/if/flow/${item.slug}/${AndNext(
-                            `${window.location.pathname}#${window.location.hash}`,
-                        )}`;
+                        const finalURL = `${window.location.origin}/if/flow/${item.slug}/${AndNext(`${window.location.pathname}#${window.location.hash}`)}`;
                         window.open(finalURL, "_blank");
                     }}
                 >
@@ -160,7 +159,7 @@ export class FlowListPage extends TablePage<Flow> {
                 errorMessage=${msg("Failed to delete flow cache")}
                 action=${msg("Clear Cache")}
                 .onConfirm=${() => {
-                    return new FlowsApi(DEFAULT_CONFIG).flowsInstancesCacheClearCreate();
+                    return aki(FlowsApi).flowsInstancesCacheClearCreate();
                 }}
             >
                 <span slot="header">${msg("Clear Flow cache")}</span>
diff --git a/web/src/admin/flows/FlowViewPage.ts b/web/src/admin/flows/FlowViewPage.ts
index 1d3bd92cab..9c7dfa644b 100644
--- a/web/src/admin/flows/FlowViewPage.ts
+++ b/web/src/admin/flows/FlowViewPage.ts
@@ -6,7 +6,8 @@ import "#admin/events/ObjectChangelog";
 import "#elements/Tabs";
 import "#elements/buttons/SpinnerButton/ak-spinner-button";
 
-import { AndNext, DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
+import { AndNext } from "#common/api/config";
 import { isResponseErrorLike } from "#common/errors/network";
 
 import { AKElement } from "#elements/Base";
@@ -58,9 +59,11 @@ export class FlowViewPage extends AKElement {
     ];
 
     fetchFlow(slug: string) {
-        new FlowsApi(DEFAULT_CONFIG).flowsInstancesRetrieve({ slug }).then((flow) => {
-            this.flow = flow;
-        });
+        aki(FlowsApi)
+            .flowsInstancesRetrieve({ slug })
+            .then((flow) => {
+                this.flow = flow;
+            });
     }
 
     willUpdate(changedProperties: PropertyValues<this>) {
@@ -121,11 +124,7 @@ export class FlowViewPage extends AKElement {
                                                 )}
                                                 class="pf-c-button pf-m-block pf-m-primary"
                                                 @click=${() => {
-                                                    const finalURL = `${
-                                                        window.location.origin
-                                                    }/if/flow/${this.flow.slug}/${AndNext(
-                                                        `${window.location.pathname}#${window.location.hash}`,
-                                                    )}`;
+                                                    const finalURL = `${window.location.origin}/if/flow/${this.flow.slug}/${AndNext(`${window.location.pathname}#${window.location.hash}`)}`;
                                                     window.open(finalURL, "_blank");
                                                 }}
                                             >
@@ -137,14 +136,12 @@ export class FlowViewPage extends AKElement {
                                                 )}
                                                 class="pf-c-button pf-m-block pf-m-secondary"
                                                 @click=${() => {
-                                                    new FlowsApi(DEFAULT_CONFIG)
+                                                    aki(FlowsApi)
                                                         .flowsInstancesExecuteRetrieve({
                                                             slug: this.flow.slug,
                                                         })
                                                         .then((link) => {
-                                                            const finalURL = `${link.link}${AndNext(
-                                                                `${window.location.pathname}#${window.location.hash}`,
-                                                            )}`;
+                                                            const finalURL = `${link.link}${AndNext(`${window.location.pathname}#${window.location.hash}`)}`;
                                                             window.open(finalURL, "_blank");
                                                         });
                                                 }}
@@ -157,14 +154,12 @@ export class FlowViewPage extends AKElement {
                                                 )}
                                                 class="pf-c-button pf-m-block pf-m-secondary"
                                                 @click=${() => {
-                                                    new FlowsApi(DEFAULT_CONFIG)
+                                                    aki(FlowsApi)
                                                         .flowsInstancesExecuteRetrieve({
                                                             slug: this.flow.slug,
                                                         })
                                                         .then((link) => {
-                                                            const finalURL = `${link.link}?${encodeURI(
-                                                                `inspector=open&next=/#${window.location.hash}`,
-                                                            )}`;
+                                                            const finalURL = `${link.link}?${encodeURI(`inspector=open&next=/#${window.location.hash}`)}`;
                                                             window.open(finalURL, "_blank");
                                                         })
                                                         .catch(async (error: unknown) => {
diff --git a/web/src/admin/flows/StageBindingForm.ts b/web/src/admin/flows/StageBindingForm.ts
index cbe25a7f73..0a507ce9de 100644
--- a/web/src/admin/flows/StageBindingForm.ts
+++ b/web/src/admin/flows/StageBindingForm.ts
@@ -4,7 +4,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { groupBy } from "#common/utils";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -60,7 +60,7 @@ export class StageBindingForm extends ModelForm<FlowStageBinding, string> {
     }
 
     async loadInstance(pk: string): Promise<FlowStageBinding> {
-        const binding = await new FlowsApi(DEFAULT_CONFIG).flowsBindingsRetrieve({
+        const binding = await aki(FlowsApi).flowsBindingsRetrieve({
             fsbUuid: pk,
         });
         return binding;
@@ -87,7 +87,7 @@ export class StageBindingForm extends ModelForm<FlowStageBinding, string> {
 
     send(data: FlowStageBinding): Promise<unknown> {
         if (this.instance?.pk) {
-            return new FlowsApi(DEFAULT_CONFIG).flowsBindingsPartialUpdate({
+            return aki(FlowsApi).flowsBindingsPartialUpdate({
                 fsbUuid: this.instance.pk,
                 patchedFlowStageBindingRequest: data,
             });
@@ -95,7 +95,7 @@ export class StageBindingForm extends ModelForm<FlowStageBinding, string> {
         if (this.targetPk) {
             data.target = this.targetPk;
         }
-        return new FlowsApi(DEFAULT_CONFIG).flowsBindingsCreate({
+        return aki(FlowsApi).flowsBindingsCreate({
             flowStageBindingRequest: data,
         });
     }
@@ -104,7 +104,7 @@ export class StageBindingForm extends ModelForm<FlowStageBinding, string> {
         if (this.instance?.pk) {
             return this.instance.order;
         }
-        const bindings = await new FlowsApi(DEFAULT_CONFIG).flowsBindingsList({
+        const bindings = await aki(FlowsApi).flowsBindingsList({
             target: this.targetPk || "",
         });
         const orders = bindings.results.map((binding) => binding.order);
@@ -139,7 +139,7 @@ export class StageBindingForm extends ModelForm<FlowStageBinding, string> {
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const stages = await new StagesApi(DEFAULT_CONFIG).stagesAllList(args);
+                        const stages = await aki(StagesApi).stagesAllList(args);
                         return stages.results;
                     }}
                     .groupBy=${(items: Stage[]) => {
diff --git a/web/src/admin/groups/GroupListPage.ts b/web/src/admin/groups/GroupListPage.ts
index 3baee8ec8c..fe2d7ce150 100644
--- a/web/src/admin/groups/GroupListPage.ts
+++ b/web/src/admin/groups/GroupListPage.ts
@@ -5,7 +5,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButton, ModalInvokerButton } from "#elements/dialogs";
 import { PaginatedResponse, TableColumn } from "#elements/table/Table";
@@ -40,7 +40,7 @@ export class GroupListPage extends TablePage<Group> {
     public order = "name";
 
     protected async apiEndpoint(): Promise<PaginatedResponse<Group>> {
-        return new CoreApi(DEFAULT_CONFIG).coreGroupsList({
+        return aki(CoreApi).coreGroupsList({
             ...(await this.defaultEndpointConfig()),
             includeUsers: false,
         });
@@ -59,12 +59,12 @@ export class GroupListPage extends TablePage<Group> {
             object-label=${msg("Group(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: Group) => {
-                return new CoreApi(DEFAULT_CONFIG).coreGroupsUsedByList({
+                return aki(CoreApi).coreGroupsUsedByList({
                     groupUuid: item.pk,
                 });
             }}
             .delete=${(item: Group) => {
-                return new CoreApi(DEFAULT_CONFIG).coreGroupsDestroy({
+                return aki(CoreApi).coreGroupsDestroy({
                     groupUuid: item.pk,
                 });
             }}
diff --git a/web/src/admin/groups/GroupViewPage.ts b/web/src/admin/groups/GroupViewPage.ts
index 94e26d1550..966592c991 100644
--- a/web/src/admin/groups/GroupViewPage.ts
+++ b/web/src/admin/groups/GroupViewPage.ts
@@ -11,7 +11,7 @@ import "#elements/buttons/ActionButton/index";
 import "#elements/buttons/SpinnerButton/index";
 import "#elements/ak-mdx/ak-mdx";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -44,7 +44,7 @@ import PFSizing from "@patternfly/patternfly/utilities/Sizing/sizing.css";
 export class GroupViewPage extends WithLicenseSummary(AKElement) {
     @property({ type: String })
     set groupId(id: string) {
-        new CoreApi(DEFAULT_CONFIG)
+        aki(CoreApi)
             .coreGroupsRetrieve({
                 groupUuid: id,
                 includeUsers: false,
diff --git a/web/src/admin/groups/RelatedGroupList.ts b/web/src/admin/groups/RelatedGroupList.ts
index f773d78ded..f4f65446a8 100644
--- a/web/src/admin/groups/RelatedGroupList.ts
+++ b/web/src/admin/groups/RelatedGroupList.ts
@@ -5,7 +5,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/HorizontalFormElement";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { modalInvoker, renderModal } from "#elements/dialogs";
 import { AKFormSubmitEvent, Form } from "#elements/forms/Form";
@@ -40,7 +40,7 @@ export class RelatedGroupAdd extends Form<{ groups: string[] }> {
     protected async send(data: { groups: string[] }): Promise<unknown> {
         await Promise.all(
             data.groups.map((group) => {
-                return new CoreApi(DEFAULT_CONFIG).coreGroupsAddUserCreate({
+                return aki(CoreApi).coreGroupsAddUserCreate({
                     groupUuid: group,
                     userAccountRequest: {
                         pk: this.user?.pk || 0,
@@ -115,7 +115,7 @@ export class RelatedGroupList extends Table<Group> {
     targetUser?: User;
 
     async apiEndpoint(): Promise<PaginatedResponse<Group>> {
-        return new CoreApi(DEFAULT_CONFIG).coreGroupsList({
+        return aki(CoreApi).coreGroupsList({
             ...(await this.defaultEndpointConfig()),
             membersByPk: this.targetUser ? [this.targetUser.pk] : [],
             includeUsers: false,
@@ -140,7 +140,7 @@ export class RelatedGroupList extends Table<Group> {
             .objects=${this.selectedElements}
             .delete=${(item: Group) => {
                 if (!this.targetUser) return;
-                return new CoreApi(DEFAULT_CONFIG).coreGroupsRemoveUserCreate({
+                return aki(CoreApi).coreGroupsRemoveUserCreate({
                     groupUuid: item.pk,
                     userAccountRequest: {
                         pk: this.targetUser?.pk || 0,
diff --git a/web/src/admin/groups/RelatedUserList.ts b/web/src/admin/groups/RelatedUserList.ts
index 9a71ce90cc..61c3e70cb3 100644
--- a/web/src/admin/groups/RelatedUserList.ts
+++ b/web/src/admin/groups/RelatedUserList.ts
@@ -13,7 +13,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { formatDisambiguatedUserDisplayName } from "#common/users";
 
 import { IconEditButton, renderModal } from "#elements/dialogs";
@@ -71,14 +71,14 @@ export class AddRelatedUserForm extends Form<{ users: number[] }> {
         await Promise.all(
             data.users.map((userPk) => {
                 if (this.targetGroup) {
-                    return new CoreApi(DEFAULT_CONFIG).coreGroupsAddUserCreate({
+                    return aki(CoreApi).coreGroupsAddUserCreate({
                         groupUuid: this.targetGroup.pk,
                         userAccountRequest: {
                             pk: userPk,
                         },
                     });
                 } else if (this.targetRole) {
-                    return new RbacApi(DEFAULT_CONFIG).rbacRolesAddUserCreate({
+                    return aki(RbacApi).rbacRolesAddUserCreate({
                         uuid: this.targetRole.pk,
                         // TODO: Rename this.
                         userAccountSerializerForRoleRequest: {
@@ -198,7 +198,7 @@ export class RelatedUserList extends WithBrandConfig(WithCapabilitiesConfig(Tabl
     }
 
     protected async apiEndpoint(): Promise<PaginatedResponse<User>> {
-        const users = await new CoreApi(DEFAULT_CONFIG).coreUsersList({
+        const users = await aki(CoreApi).coreUsersList({
             ...(await this.defaultEndpointConfig()),
             ...(this.targetGroup && { groupsByPk: [this.targetGroup.pk] }),
             ...(this.targetRole && { rolesByPk: [this.targetRole.pk] }),
@@ -244,7 +244,7 @@ export class RelatedUserList extends WithBrandConfig(WithCapabilitiesConfig(Tabl
             }}
             .delete=${(item: User) => {
                 if (this.targetGroup) {
-                    return new CoreApi(DEFAULT_CONFIG).coreGroupsRemoveUserCreate({
+                    return aki(CoreApi).coreGroupsRemoveUserCreate({
                         groupUuid: this.targetGroup.pk,
                         userAccountRequest: {
                             pk: item.pk,
@@ -252,7 +252,7 @@ export class RelatedUserList extends WithBrandConfig(WithCapabilitiesConfig(Tabl
                     });
                 }
                 if (this.targetRole) {
-                    return new RbacApi(DEFAULT_CONFIG).rbacRolesRemoveUserCreate({
+                    return aki(RbacApi).rbacRolesRemoveUserCreate({
                         uuid: this.targetRole.pk,
                         userAccountSerializerForRoleRequest: {
                             pk: item.pk,
diff --git a/web/src/admin/groups/ak-group-form.ts b/web/src/admin/groups/ak-group-form.ts
index dc2dda4798..f499bc0085 100644
--- a/web/src/admin/groups/ak-group-form.ts
+++ b/web/src/admin/groups/ak-group-form.ts
@@ -8,7 +8,7 @@ import "#elements/forms/SearchSelect/index";
 import "#components/ak-text-input";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DataProvision, DualSelectPair } from "#elements/ak-dual-select/types";
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -47,7 +47,7 @@ export class GroupForm extends ModelForm<Group, string> {
     public static verboseNamePlural = msg("Groups");
 
     #fetchGroups = (page: number, search?: string): Promise<DataProvision> => {
-        return new CoreApi(DEFAULT_CONFIG)
+        return aki(CoreApi)
             .coreGroupsList({
                 page: page,
                 search: search,
@@ -60,7 +60,7 @@ export class GroupForm extends ModelForm<Group, string> {
             });
     };
     #fetchRoles = (page: number, search?: string): Promise<DataProvision> => {
-        return new RbacApi(DEFAULT_CONFIG)
+        return aki(RbacApi)
             .rbacRolesList({
                 page: page,
                 search: search,
@@ -74,7 +74,7 @@ export class GroupForm extends ModelForm<Group, string> {
     };
 
     loadInstance(pk: string): Promise<Group> {
-        return new CoreApi(DEFAULT_CONFIG).coreGroupsRetrieve({
+        return aki(CoreApi).coreGroupsRetrieve({
             groupUuid: pk,
             includeUsers: false,
             includeParents: true,
@@ -90,13 +90,13 @@ export class GroupForm extends ModelForm<Group, string> {
     async send(data: Group): Promise<Group> {
         data.attributes ??= {};
         if (this.instance?.pk) {
-            return new CoreApi(DEFAULT_CONFIG).coreGroupsPartialUpdate({
+            return aki(CoreApi).coreGroupsPartialUpdate({
                 groupUuid: this.instance.pk,
                 patchedGroupRequest: data,
             });
         }
         data.users = [];
-        return new CoreApi(DEFAULT_CONFIG).coreGroupsCreate({
+        return aki(CoreApi).coreGroupsCreate({
             groupRequest: data,
         });
     }
diff --git a/web/src/admin/groups/ak-group-member-table.ts b/web/src/admin/groups/ak-group-member-table.ts
index c665f18949..03ec7cf83f 100644
--- a/web/src/admin/groups/ak-group-member-table.ts
+++ b/web/src/admin/groups/ak-group-member-table.ts
@@ -1,7 +1,7 @@
 import "#components/ak-status-label";
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn, Timestamp } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -57,7 +57,7 @@ export class GroupMemberSelectTable extends Table<User> {
             .with("active", () => ({ isActive: true }))
             .exhaustive();
 
-        return new CoreApi(DEFAULT_CONFIG).coreUsersList({
+        return aki(CoreApi).coreUsersList({
             ...(await this.defaultEndpointConfig()),
             ...userListRequestFilter,
             includeGroups: false,
diff --git a/web/src/admin/lifecycle/LifecycleRuleForm.ts b/web/src/admin/lifecycle/LifecycleRuleForm.ts
index ef97f191d7..1dafed159f 100644
--- a/web/src/admin/lifecycle/LifecycleRuleForm.ts
+++ b/web/src/admin/lifecycle/LifecycleRuleForm.ts
@@ -9,7 +9,7 @@ import "#components/ak-radio-input";
 import "#components/ak-number-input";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DataProvision, DualSelectPair } from "#elements/ak-dual-select/types";
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -91,9 +91,9 @@ export class LifecycleRuleForm extends ModelForm<LifecycleRule, string, Lifecycl
     #reviewerGroupsSelectRef = createRef<SearchSelect<Group>>();
     #reviewerUsersSelectRef = createRef<SearchSelect<Group>>();
 
-    #coreApi = new CoreApi(DEFAULT_CONFIG);
-    #lifecycleApi = new LifecycleApi(DEFAULT_CONFIG);
-    #rbacApi = new RbacApi(DEFAULT_CONFIG);
+    #coreApi = aki(CoreApi);
+    #lifecycleApi = aki(LifecycleApi);
+    #rbacApi = aki(RbacApi);
 
     @state()
     protected selectedContentType: ContentTypeEnum = ContentTypeEnum.AuthentikCoreApplication;
diff --git a/web/src/admin/lifecycle/LifecycleRuleListPage.ts b/web/src/admin/lifecycle/LifecycleRuleListPage.ts
index 5ea99420f0..704b29b5f2 100644
--- a/web/src/admin/lifecycle/LifecycleRuleListPage.ts
+++ b/web/src/admin/lifecycle/LifecycleRuleListPage.ts
@@ -9,7 +9,7 @@ import "#elements/forms/ModalForm";
 import "#elements/tasks/TaskList";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButton, ModalInvokerButton } from "#elements/dialogs";
 import { PaginatedResponse, TableColumn } from "#elements/table/Table";
@@ -38,9 +38,7 @@ export class LifecycleRuleListPage extends TablePage<LifecycleRule> {
     protected override searchEnabled = true;
 
     protected async apiEndpoint(): Promise<PaginatedResponse<LifecycleRule>> {
-        return new LifecycleApi(DEFAULT_CONFIG).lifecycleRulesList(
-            await this.defaultEndpointConfig(),
-        );
+        return aki(LifecycleApi).lifecycleRulesList(await this.defaultEndpointConfig());
     }
 
     protected override renderSectionBefore(): SlottedTemplateResult {
@@ -62,7 +60,7 @@ export class LifecycleRuleListPage extends TablePage<LifecycleRule> {
             .objects=${this.selectedElements}
             .delete=${(item: LifecycleRule) => {
                 if (item.id)
-                    return new LifecycleApi(DEFAULT_CONFIG).lifecycleRulesDestroy({
+                    return aki(LifecycleApi).lifecycleRulesDestroy({
                         id: item.id,
                     });
             }}
diff --git a/web/src/admin/lifecycle/ObjectLifecyclePage.ts b/web/src/admin/lifecycle/ObjectLifecyclePage.ts
index 0faa010a19..8fbf659a0f 100644
--- a/web/src/admin/lifecycle/ObjectLifecyclePage.ts
+++ b/web/src/admin/lifecycle/ObjectLifecyclePage.ts
@@ -1,7 +1,7 @@
 import "#admin/lifecycle/LifecyclePreviewBanner";
 import "#admin/lifecycle/ObjectReviewIteration";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 import { isResponseErrorLike } from "#common/errors/network";
 
@@ -66,7 +66,7 @@ export class ObjectLifecyclePage extends WithLicenseSummary(WithSession(AKElemen
         if (!this.model || !this.objectPk) {
             return Promise.resolve();
         }
-        return new LifecycleApi(DEFAULT_CONFIG)
+        return aki(LifecycleApi)
             .lifecycleIterationsListLatest({
                 contentType: this.model,
                 objectId: String(this.objectPk),
diff --git a/web/src/admin/lifecycle/ObjectReviewForm.ts b/web/src/admin/lifecycle/ObjectReviewForm.ts
index 6f135224f4..d60fcea827 100644
--- a/web/src/admin/lifecycle/ObjectReviewForm.ts
+++ b/web/src/admin/lifecycle/ObjectReviewForm.ts
@@ -1,7 +1,7 @@
 import "#components/ak-textarea-input";
 import "#elements/forms/ModalForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 
@@ -26,7 +26,7 @@ export class ObjectReviewForm extends ModelForm<Review, string, Review | null> {
     }
 
     protected send(data: Review): Promise<unknown> {
-        return new LifecycleApi(DEFAULT_CONFIG).lifecycleReviewsCreate({
+        return aki(LifecycleApi).lifecycleReviewsCreate({
             reviewRequest: data,
         });
     }
diff --git a/web/src/admin/lifecycle/ReviewListPage.ts b/web/src/admin/lifecycle/ReviewListPage.ts
index 2666dcb577..ec63dc7f04 100644
--- a/web/src/admin/lifecycle/ReviewListPage.ts
+++ b/web/src/admin/lifecycle/ReviewListPage.ts
@@ -9,7 +9,7 @@ import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 import "#admin/lifecycle/LifecyclePreviewBanner";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, TableColumn } from "#elements/table/Table";
 import { TablePage } from "#elements/table/TablePage";
@@ -41,7 +41,7 @@ export class ReviewListPage extends TablePage<LifecycleIteration> {
     showOnlyMine = false;
 
     async apiEndpoint(): Promise<PaginatedResponse<LifecycleIteration>> {
-        return new LifecycleApi(DEFAULT_CONFIG).lifecycleIterationsListOpen({
+        return aki(LifecycleApi).lifecycleIterationsListOpen({
             ...(await this.defaultEndpointConfig()),
             userIsReviewer: this.showOnlyMine || undefined,
         });
diff --git a/web/src/admin/outposts/OutpostForm.ts b/web/src/admin/outposts/OutpostForm.ts
index 1b29ed9376..8f41e18259 100644
--- a/web/src/admin/outposts/OutpostForm.ts
+++ b/web/src/admin/outposts/OutpostForm.ts
@@ -5,7 +5,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 import "#components/ak-text-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { docLink } from "#common/global";
 import { groupBy } from "#common/utils";
 
@@ -40,7 +40,7 @@ interface ProviderBase {
     assignedApplicationName?: string | null;
 }
 
-const api = () => new ProvidersApi(DEFAULT_CONFIG);
+const api = () => aki(ProvidersApi);
 const providerListArgs = (page: number, search = "") => ({
     ordering: "name",
     applicationIsnull: false,
@@ -117,7 +117,7 @@ export class OutpostForm extends ModelForm<Outpost, string> {
     }
 
     async loadInstance(pk: string): Promise<Outpost> {
-        const o = await new OutpostsApi(DEFAULT_CONFIG).outpostsInstancesRetrieve({
+        const o = await aki(OutpostsApi).outpostsInstancesRetrieve({
             uuid: pk,
         });
         this.type = o.type || OutpostTypeEnum.Proxy;
@@ -126,9 +126,7 @@ export class OutpostForm extends ModelForm<Outpost, string> {
     }
 
     async load(): Promise<void> {
-        this.defaultConfig = await new OutpostsApi(
-            DEFAULT_CONFIG,
-        ).outpostsInstancesDefaultSettingsRetrieve();
+        this.defaultConfig = await aki(OutpostsApi).outpostsInstancesDefaultSettingsRetrieve();
         this.providers = providerProvider(this.type);
     }
 
@@ -140,12 +138,12 @@ export class OutpostForm extends ModelForm<Outpost, string> {
 
     async send(data: Outpost): Promise<Outpost> {
         if (this.instance) {
-            return new OutpostsApi(DEFAULT_CONFIG).outpostsInstancesUpdate({
+            return aki(OutpostsApi).outpostsInstancesUpdate({
                 uuid: this.instance.pk || "",
                 outpostRequest: data,
             });
         }
-        return new OutpostsApi(DEFAULT_CONFIG).outpostsInstancesCreate({
+        return aki(OutpostsApi).outpostsInstancesCreate({
             outpostRequest: data,
         });
     }
@@ -210,9 +208,8 @@ export class OutpostForm extends ModelForm<Outpost, string> {
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const items = await new OutpostsApi(
-                            DEFAULT_CONFIG,
-                        ).outpostsServiceConnectionsAllList(args);
+                        const items =
+                            await aki(OutpostsApi).outpostsServiceConnectionsAllList(args);
                         return items.results;
                     }}
                     .renderElement=${(item: ServiceConnection): string => {
diff --git a/web/src/admin/outposts/OutpostHealthSimple.ts b/web/src/admin/outposts/OutpostHealthSimple.ts
index 1e54014a1a..c8511b435f 100644
--- a/web/src/admin/outposts/OutpostHealthSimple.ts
+++ b/web/src/admin/outposts/OutpostHealthSimple.ts
@@ -1,6 +1,6 @@
 import "#elements/Spinner";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 import { formatElapsedTime } from "#common/temporal";
 
@@ -37,7 +37,7 @@ export class OutpostHealthSimpleElement extends AKElement {
 
     firstUpdated(): void {
         if (!this.outpostId) return;
-        new OutpostsApi(DEFAULT_CONFIG)
+        aki(OutpostsApi)
             .outpostsInstancesHealthList({
                 uuid: this.outpostId,
             })
diff --git a/web/src/admin/outposts/OutpostListPage.ts b/web/src/admin/outposts/OutpostListPage.ts
index 39d4961949..5fe1351c8e 100644
--- a/web/src/admin/outposts/OutpostListPage.ts
+++ b/web/src/admin/outposts/OutpostListPage.ts
@@ -5,7 +5,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButton } from "#elements/dialogs";
 import { PFColor } from "#elements/Label";
@@ -38,12 +38,12 @@ export class OutpostListPage extends TablePage<Outpost> {
     public override pageIcon = "pf-icon pf-icon-zone";
 
     protected async apiEndpoint(): Promise<PaginatedResponse<Outpost>> {
-        const outposts = await new OutpostsApi(DEFAULT_CONFIG).outpostsInstancesList(
+        const outposts = await aki(OutpostsApi).outpostsInstancesList(
             await this.defaultEndpointConfig(),
         );
         await Promise.all(
             outposts.results.map((outpost) => {
-                return new OutpostsApi(DEFAULT_CONFIG)
+                return aki(OutpostsApi)
                     .outpostsInstancesHealthList({
                         uuid: outpost.pk,
                     })
@@ -121,12 +121,12 @@ export class OutpostListPage extends TablePage<Outpost> {
             object-label=${msg("Outpost(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: Outpost) => {
-                return new OutpostsApi(DEFAULT_CONFIG).outpostsInstancesUsedByList({
+                return aki(OutpostsApi).outpostsInstancesUsedByList({
                     uuid: item.pk,
                 });
             }}
             .delete=${(item: Outpost) => {
-                return new OutpostsApi(DEFAULT_CONFIG).outpostsInstancesDestroy({
+                return aki(OutpostsApi).outpostsInstancesDestroy({
                     uuid: item.pk,
                 });
             }}
diff --git a/web/src/admin/outposts/OutpostViewPage.ts b/web/src/admin/outposts/OutpostViewPage.ts
index 5007b369af..5af44089a0 100644
--- a/web/src/admin/outposts/OutpostViewPage.ts
+++ b/web/src/admin/outposts/OutpostViewPage.ts
@@ -8,7 +8,7 @@ import "#admin/outposts/OutpostHealthList";
 import "#admin/outposts/OutpostProviderList";
 import "#elements/buttons/TokenCopyButton/ak-token-copy-button";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { docLink } from "#common/global";
 
 import { AKElement } from "#elements/Base";
@@ -53,7 +53,7 @@ export class OutpostViewPage extends AKElement {
         PFProgress,
     ];
 
-    #api = new OutpostsApi(DEFAULT_CONFIG);
+    #api = aki(OutpostsApi);
 
     @property({ type: String, attribute: "outpost-id" })
     set outpostID(id: string) {
diff --git a/web/src/admin/outposts/ServiceConnectionDockerForm.ts b/web/src/admin/outposts/ServiceConnectionDockerForm.ts
index 5a3656a436..ffaa42e972 100644
--- a/web/src/admin/outposts/ServiceConnectionDockerForm.ts
+++ b/web/src/admin/outposts/ServiceConnectionDockerForm.ts
@@ -3,7 +3,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 
@@ -17,7 +17,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-service-connection-docker-form")
 export class ServiceConnectionDockerForm extends ModelForm<DockerServiceConnection, string> {
     loadInstance(pk: string): Promise<DockerServiceConnection> {
-        return new OutpostsApi(DEFAULT_CONFIG).outpostsServiceConnectionsDockerRetrieve({
+        return aki(OutpostsApi).outpostsServiceConnectionsDockerRetrieve({
             uuid: pk,
         });
     }
@@ -30,12 +30,12 @@ export class ServiceConnectionDockerForm extends ModelForm<DockerServiceConnecti
 
     async send(data: DockerServiceConnection): Promise<DockerServiceConnection> {
         if (this.instance) {
-            return new OutpostsApi(DEFAULT_CONFIG).outpostsServiceConnectionsDockerUpdate({
+            return aki(OutpostsApi).outpostsServiceConnectionsDockerUpdate({
                 uuid: this.instance.pk || "",
                 dockerServiceConnectionRequest: data,
             });
         }
-        return new OutpostsApi(DEFAULT_CONFIG).outpostsServiceConnectionsDockerCreate({
+        return aki(OutpostsApi).outpostsServiceConnectionsDockerCreate({
             dockerServiceConnectionRequest: data,
         });
     }
diff --git a/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts b/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts
index e2b3ed6b61..a9bdb49946 100644
--- a/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts
+++ b/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts
@@ -2,7 +2,7 @@ import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 
@@ -21,7 +21,7 @@ export class ServiceConnectionKubernetesForm extends ModelForm<
     string
 > {
     loadInstance(pk: string): Promise<KubernetesServiceConnection> {
-        return new OutpostsApi(DEFAULT_CONFIG).outpostsServiceConnectionsKubernetesRetrieve({
+        return aki(OutpostsApi).outpostsServiceConnectionsKubernetesRetrieve({
             uuid: pk,
         });
     }
@@ -34,12 +34,12 @@ export class ServiceConnectionKubernetesForm extends ModelForm<
 
     async send(data: KubernetesServiceConnection): Promise<KubernetesServiceConnection> {
         if (this.instance) {
-            return new OutpostsApi(DEFAULT_CONFIG).outpostsServiceConnectionsKubernetesUpdate({
+            return aki(OutpostsApi).outpostsServiceConnectionsKubernetesUpdate({
                 uuid: this.instance.pk || "",
                 kubernetesServiceConnectionRequest: data,
             });
         }
-        return new OutpostsApi(DEFAULT_CONFIG).outpostsServiceConnectionsKubernetesCreate({
+        return aki(OutpostsApi).outpostsServiceConnectionsKubernetesCreate({
             kubernetesServiceConnectionRequest: data,
         });
     }
diff --git a/web/src/admin/outposts/ServiceConnectionListPage.ts b/web/src/admin/outposts/ServiceConnectionListPage.ts
index aab3647c32..6137333f6a 100644
--- a/web/src/admin/outposts/ServiceConnectionListPage.ts
+++ b/web/src/admin/outposts/ServiceConnectionListPage.ts
@@ -10,7 +10,7 @@ import "#elements/tasks/ScheduleList";
 import "#elements/tasks/TaskList";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButtonByTagName } from "#elements/dialogs";
 import { IconPermissionButton } from "#elements/dialogs/components/IconPermissionButton";
@@ -51,12 +51,12 @@ export class OutpostServiceConnectionListPage extends TablePage<ServiceConnectio
     );
 
     async apiEndpoint(): Promise<PaginatedResponse<ServiceConnection>> {
-        const connections = await new OutpostsApi(DEFAULT_CONFIG).outpostsServiceConnectionsAllList(
+        const connections = await aki(OutpostsApi).outpostsServiceConnectionsAllList(
             await this.defaultEndpointConfig(),
         );
         await Promise.all(
             connections.results.map((connection) => {
-                return new OutpostsApi(DEFAULT_CONFIG)
+                return aki(OutpostsApi)
                     .outpostsServiceConnectionsAllStateRetrieve({
                         uuid: connection.pk,
                     })
@@ -143,12 +143,12 @@ export class OutpostServiceConnectionListPage extends TablePage<ServiceConnectio
             object-label=${msg("Outpost integration(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: ServiceConnection) => {
-                return new OutpostsApi(DEFAULT_CONFIG).outpostsServiceConnectionsAllUsedByList({
+                return aki(OutpostsApi).outpostsServiceConnectionsAllUsedByList({
                     uuid: item.pk,
                 });
             }}
             .delete=${(item: ServiceConnection) => {
-                return new OutpostsApi(DEFAULT_CONFIG).outpostsServiceConnectionsAllDestroy({
+                return aki(OutpostsApi).outpostsServiceConnectionsAllDestroy({
                     uuid: item.pk,
                 });
             }}
diff --git a/web/src/admin/outposts/ak-service-connection-wizard.ts b/web/src/admin/outposts/ak-service-connection-wizard.ts
index c955f33a06..81352d4ee7 100644
--- a/web/src/admin/outposts/ak-service-connection-wizard.ts
+++ b/web/src/admin/outposts/ak-service-connection-wizard.ts
@@ -4,7 +4,7 @@ import "#elements/wizard/FormWizardPage";
 import "#elements/wizard/TypeCreateWizardPage";
 import "#elements/wizard/Wizard";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { CreateWizard } from "#elements/wizard/CreateWizard";
 
@@ -18,7 +18,7 @@ export class AKServiceConnectionWizard extends CreateWizard {
     public static override verboseName = msg("Outpost Integration");
     public static override verboseNamePlural = msg("Outpost Integrations");
 
-    #api = new OutpostsApi(DEFAULT_CONFIG);
+    #api = aki(OutpostsApi);
 
     protected apiEndpoint = (): Promise<TypeCreate[]> => {
         return this.#api.outpostsServiceConnectionsAllTypesList();
diff --git a/web/src/admin/policies/BoundPoliciesList.ts b/web/src/admin/policies/BoundPoliciesList.ts
index 9c3f1d7a26..51e4fe999f 100644
--- a/web/src/admin/policies/BoundPoliciesList.ts
+++ b/web/src/admin/policies/BoundPoliciesList.ts
@@ -8,7 +8,7 @@ import "#elements/Tabs";
 import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PolicyBindingCheckTarget, PolicyBindingCheckTargetToLabel } from "#common/policies/utils";
 
 import { asInstanceInvokerByTagName, modalInvoker } from "#elements/dialogs";
@@ -69,7 +69,7 @@ export class BoundPoliciesList<T extends PolicyBinding = PolicyBinding> extends
     }
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<T>> {
-        return new PoliciesApi(DEFAULT_CONFIG).policiesBindingsList({
+        return aki(PoliciesApi).policiesBindingsList({
             ...(await this.defaultEndpointConfig()),
             target: this.target || "",
         }) as Promise<PaginatedResponse<T>>;
@@ -158,12 +158,12 @@ export class BoundPoliciesList<T extends PolicyBinding = PolicyBinding> extends
                     ];
                 }}
                 .usedBy=${(item: PolicyBinding) => {
-                    return new PoliciesApi(DEFAULT_CONFIG).policiesBindingsUsedByList({
+                    return aki(PoliciesApi).policiesBindingsUsedByList({
                         policyBindingUuid: item.pk,
                     });
                 }}
                 .delete=${(item: PolicyBinding) => {
-                    return new PoliciesApi(DEFAULT_CONFIG).policiesBindingsDestroy({
+                    return aki(PoliciesApi).policiesBindingsDestroy({
                         policyBindingUuid: item.pk,
                     });
                 }}
diff --git a/web/src/admin/policies/PolicyBindingForm.ts b/web/src/admin/policies/PolicyBindingForm.ts
index 941ae7d101..7c4b231b6c 100644
--- a/web/src/admin/policies/PolicyBindingForm.ts
+++ b/web/src/admin/policies/PolicyBindingForm.ts
@@ -4,7 +4,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import {
     createPassFailOptions,
     PolicyBindingCheckTarget,
@@ -44,7 +44,7 @@ export class PolicyBindingForm<T extends PolicyBinding = PolicyBinding> extends
     public static verboseNamePlural = msg("Policy Bindings");
 
     async loadInstance(pk: string): Promise<T> {
-        const binding = await new PoliciesApi(DEFAULT_CONFIG).policiesBindingsRetrieve({
+        const binding = await aki(PoliciesApi).policiesBindingsRetrieve({
             policyBindingUuid: pk,
         });
         if (binding?.policyObj) {
@@ -119,12 +119,12 @@ export class PolicyBindingForm<T extends PolicyBinding = PolicyBinding> extends
         }
 
         if (this.instance?.pk) {
-            return new PoliciesApi(DEFAULT_CONFIG).policiesBindingsUpdate({
+            return aki(PoliciesApi).policiesBindingsUpdate({
                 policyBindingUuid: this.instance.pk,
                 policyBindingRequest: data,
             });
         }
-        return new PoliciesApi(DEFAULT_CONFIG).policiesBindingsCreate({
+        return aki(PoliciesApi).policiesBindingsCreate({
             policyBindingRequest: data,
         });
     }
@@ -133,7 +133,7 @@ export class PolicyBindingForm<T extends PolicyBinding = PolicyBinding> extends
         if (this.instance?.pk) {
             return this.instance.order;
         }
-        const bindings = await new PoliciesApi(DEFAULT_CONFIG).policiesBindingsList({
+        const bindings = await aki(PoliciesApi).policiesBindingsList({
             target: this.targetPk || "",
         });
         const orders = bindings.results.map((binding) => binding.order);
@@ -178,9 +178,7 @@ export class PolicyBindingForm<T extends PolicyBinding = PolicyBinding> extends
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const policies = await new PoliciesApi(DEFAULT_CONFIG).policiesAllList(
-                            args,
-                        );
+                        const policies = await aki(PoliciesApi).policiesAllList(args);
                         return policies.results;
                     }}
                     .renderElement=${(policy: Policy) => policy.name}
@@ -209,7 +207,7 @@ export class PolicyBindingForm<T extends PolicyBinding = PolicyBinding> extends
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(args);
+                        const groups = await aki(CoreApi).coreGroupsList(args);
                         return groups.results;
                     }}
                     .renderElement=${(group: Group): string => {
@@ -239,7 +237,7 @@ export class PolicyBindingForm<T extends PolicyBinding = PolicyBinding> extends
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const users = await new CoreApi(DEFAULT_CONFIG).coreUsersList(args);
+                        const users = await aki(CoreApi).coreUsersList(args);
                         return users.results;
                     }}
                     .renderElement=${(user: User) => user.username}
diff --git a/web/src/admin/policies/PolicyListPage.ts b/web/src/admin/policies/PolicyListPage.ts
index 76b5348657..eb2d06aef7 100644
--- a/web/src/admin/policies/PolicyListPage.ts
+++ b/web/src/admin/policies/PolicyListPage.ts
@@ -13,7 +13,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButtonByTagName, modalInvoker } from "#elements/dialogs";
 import { IconPermissionButton } from "#elements/dialogs/components/IconPermissionButton";
@@ -48,7 +48,7 @@ export class PolicyListPage extends TablePage<Policy> {
     public override order = "name";
 
     async apiEndpoint(): Promise<PaginatedResponse<Policy>> {
-        return new PoliciesApi(DEFAULT_CONFIG).policiesAllList(await this.defaultEndpointConfig());
+        return aki(PoliciesApi).policiesAllList(await this.defaultEndpointConfig());
     }
 
     protected columns: TableColumn[] = [
@@ -100,12 +100,12 @@ export class PolicyListPage extends TablePage<Policy> {
             object-label=${msg("Policy / Policies")}
             .objects=${this.selectedElements}
             .usedBy=${(item: Policy) => {
-                return new PoliciesApi(DEFAULT_CONFIG).policiesAllUsedByList({
+                return aki(PoliciesApi).policiesAllUsedByList({
                     policyUuid: item.pk,
                 });
             }}
             .delete=${(item: Policy) => {
-                return new PoliciesApi(DEFAULT_CONFIG).policiesAllDestroy({
+                return aki(PoliciesApi).policiesAllDestroy({
                     policyUuid: item.pk,
                 });
             }}
@@ -136,7 +136,7 @@ export class PolicyListPage extends TablePage<Policy> {
                 errorMessage=${msg("Failed to delete policy cache")}
                 action=${msg("Clear Cache")}
                 .onConfirm=${() => {
-                    return new PoliciesApi(DEFAULT_CONFIG).policiesAllCacheClearCreate();
+                    return aki(PoliciesApi).policiesAllCacheClearCreate();
                 }}
             >
                 <span slot="header">${msg("Clear Policy cache")}</span>
diff --git a/web/src/admin/policies/PolicyTestForm.ts b/web/src/admin/policies/PolicyTestForm.ts
index 33f985051c..de3ec5e22c 100644
--- a/web/src/admin/policies/PolicyTestForm.ts
+++ b/web/src/admin/policies/PolicyTestForm.ts
@@ -4,7 +4,7 @@ import "#elements/events/LogViewer";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PFSize } from "#common/enums";
 
 import { Form } from "#elements/forms/Form";
@@ -50,7 +50,7 @@ export class PolicyTestForm extends Form<PolicyTestRequest> {
         `,
     ];
 
-    #api = new PoliciesApi(DEFAULT_CONFIG);
+    #api = aki(PoliciesApi);
 
     protected override formatSubmitLabel(submitLabel?: string | null): string {
         return submitLabel || msg("Run Test");
@@ -138,7 +138,7 @@ export class PolicyTestForm extends Form<PolicyTestRequest> {
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const users = await new CoreApi(DEFAULT_CONFIG).coreUsersList(args);
+                        const users = await aki(CoreApi).coreUsersList(args);
                         return users.results;
                     }}
                     .renderElement=${(user: User): string => {
diff --git a/web/src/admin/policies/ak-policy-wizard.ts b/web/src/admin/policies/ak-policy-wizard.ts
index a0aad51bd3..d3519731dc 100644
--- a/web/src/admin/policies/ak-policy-wizard.ts
+++ b/web/src/admin/policies/ak-policy-wizard.ts
@@ -12,7 +12,7 @@ import "#elements/wizard/Wizard";
 import "#elements/forms/FormGroup";
 import "#admin/policies/PolicyBindingForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PolicyBindingCheckTarget } from "#common/policies/utils";
 
 import { RadioChangeEventDetail, RadioOption } from "#elements/forms/Radio";
@@ -38,7 +38,7 @@ const initialStep = "initial";
 
 @customElement("ak-policy-wizard")
 export class PolicyWizard extends CreateWizard {
-    protected policiesAPI = new PoliciesApi(DEFAULT_CONFIG);
+    protected policiesAPI = aki(PoliciesApi);
 
     @property({ type: Boolean })
     public showBindingPage = false;
diff --git a/web/src/admin/policies/dummy/DummyPolicyForm.ts b/web/src/admin/policies/dummy/DummyPolicyForm.ts
index 45ef1ea85d..650169bd20 100644
--- a/web/src/admin/policies/dummy/DummyPolicyForm.ts
+++ b/web/src/admin/policies/dummy/DummyPolicyForm.ts
@@ -3,7 +3,7 @@ import "#components/ak-switch-input";
 import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePolicyForm } from "#admin/policies/BasePolicyForm";
 
@@ -17,19 +17,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-policy-dummy-form")
 export class DummyPolicyForm extends BasePolicyForm<DummyPolicy> {
     loadInstance(pk: string): Promise<DummyPolicy> {
-        return new PoliciesApi(DEFAULT_CONFIG).policiesDummyRetrieve({
+        return aki(PoliciesApi).policiesDummyRetrieve({
             policyUuid: pk,
         });
     }
 
     async send(data: DummyPolicy): Promise<DummyPolicy> {
         if (this.instance) {
-            return new PoliciesApi(DEFAULT_CONFIG).policiesDummyUpdate({
+            return aki(PoliciesApi).policiesDummyUpdate({
                 policyUuid: this.instance.pk || "",
                 dummyPolicyRequest: data,
             });
         }
-        return new PoliciesApi(DEFAULT_CONFIG).policiesDummyCreate({
+        return aki(PoliciesApi).policiesDummyCreate({
             dummyPolicyRequest: data,
         });
     }
diff --git a/web/src/admin/policies/event_matcher/EventMatcherPolicyForm.ts b/web/src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
index ea60ff3563..fe9cc31060 100644
--- a/web/src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
+++ b/web/src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
@@ -3,7 +3,7 @@ import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { docLink } from "#common/global";
 
 import { BasePolicyForm } from "#admin/policies/BasePolicyForm";
@@ -25,7 +25,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-policy-event-matcher-form")
 export class EventMatcherPolicyForm extends BasePolicyForm<EventMatcherPolicy> {
     override loadInstance(pk: string): Promise<EventMatcherPolicy> {
-        return new PoliciesApi(DEFAULT_CONFIG).policiesEventMatcherRetrieve({
+        return aki(PoliciesApi).policiesEventMatcherRetrieve({
             policyUuid: pk,
         });
     }
@@ -37,12 +37,12 @@ export class EventMatcherPolicyForm extends BasePolicyForm<EventMatcherPolicy> {
         if (data.app?.toString() === "") data.app = null;
         if (data.model?.toString() === "") data.model = null;
         if (this.instance) {
-            return new PoliciesApi(DEFAULT_CONFIG).policiesEventMatcherUpdate({
+            return aki(PoliciesApi).policiesEventMatcherUpdate({
                 policyUuid: this.instance.pk || "",
                 eventMatcherPolicyRequest: data,
             });
         }
-        return new PoliciesApi(DEFAULT_CONFIG).policiesEventMatcherCreate({
+        return aki(PoliciesApi).policiesEventMatcherCreate({
             eventMatcherPolicyRequest: data,
         });
     }
@@ -96,9 +96,7 @@ export class EventMatcherPolicyForm extends BasePolicyForm<EventMatcherPolicy> {
                     <ak-form-element-horizontal label=${msg("Action")} name="action">
                         <ak-search-select
                             .fetchObjects=${async (query?: string): Promise<TypeCreate[]> => {
-                                const items = await new EventsApi(
-                                    DEFAULT_CONFIG,
-                                ).eventsEventsActionsList();
+                                const items = await aki(EventsApi).eventsEventsActionsList();
                                 return items.filter((item) =>
                                     query
                                         ? item.name.toLowerCase().includes(query.toLowerCase())
@@ -140,7 +138,7 @@ export class EventMatcherPolicyForm extends BasePolicyForm<EventMatcherPolicy> {
                     <ak-form-element-horizontal label=${msg("App")} name="app">
                         <ak-search-select
                             .fetchObjects=${async (query?: string): Promise<App[]> => {
-                                const items = await new AdminApi(DEFAULT_CONFIG).adminAppsList();
+                                const items = await aki(AdminApi).adminAppsList();
                                 return items.filter((item) =>
                                     query ? item.name.includes(query) : true,
                                 );
@@ -166,7 +164,7 @@ export class EventMatcherPolicyForm extends BasePolicyForm<EventMatcherPolicy> {
                     <ak-form-element-horizontal label=${msg("Model")} name="model">
                         <ak-search-select
                             .fetchObjects=${async (query?: string): Promise<App[]> => {
-                                const items = await new AdminApi(DEFAULT_CONFIG).adminModelsList();
+                                const items = await aki(AdminApi).adminModelsList();
                                 return items
                                     .filter((item) => (query ? item.name.includes(query) : true))
                                     .sort((a, b) => {
diff --git a/web/src/admin/policies/expiry/ExpiryPolicyForm.ts b/web/src/admin/policies/expiry/ExpiryPolicyForm.ts
index b15a4b1629..3ec04609ca 100644
--- a/web/src/admin/policies/expiry/ExpiryPolicyForm.ts
+++ b/web/src/admin/policies/expiry/ExpiryPolicyForm.ts
@@ -2,7 +2,7 @@ import "#components/ak-switch-input";
 import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePolicyForm } from "#admin/policies/BasePolicyForm";
 
@@ -16,19 +16,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-policy-password-expiry-form")
 export class PasswordExpiryPolicyForm extends BasePolicyForm<PasswordExpiryPolicy> {
     loadInstance(pk: string): Promise<PasswordExpiryPolicy> {
-        return new PoliciesApi(DEFAULT_CONFIG).policiesPasswordExpiryRetrieve({
+        return aki(PoliciesApi).policiesPasswordExpiryRetrieve({
             policyUuid: pk,
         });
     }
 
     async send(data: PasswordExpiryPolicy): Promise<PasswordExpiryPolicy> {
         if (this.instance) {
-            return new PoliciesApi(DEFAULT_CONFIG).policiesPasswordExpiryUpdate({
+            return aki(PoliciesApi).policiesPasswordExpiryUpdate({
                 policyUuid: this.instance.pk || "",
                 passwordExpiryPolicyRequest: data,
             });
         }
-        return new PoliciesApi(DEFAULT_CONFIG).policiesPasswordExpiryCreate({
+        return aki(PoliciesApi).policiesPasswordExpiryCreate({
             passwordExpiryPolicyRequest: data,
         });
     }
diff --git a/web/src/admin/policies/expression/ExpressionPolicyForm.ts b/web/src/admin/policies/expression/ExpressionPolicyForm.ts
index bbf705bd45..0fd9b9c2a8 100644
--- a/web/src/admin/policies/expression/ExpressionPolicyForm.ts
+++ b/web/src/admin/policies/expression/ExpressionPolicyForm.ts
@@ -3,7 +3,7 @@ import "#elements/CodeMirror";
 import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { docLink } from "#common/global";
 
 import { BasePolicyForm } from "#admin/policies/BasePolicyForm";
@@ -18,19 +18,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-policy-expression-form")
 export class ExpressionPolicyForm extends BasePolicyForm<ExpressionPolicy> {
     loadInstance(pk: string): Promise<ExpressionPolicy> {
-        return new PoliciesApi(DEFAULT_CONFIG).policiesExpressionRetrieve({
+        return aki(PoliciesApi).policiesExpressionRetrieve({
             policyUuid: pk,
         });
     }
 
     async send(data: ExpressionPolicy): Promise<ExpressionPolicy> {
         if (this.instance) {
-            return new PoliciesApi(DEFAULT_CONFIG).policiesExpressionUpdate({
+            return aki(PoliciesApi).policiesExpressionUpdate({
                 policyUuid: this.instance.pk || "",
                 expressionPolicyRequest: data,
             });
         }
-        return new PoliciesApi(DEFAULT_CONFIG).policiesExpressionCreate({
+        return aki(PoliciesApi).policiesExpressionCreate({
             expressionPolicyRequest: data,
         });
     }
diff --git a/web/src/admin/policies/geoip/CountryCache.ts b/web/src/admin/policies/geoip/CountryCache.ts
index 0a132f4014..1972f1432c 100644
--- a/web/src/admin/policies/geoip/CountryCache.ts
+++ b/web/src/admin/policies/geoip/CountryCache.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DetailedCountry, PoliciesApi } from "@goauthentik/api";
 
@@ -23,10 +23,12 @@ class CountryCache {
             return this.countries;
         }
 
-        await new PoliciesApi(DEFAULT_CONFIG).policiesGeoipIso3166List().then((response) => {
-            this.countries = response;
-            this.lastReceivedAt = new Date().getTime();
-        });
+        await aki(PoliciesApi)
+            .policiesGeoipIso3166List()
+            .then((response) => {
+                this.countries = response;
+                this.lastReceivedAt = new Date().getTime();
+            });
 
         return this.countries;
     }
diff --git a/web/src/admin/policies/geoip/GeoIPPolicyForm.ts b/web/src/admin/policies/geoip/GeoIPPolicyForm.ts
index 4807f57702..ff1d50ee01 100644
--- a/web/src/admin/policies/geoip/GeoIPPolicyForm.ts
+++ b/web/src/admin/policies/geoip/GeoIPPolicyForm.ts
@@ -6,7 +6,7 @@ import "#elements/forms/SearchSelect/index";
 
 import { countryCache } from "./CountryCache.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DataProvision, DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -25,7 +25,7 @@ function countryToPair(country: GeoIPPolicyCountriesObjInner): DualSelectPair {
 @customElement("ak-policy-geoip-form")
 export class GeoIPPolicyForm extends BasePolicyForm<GeoIPPolicy> {
     loadInstance(pk: string): Promise<GeoIPPolicy> {
-        return new PoliciesApi(DEFAULT_CONFIG).policiesGeoipRetrieve({
+        return aki(PoliciesApi).policiesGeoipRetrieve({
             policyUuid: pk,
         });
     }
@@ -38,12 +38,12 @@ export class GeoIPPolicyForm extends BasePolicyForm<GeoIPPolicy> {
         }
 
         if (this.instance) {
-            return new PoliciesApi(DEFAULT_CONFIG).policiesGeoipUpdate({
+            return aki(PoliciesApi).policiesGeoipUpdate({
                 policyUuid: this.instance.pk || "",
                 geoIPPolicyRequest: data,
             });
         }
-        return new PoliciesApi(DEFAULT_CONFIG).policiesGeoipCreate({
+        return aki(PoliciesApi).policiesGeoipCreate({
             geoIPPolicyRequest: data,
         });
     }
diff --git a/web/src/admin/policies/password/PasswordPolicyForm.ts b/web/src/admin/policies/password/PasswordPolicyForm.ts
index 0d72241b1a..25df0800d3 100644
--- a/web/src/admin/policies/password/PasswordPolicyForm.ts
+++ b/web/src/admin/policies/password/PasswordPolicyForm.ts
@@ -2,7 +2,7 @@ import "#elements/forms/FormGroup";
 import "#components/ak-switch-input";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePolicyForm } from "#admin/policies/BasePolicyForm";
 
@@ -33,7 +33,7 @@ export class PasswordPolicyForm extends BasePolicyForm<PasswordPolicy> {
     }
 
     async loadInstance(pk: string): Promise<PasswordPolicy> {
-        const policy = await new PoliciesApi(DEFAULT_CONFIG).policiesPasswordRetrieve({
+        const policy = await aki(PoliciesApi).policiesPasswordRetrieve({
             policyUuid: pk,
         });
         this.showStatic = policy.checkStaticRules || false;
@@ -44,12 +44,12 @@ export class PasswordPolicyForm extends BasePolicyForm<PasswordPolicy> {
 
     async send(data: PasswordPolicy): Promise<PasswordPolicy> {
         if (this.instance) {
-            return new PoliciesApi(DEFAULT_CONFIG).policiesPasswordUpdate({
+            return aki(PoliciesApi).policiesPasswordUpdate({
                 policyUuid: this.instance.pk || "",
                 passwordPolicyRequest: data,
             });
         }
-        return new PoliciesApi(DEFAULT_CONFIG).policiesPasswordCreate({
+        return aki(PoliciesApi).policiesPasswordCreate({
             passwordPolicyRequest: data,
         });
     }
diff --git a/web/src/admin/policies/reputation/ReputationListPage.ts b/web/src/admin/policies/reputation/ReputationListPage.ts
index 046c353dea..eddb818e0f 100644
--- a/web/src/admin/policies/reputation/ReputationListPage.ts
+++ b/web/src/admin/policies/reputation/ReputationListPage.ts
@@ -4,7 +4,7 @@ import "#elements/buttons/SpinnerButton/index";
 import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, TableColumn, Timestamp } from "#elements/table/Table";
 import { TablePage } from "#elements/table/TablePage";
@@ -33,7 +33,7 @@ export class ReputationListPage extends TablePage<Reputation> {
     public override searchPlaceholder = msg("Search for a reputation by identifier or IP...");
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<Reputation>> {
-        return new PoliciesApi(DEFAULT_CONFIG).policiesReputationScoresList({
+        return aki(PoliciesApi).policiesReputationScoresList({
             ...(await this.defaultEndpointConfig()),
         });
     }
@@ -56,12 +56,12 @@ export class ReputationListPage extends TablePage<Reputation> {
             object-label=${msg("Reputation")}
             .objects=${this.selectedElements}
             .usedBy=${(item: Reputation) => {
-                return new PoliciesApi(DEFAULT_CONFIG).policiesReputationScoresUsedByList({
+                return aki(PoliciesApi).policiesReputationScoresUsedByList({
                     reputationUuid: item.pk || "",
                 });
             }}
             .delete=${(item: Reputation) => {
-                return new PoliciesApi(DEFAULT_CONFIG).policiesReputationScoresDestroy({
+                return aki(PoliciesApi).policiesReputationScoresDestroy({
                     reputationUuid: item.pk || "",
                 });
             }}
diff --git a/web/src/admin/policies/reputation/ReputationPolicyForm.ts b/web/src/admin/policies/reputation/ReputationPolicyForm.ts
index 6192ddd1c0..b3ba51d421 100644
--- a/web/src/admin/policies/reputation/ReputationPolicyForm.ts
+++ b/web/src/admin/policies/reputation/ReputationPolicyForm.ts
@@ -2,7 +2,7 @@ import "#components/ak-switch-input";
 import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePolicyForm } from "#admin/policies/BasePolicyForm";
 
@@ -16,19 +16,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-policy-reputation-form")
 export class ReputationPolicyForm extends BasePolicyForm<ReputationPolicy> {
     loadInstance(pk: string): Promise<ReputationPolicy> {
-        return new PoliciesApi(DEFAULT_CONFIG).policiesReputationRetrieve({
+        return aki(PoliciesApi).policiesReputationRetrieve({
             policyUuid: pk,
         });
     }
 
     async send(data: ReputationPolicy): Promise<ReputationPolicy> {
         if (this.instance) {
-            return new PoliciesApi(DEFAULT_CONFIG).policiesReputationUpdate({
+            return aki(PoliciesApi).policiesReputationUpdate({
                 policyUuid: this.instance.pk || "",
                 reputationPolicyRequest: data,
             });
         }
-        return new PoliciesApi(DEFAULT_CONFIG).policiesReputationCreate({
+        return aki(PoliciesApi).policiesReputationCreate({
             reputationPolicyRequest: data,
         });
     }
diff --git a/web/src/admin/policies/unique_password/UniquePasswordPolicyForm.ts b/web/src/admin/policies/unique_password/UniquePasswordPolicyForm.ts
index 03b5a816b1..c43435d9b0 100644
--- a/web/src/admin/policies/unique_password/UniquePasswordPolicyForm.ts
+++ b/web/src/admin/policies/unique_password/UniquePasswordPolicyForm.ts
@@ -2,7 +2,7 @@ import "#components/ak-switch-input";
 import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePolicyForm } from "#admin/policies/BasePolicyForm";
 
@@ -16,19 +16,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-policy-password-uniqueness-form")
 export class UniquePasswordPolicyForm extends BasePolicyForm<UniquePasswordPolicy> {
     async loadInstance(pk: string): Promise<UniquePasswordPolicy> {
-        return new PoliciesApi(DEFAULT_CONFIG).policiesUniquePasswordRetrieve({
+        return aki(PoliciesApi).policiesUniquePasswordRetrieve({
             policyUuid: pk,
         });
     }
 
     async send(data: UniquePasswordPolicy): Promise<UniquePasswordPolicy> {
         if (this.instance) {
-            return new PoliciesApi(DEFAULT_CONFIG).policiesUniquePasswordUpdate({
+            return aki(PoliciesApi).policiesUniquePasswordUpdate({
                 policyUuid: this.instance.pk || "",
                 uniquePasswordPolicyRequest: data,
             });
         }
-        return new PoliciesApi(DEFAULT_CONFIG).policiesUniquePasswordCreate({
+        return aki(PoliciesApi).policiesUniquePasswordCreate({
             uniquePasswordPolicyRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingListPage.ts b/web/src/admin/property-mappings/PropertyMappingListPage.ts
index a00cd3391d..6c311328c4 100644
--- a/web/src/admin/property-mappings/PropertyMappingListPage.ts
+++ b/web/src/admin/property-mappings/PropertyMappingListPage.ts
@@ -20,7 +20,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButtonByTagName, modalInvoker } from "#elements/dialogs";
 import { IconPermissionButton } from "#elements/dialogs/components/IconPermissionButton";
@@ -57,7 +57,7 @@ export class PropertyMappingListPage extends TablePage<PropertyMapping> {
     protected hideManaged = getURLParam<boolean>("hideManaged", true);
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<PropertyMapping>> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsAllList({
+        return aki(PropertymappingsApi).propertymappingsAllList({
             ...(await this.defaultEndpointConfig()),
             managedIsnull: this.hideManaged ? true : undefined,
         });
@@ -75,12 +75,12 @@ export class PropertyMappingListPage extends TablePage<PropertyMapping> {
             object-label=${msg("Property Mapping(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: PropertyMapping) => {
-                return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsAllUsedByList({
+                return aki(PropertymappingsApi).propertymappingsAllUsedByList({
                     pmUuid: item.pk,
                 });
             }}
             .delete=${(item: PropertyMapping) => {
-                return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsAllDestroy({
+                return aki(PropertymappingsApi).propertymappingsAllDestroy({
                     pmUuid: item.pk,
                 });
             }}
diff --git a/web/src/admin/property-mappings/PropertyMappingNotification.ts b/web/src/admin/property-mappings/PropertyMappingNotification.ts
index 8c4af6cd72..d441ab7b01 100644
--- a/web/src/admin/property-mappings/PropertyMappingNotification.ts
+++ b/web/src/admin/property-mappings/PropertyMappingNotification.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -12,19 +12,19 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-property-mapping-notification-form")
 export class PropertyMappingNotification extends BasePropertyMappingForm<NotificationWebhookMapping> {
     loadInstance(pk: string): Promise<NotificationWebhookMapping> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsNotificationRetrieve({
+        return aki(PropertymappingsApi).propertymappingsNotificationRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: NotificationWebhookMapping): Promise<NotificationWebhookMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsNotificationUpdate({
+            return aki(PropertymappingsApi).propertymappingsNotificationUpdate({
                 pmUuid: this.instance.pk,
                 notificationWebhookMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsNotificationCreate({
+        return aki(PropertymappingsApi).propertymappingsNotificationCreate({
             notificationWebhookMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingProviderGoogleWorkspaceForm.ts b/web/src/admin/property-mappings/PropertyMappingProviderGoogleWorkspaceForm.ts
index 68045b47c0..2d58a0b97c 100644
--- a/web/src/admin/property-mappings/PropertyMappingProviderGoogleWorkspaceForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingProviderGoogleWorkspaceForm.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -12,25 +12,19 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-property-mapping-provider-google-workspace-form")
 export class PropertyMappingProviderGoogleWorkspaceForm extends BasePropertyMappingForm<GoogleWorkspaceProviderMapping> {
     loadInstance(pk: string): Promise<GoogleWorkspaceProviderMapping> {
-        return new PropertymappingsApi(
-            DEFAULT_CONFIG,
-        ).propertymappingsProviderGoogleWorkspaceRetrieve({
+        return aki(PropertymappingsApi).propertymappingsProviderGoogleWorkspaceRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: GoogleWorkspaceProviderMapping): Promise<GoogleWorkspaceProviderMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(
-                DEFAULT_CONFIG,
-            ).propertymappingsProviderGoogleWorkspaceUpdate({
+            return aki(PropertymappingsApi).propertymappingsProviderGoogleWorkspaceUpdate({
                 pmUuid: this.instance.pk,
                 googleWorkspaceProviderMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(
-            DEFAULT_CONFIG,
-        ).propertymappingsProviderGoogleWorkspaceCreate({
+        return aki(PropertymappingsApi).propertymappingsProviderGoogleWorkspaceCreate({
             googleWorkspaceProviderMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingProviderMicrosoftEntraForm.ts b/web/src/admin/property-mappings/PropertyMappingProviderMicrosoftEntraForm.ts
index f61b84830a..27d559b56d 100644
--- a/web/src/admin/property-mappings/PropertyMappingProviderMicrosoftEntraForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingProviderMicrosoftEntraForm.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -12,27 +12,21 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-property-mapping-provider-microsoft-entra-form")
 export class PropertyMappingProviderMicrosoftEntraForm extends BasePropertyMappingForm<MicrosoftEntraProviderMapping> {
     loadInstance(pk: string): Promise<MicrosoftEntraProviderMapping> {
-        return new PropertymappingsApi(
-            DEFAULT_CONFIG,
-        ).propertymappingsProviderMicrosoftEntraRetrieve({
+        return aki(PropertymappingsApi).propertymappingsProviderMicrosoftEntraRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: MicrosoftEntraProviderMapping): Promise<MicrosoftEntraProviderMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(
-                DEFAULT_CONFIG,
-            ).propertymappingsProviderMicrosoftEntraUpdate({
+            return aki(PropertymappingsApi).propertymappingsProviderMicrosoftEntraUpdate({
                 pmUuid: this.instance.pk,
                 microsoftEntraProviderMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderMicrosoftEntraCreate(
-            {
-                microsoftEntraProviderMappingRequest: data,
-            },
-        );
+        return aki(PropertymappingsApi).propertymappingsProviderMicrosoftEntraCreate({
+            microsoftEntraProviderMappingRequest: data,
+        });
     }
 }
 
diff --git a/web/src/admin/property-mappings/PropertyMappingProviderRACForm.ts b/web/src/admin/property-mappings/PropertyMappingProviderRACForm.ts
index 44e5076779..8a7fffb84a 100644
--- a/web/src/admin/property-mappings/PropertyMappingProviderRACForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingProviderRACForm.ts
@@ -3,7 +3,7 @@ import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/Radio";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { docLink } from "#common/global";
 
 import type { RadioOption } from "#elements/forms/Radio";
@@ -37,19 +37,19 @@ export const staticSettingOptions: RadioOption<string | undefined>[] = [
 @customElement("ak-property-mapping-provider-rac-form")
 export class PropertyMappingProviderRACForm extends BasePropertyMappingForm<RACPropertyMapping> {
     loadInstance(pk: string): Promise<RACPropertyMapping> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderRacRetrieve({
+        return aki(PropertymappingsApi).propertymappingsProviderRacRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: RACPropertyMapping): Promise<RACPropertyMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderRacUpdate({
+            return aki(PropertymappingsApi).propertymappingsProviderRacUpdate({
                 pmUuid: this.instance.pk,
                 rACPropertyMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderRacCreate({
+        return aki(PropertymappingsApi).propertymappingsProviderRacCreate({
             rACPropertyMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingProviderRadiusForm.ts b/web/src/admin/property-mappings/PropertyMappingProviderRadiusForm.ts
index b0e156d8de..31cd0fe6d7 100644
--- a/web/src/admin/property-mappings/PropertyMappingProviderRadiusForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingProviderRadiusForm.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -12,19 +12,19 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-property-mapping-provider-radius-form")
 export class PropertyMappingProviderRadiusForm extends BasePropertyMappingForm<RadiusProviderPropertyMapping> {
     loadInstance(pk: string): Promise<RadiusProviderPropertyMapping> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderRadiusRetrieve({
+        return aki(PropertymappingsApi).propertymappingsProviderRadiusRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: RadiusProviderPropertyMapping): Promise<RadiusProviderPropertyMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderRadiusUpdate({
+            return aki(PropertymappingsApi).propertymappingsProviderRadiusUpdate({
                 pmUuid: this.instance.pk,
                 radiusProviderPropertyMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderRadiusCreate({
+        return aki(PropertymappingsApi).propertymappingsProviderRadiusCreate({
             radiusProviderPropertyMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingProviderSAMLForm.ts b/web/src/admin/property-mappings/PropertyMappingProviderSAMLForm.ts
index 9149ee6f95..19c259e14f 100644
--- a/web/src/admin/property-mappings/PropertyMappingProviderSAMLForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingProviderSAMLForm.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -15,19 +15,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-property-mapping-provider-saml-form")
 export class PropertyMappingProviderSAMLForm extends BasePropertyMappingForm<SAMLPropertyMapping> {
     loadInstance(pk: string): Promise<SAMLPropertyMapping> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderSamlRetrieve({
+        return aki(PropertymappingsApi).propertymappingsProviderSamlRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: SAMLPropertyMapping): Promise<SAMLPropertyMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderSamlUpdate({
+            return aki(PropertymappingsApi).propertymappingsProviderSamlUpdate({
                 pmUuid: this.instance.pk,
                 sAMLPropertyMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderSamlCreate({
+        return aki(PropertymappingsApi).propertymappingsProviderSamlCreate({
             sAMLPropertyMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingProviderSCIMForm.ts b/web/src/admin/property-mappings/PropertyMappingProviderSCIMForm.ts
index 542606910c..393d4faa30 100644
--- a/web/src/admin/property-mappings/PropertyMappingProviderSCIMForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingProviderSCIMForm.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -12,19 +12,19 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-property-mapping-provider-scim-form")
 export class PropertyMappingProviderSCIMForm extends BasePropertyMappingForm<SCIMMapping> {
     loadInstance(pk: string): Promise<SCIMMapping> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderScimRetrieve({
+        return aki(PropertymappingsApi).propertymappingsProviderScimRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: SCIMMapping): Promise<SCIMMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderScimUpdate({
+            return aki(PropertymappingsApi).propertymappingsProviderScimUpdate({
                 pmUuid: this.instance.pk,
                 sCIMMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderScimCreate({
+        return aki(PropertymappingsApi).propertymappingsProviderScimCreate({
             sCIMMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingProviderScopeForm.ts b/web/src/admin/property-mappings/PropertyMappingProviderScopeForm.ts
index 4c432471d2..10529beca5 100644
--- a/web/src/admin/property-mappings/PropertyMappingProviderScopeForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingProviderScopeForm.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -15,19 +15,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-property-mapping-provider-scope-form")
 export class PropertyMappingProviderScopeForm extends BasePropertyMappingForm<ScopeMapping> {
     loadInstance(pk: string): Promise<ScopeMapping> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderScopeRetrieve({
+        return aki(PropertymappingsApi).propertymappingsProviderScopeRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: ScopeMapping): Promise<ScopeMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderScopeUpdate({
+            return aki(PropertymappingsApi).propertymappingsProviderScopeUpdate({
                 pmUuid: this.instance.pk,
                 scopeMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderScopeCreate({
+        return aki(PropertymappingsApi).propertymappingsProviderScopeCreate({
             scopeMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingSourceKerberosForm.ts b/web/src/admin/property-mappings/PropertyMappingSourceKerberosForm.ts
index b8a870feed..8085d2dca1 100644
--- a/web/src/admin/property-mappings/PropertyMappingSourceKerberosForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSourceKerberosForm.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -14,19 +14,19 @@ export class PropertyMappingSourceKerberosForm extends BasePropertyMappingForm<K
     protected override docLink = "/users-sources/sources/property-mappings/expressions";
 
     loadInstance(pk: string): Promise<KerberosSourcePropertyMapping> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceKerberosRetrieve({
+        return aki(PropertymappingsApi).propertymappingsSourceKerberosRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: KerberosSourcePropertyMapping): Promise<KerberosSourcePropertyMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceKerberosUpdate({
+            return aki(PropertymappingsApi).propertymappingsSourceKerberosUpdate({
                 pmUuid: this.instance.pk,
                 kerberosSourcePropertyMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceKerberosCreate({
+        return aki(PropertymappingsApi).propertymappingsSourceKerberosCreate({
             kerberosSourcePropertyMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingSourceLDAPForm.ts b/web/src/admin/property-mappings/PropertyMappingSourceLDAPForm.ts
index ab691f7463..8c188575b5 100644
--- a/web/src/admin/property-mappings/PropertyMappingSourceLDAPForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSourceLDAPForm.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -14,19 +14,19 @@ export class PropertyMappingSourceLDAPForm extends BasePropertyMappingForm<LDAPS
     protected override docLink = "/users-sources/sources/property-mappings/expressions";
 
     loadInstance(pk: string): Promise<LDAPSourcePropertyMapping> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceLdapRetrieve({
+        return aki(PropertymappingsApi).propertymappingsSourceLdapRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: LDAPSourcePropertyMapping): Promise<LDAPSourcePropertyMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceLdapUpdate({
+            return aki(PropertymappingsApi).propertymappingsSourceLdapUpdate({
                 pmUuid: this.instance.pk,
                 lDAPSourcePropertyMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceLdapCreate({
+        return aki(PropertymappingsApi).propertymappingsSourceLdapCreate({
             lDAPSourcePropertyMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingSourceOAuthForm.ts b/web/src/admin/property-mappings/PropertyMappingSourceOAuthForm.ts
index 89a4a42fb7..9af4c1dfaf 100644
--- a/web/src/admin/property-mappings/PropertyMappingSourceOAuthForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSourceOAuthForm.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -14,19 +14,19 @@ export class PropertyMappingSourceOAuthForm extends BasePropertyMappingForm<OAut
     protected override docLink = "/users-sources/sources/property-mappings/expressions";
 
     loadInstance(pk: string): Promise<OAuthSourcePropertyMapping> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceOauthRetrieve({
+        return aki(PropertymappingsApi).propertymappingsSourceOauthRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: OAuthSourcePropertyMapping): Promise<OAuthSourcePropertyMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceOauthUpdate({
+            return aki(PropertymappingsApi).propertymappingsSourceOauthUpdate({
                 pmUuid: this.instance.pk,
                 oAuthSourcePropertyMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceOauthCreate({
+        return aki(PropertymappingsApi).propertymappingsSourceOauthCreate({
             oAuthSourcePropertyMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingSourcePlexForm.ts b/web/src/admin/property-mappings/PropertyMappingSourcePlexForm.ts
index 619ec69ed4..c4a814688e 100644
--- a/web/src/admin/property-mappings/PropertyMappingSourcePlexForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSourcePlexForm.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -14,19 +14,19 @@ export class PropertyMappingSourcePlexForm extends BasePropertyMappingForm<PlexS
     protected override docLink = "/users-sources/sources/property-mappings/expressions";
 
     loadInstance(pk: string): Promise<PlexSourcePropertyMapping> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourcePlexRetrieve({
+        return aki(PropertymappingsApi).propertymappingsSourcePlexRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: PlexSourcePropertyMapping): Promise<PlexSourcePropertyMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourcePlexUpdate({
+            return aki(PropertymappingsApi).propertymappingsSourcePlexUpdate({
                 pmUuid: this.instance.pk,
                 plexSourcePropertyMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourcePlexCreate({
+        return aki(PropertymappingsApi).propertymappingsSourcePlexCreate({
             plexSourcePropertyMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingSourceSAMLForm.ts b/web/src/admin/property-mappings/PropertyMappingSourceSAMLForm.ts
index 760a2541d6..2977c7bfae 100644
--- a/web/src/admin/property-mappings/PropertyMappingSourceSAMLForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSourceSAMLForm.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -14,19 +14,19 @@ export class PropertyMappingSourceSAMLForm extends BasePropertyMappingForm<SAMLS
     protected override docLink = "/users-sources/sources/property-mappings/expressions";
 
     loadInstance(pk: string): Promise<SAMLSourcePropertyMapping> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceSamlRetrieve({
+        return aki(PropertymappingsApi).propertymappingsSourceSamlRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: SAMLSourcePropertyMapping): Promise<SAMLSourcePropertyMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceSamlUpdate({
+            return aki(PropertymappingsApi).propertymappingsSourceSamlUpdate({
                 pmUuid: this.instance.pk,
                 sAMLSourcePropertyMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceSamlCreate({
+        return aki(PropertymappingsApi).propertymappingsSourceSamlCreate({
             sAMLSourcePropertyMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingSourceSCIMForm.ts b/web/src/admin/property-mappings/PropertyMappingSourceSCIMForm.ts
index 41601e0589..11c0b1ac3f 100644
--- a/web/src/admin/property-mappings/PropertyMappingSourceSCIMForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSourceSCIMForm.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -14,19 +14,19 @@ export class PropertyMappingSourceSCIMForm extends BasePropertyMappingForm<SCIMS
     protected override docLink = "/users-sources/sources/property-mappings/expressions";
 
     loadInstance(pk: string): Promise<SCIMSourcePropertyMapping> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceScimRetrieve({
+        return aki(PropertymappingsApi).propertymappingsSourceScimRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: SCIMSourcePropertyMapping): Promise<SCIMSourcePropertyMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceScimUpdate({
+            return aki(PropertymappingsApi).propertymappingsSourceScimUpdate({
                 pmUuid: this.instance.pk,
                 sCIMSourcePropertyMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceScimCreate({
+        return aki(PropertymappingsApi).propertymappingsSourceScimCreate({
             sCIMSourcePropertyMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingSourceTelegramForm.ts b/web/src/admin/property-mappings/PropertyMappingSourceTelegramForm.ts
index 580792d625..45f8006654 100644
--- a/web/src/admin/property-mappings/PropertyMappingSourceTelegramForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSourceTelegramForm.ts
@@ -1,7 +1,7 @@
 import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BasePropertyMappingForm } from "#admin/property-mappings/BasePropertyMappingForm";
 
@@ -14,19 +14,19 @@ export class PropertyMappingSourceTelegramForm extends BasePropertyMappingForm<T
     protected override docLink = "/users-sources/sources/property-mappings/expressions";
 
     loadInstance(pk: string): Promise<TelegramSourcePropertyMapping> {
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceTelegramRetrieve({
+        return aki(PropertymappingsApi).propertymappingsSourceTelegramRetrieve({
             pmUuid: pk,
         });
     }
 
     async send(data: TelegramSourcePropertyMapping): Promise<TelegramSourcePropertyMapping> {
         if (this.instance) {
-            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceTelegramUpdate({
+            return aki(PropertymappingsApi).propertymappingsSourceTelegramUpdate({
                 pmUuid: this.instance.pk,
                 telegramSourcePropertyMappingRequest: data,
             });
         }
-        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsSourceTelegramCreate({
+        return aki(PropertymappingsApi).propertymappingsSourceTelegramCreate({
             telegramSourcePropertyMappingRequest: data,
         });
     }
diff --git a/web/src/admin/property-mappings/PropertyMappingTestForm.ts b/web/src/admin/property-mappings/PropertyMappingTestForm.ts
index 442e50f9eb..6f8daf1064 100644
--- a/web/src/admin/property-mappings/PropertyMappingTestForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingTestForm.ts
@@ -2,7 +2,7 @@ import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PFSize } from "#common/enums";
 
 import { Form } from "#elements/forms/Form";
@@ -39,7 +39,7 @@ export class PropertyMappingTestForm extends Form<PropertyMappingTestRequest> {
     public override cancelable = true;
     public override size = PFSize.XLarge;
 
-    #api = new PropertymappingsApi(DEFAULT_CONFIG);
+    #api = aki(PropertymappingsApi);
 
     protected override formatSubmitLabel(submitLabel?: string | null): string {
         return submitLabel || msg("Run Test");
@@ -189,7 +189,7 @@ export class PropertyMappingTestForm extends Form<PropertyMappingTestRequest> {
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const users = await new CoreApi(DEFAULT_CONFIG).coreUsersList(args);
+                        const users = await aki(CoreApi).coreUsersList(args);
                         return users.results;
                     }}
                     .renderElement=${(user: User): string => {
@@ -218,7 +218,7 @@ export class PropertyMappingTestForm extends Form<PropertyMappingTestRequest> {
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(args);
+                        const groups = await aki(CoreApi).coreGroupsList(args);
                         return groups.results;
                     }}
                     .renderElement=${(group: Group): string => {
diff --git a/web/src/admin/property-mappings/ak-property-mapping-wizard.ts b/web/src/admin/property-mappings/ak-property-mapping-wizard.ts
index 6158d22ff6..5dddb17c4c 100644
--- a/web/src/admin/property-mappings/ak-property-mapping-wizard.ts
+++ b/web/src/admin/property-mappings/ak-property-mapping-wizard.ts
@@ -18,7 +18,7 @@ import "#elements/wizard/FormWizardPage";
 import "#elements/wizard/TypeCreateWizardPage";
 import "#elements/wizard/Wizard";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { CreateWizard } from "#elements/wizard/CreateWizard";
 
@@ -29,7 +29,7 @@ import { customElement } from "@lit/reactive-element/decorators/custom-element.j
 
 @customElement("ak-property-mapping-wizard")
 export class AKPropertyMappingWizard extends CreateWizard {
-    #api = new PropertymappingsApi(DEFAULT_CONFIG);
+    #api = aki(PropertymappingsApi);
 
     protected override apiEndpoint(requestInit?: RequestInit): Promise<TypeCreate[]> {
         return this.#api.propertymappingsAllTypesList(requestInit);
diff --git a/web/src/admin/providers/ProviderListPage.ts b/web/src/admin/providers/ProviderListPage.ts
index 7f1ae00ff2..d52911bc26 100644
--- a/web/src/admin/providers/ProviderListPage.ts
+++ b/web/src/admin/providers/ProviderListPage.ts
@@ -14,7 +14,7 @@ import "#elements/buttons/SpinnerButton/index";
 import "#elements/forms/DeleteBulkForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButtonByTagName } from "#elements/dialogs";
 import { PaginatedResponse, TableColumn } from "#elements/table/Table";
@@ -51,9 +51,7 @@ export class ProviderListPage extends TablePage<Provider> {
     public searchPlaceholder = msg("Search for provider by name, type or assigned application...");
 
     override async apiEndpoint(): Promise<PaginatedResponse<Provider>> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersAllList(
-            await this.defaultEndpointConfig(),
-        );
+        return aki(ProvidersApi).providersAllList(await this.defaultEndpointConfig());
     }
 
     protected override columns: TableColumn[] = [
@@ -70,12 +68,12 @@ export class ProviderListPage extends TablePage<Provider> {
             object-label=${msg("Provider(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: Provider) => {
-                return new ProvidersApi(DEFAULT_CONFIG).providersAllUsedByList({
+                return aki(ProvidersApi).providersAllUsedByList({
                     id: item.pk,
                 });
             }}
             .delete=${(item: Provider) => {
-                return new ProvidersApi(DEFAULT_CONFIG).providersAllDestroy({
+                return aki(ProvidersApi).providersAllDestroy({
                     id: item.pk,
                 });
             }}
diff --git a/web/src/admin/providers/ProviderViewPage.ts b/web/src/admin/providers/ProviderViewPage.ts
index 605a754697..e4770ae983 100644
--- a/web/src/admin/providers/ProviderViewPage.ts
+++ b/web/src/admin/providers/ProviderViewPage.ts
@@ -12,7 +12,7 @@ import "#admin/providers/wsfed/WSFederationProviderViewPage";
 import "#elements/EmptyState";
 import "#elements/buttons/SpinnerButton/ak-spinner-button";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKElement } from "#elements/Base";
 
@@ -31,7 +31,7 @@ import PFPage from "@patternfly/patternfly/components/Page/page.css";
 export class ProviderViewPage extends AKElement {
     @property({ type: Number })
     set providerID(value: number) {
-        new ProvidersApi(DEFAULT_CONFIG)
+        aki(ProvidersApi)
             .providersAllRetrieve({
                 id: value,
             })
diff --git a/web/src/admin/providers/ak-provider-wizard.ts b/web/src/admin/providers/ak-provider-wizard.ts
index 50389821a0..59b13a8f68 100644
--- a/web/src/admin/providers/ak-provider-wizard.ts
+++ b/web/src/admin/providers/ak-provider-wizard.ts
@@ -8,7 +8,7 @@ import "#elements/wizard/FormWizardPage";
 import "#elements/wizard/TypeCreateWizardPage";
 import "#elements/wizard/Wizard";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { CreateWizard } from "#elements/wizard/CreateWizard";
 import { TypeCreateWizardPageLayouts } from "#elements/wizard/TypeCreateWizardPage";
@@ -20,7 +20,7 @@ import { customElement } from "@lit/reactive-element/decorators/custom-element.j
 
 @customElement("ak-provider-wizard")
 export class AKProviderWizard extends CreateWizard {
-    #api = new ProvidersApi(DEFAULT_CONFIG);
+    #api = aki(ProvidersApi);
 
     public static override verboseName = msg("Provider");
     public static override verboseNamePlural = msg("Providers");
diff --git a/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderForm.ts b/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderForm.ts
index 8876333917..667c19189d 100644
--- a/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderForm.ts
+++ b/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderForm.ts
@@ -11,7 +11,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseProviderForm } from "#admin/providers/BaseProviderForm";
 import {
@@ -36,19 +36,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-provider-google-workspace-form")
 export class GoogleWorkspaceProviderFormPage extends BaseProviderForm<GoogleWorkspaceProvider> {
     loadInstance(pk: number): Promise<GoogleWorkspaceProvider> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersGoogleWorkspaceRetrieve({
+        return aki(ProvidersApi).providersGoogleWorkspaceRetrieve({
             id: pk,
         });
     }
 
     async send(data: GoogleWorkspaceProvider): Promise<GoogleWorkspaceProvider> {
         if (this.instance) {
-            return new ProvidersApi(DEFAULT_CONFIG).providersGoogleWorkspaceUpdate({
+            return aki(ProvidersApi).providersGoogleWorkspaceUpdate({
                 id: this.instance.pk,
                 googleWorkspaceProviderRequest: data,
             });
         }
-        return new ProvidersApi(DEFAULT_CONFIG).providersGoogleWorkspaceCreate({
+        return aki(ProvidersApi).providersGoogleWorkspaceCreate({
             googleWorkspaceProviderRequest: data,
         });
     }
@@ -193,9 +193,7 @@ export class GoogleWorkspaceProviderFormPage extends BaseProviderForm<GoogleWork
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(
-                                    args,
-                                );
+                                const groups = await aki(CoreApi).coreGroupsList(args);
                                 return groups.results;
                             }}
                             .renderElement=${(group: Group): string => {
diff --git a/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderFormHelpers.ts b/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderFormHelpers.ts
index ddee113dee..db9e6ceb5d 100644
--- a/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderFormHelpers.ts
+++ b/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,8 +7,8 @@ import { GoogleWorkspaceProviderMapping, PropertymappingsApi } from "@goauthenti
 const mappingToSelect = (m: GoogleWorkspaceProviderMapping) => [m.pk, m.name, m.name, m];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
+    const propertyMappings = await aki(
+        PropertymappingsApi,
     ).propertymappingsProviderGoogleWorkspaceList({
         ordering: "managed",
         pageSize: 20,
@@ -34,7 +34,7 @@ export function propertyMappingsSelector(
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsProviderGoogleWorkspaceRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderGroupList.ts b/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderGroupList.ts
index d00bad437c..ade332d94d 100644
--- a/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderGroupList.ts
+++ b/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderGroupList.ts
@@ -2,7 +2,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "#components/sync/SyncObjectForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -38,9 +38,7 @@ export class GoogleWorkspaceProviderGroupList extends Table<GoogleWorkspaceProvi
                     .provider=${this.providerId}
                     model=${SyncObjectModelEnum.AuthentikCoreModelsGroup}
                     .sync=${(data: ProvidersGoogleWorkspaceSyncObjectCreateRequest) => {
-                        return new ProvidersApi(
-                            DEFAULT_CONFIG,
-                        ).providersGoogleWorkspaceSyncObjectCreate(data);
+                        return aki(ProvidersApi).providersGoogleWorkspaceSyncObjectCreate(data);
                     }}
                     slot="form"
                 >
@@ -56,7 +54,7 @@ export class GoogleWorkspaceProviderGroupList extends Table<GoogleWorkspaceProvi
             object-label=${msg("Google Workspace Group(s)")}
             .objects=${this.selectedElements}
             .delete=${(item: GoogleWorkspaceProviderGroup) => {
-                return new ProvidersApi(DEFAULT_CONFIG).providersGoogleWorkspaceGroupsDestroy({
+                return aki(ProvidersApi).providersGoogleWorkspaceGroupsDestroy({
                     id: item.id,
                 });
             }}
@@ -68,7 +66,7 @@ export class GoogleWorkspaceProviderGroupList extends Table<GoogleWorkspaceProvi
     }
 
     async apiEndpoint(): Promise<PaginatedResponse<GoogleWorkspaceProviderGroup>> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersGoogleWorkspaceGroupsList({
+        return aki(ProvidersApi).providersGoogleWorkspaceGroupsList({
             ...(await this.defaultEndpointConfig()),
             providerId: this.providerId,
         });
diff --git a/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderUserList.ts b/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderUserList.ts
index 2ecd02ec6b..9f1b1115ba 100644
--- a/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderUserList.ts
+++ b/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderUserList.ts
@@ -2,7 +2,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "#components/sync/SyncObjectForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { formatUserDisplayName } from "#common/users";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
@@ -39,9 +39,7 @@ export class GoogleWorkspaceProviderUserList extends Table<GoogleWorkspaceProvid
                     .provider=${this.providerId}
                     model=${SyncObjectModelEnum.AuthentikCoreModelsUser}
                     .sync=${(data: ProvidersGoogleWorkspaceSyncObjectCreateRequest) => {
-                        return new ProvidersApi(
-                            DEFAULT_CONFIG,
-                        ).providersGoogleWorkspaceSyncObjectCreate(data);
+                        return aki(ProvidersApi).providersGoogleWorkspaceSyncObjectCreate(data);
                     }}
                     slot="form"
                 >
@@ -57,7 +55,7 @@ export class GoogleWorkspaceProviderUserList extends Table<GoogleWorkspaceProvid
             object-label=${msg("Google Workspace User(s)")}
             .objects=${this.selectedElements}
             .delete=${(item: GoogleWorkspaceProviderUser) => {
-                return new ProvidersApi(DEFAULT_CONFIG).providersGoogleWorkspaceUsersDestroy({
+                return aki(ProvidersApi).providersGoogleWorkspaceUsersDestroy({
                     id: item.id,
                 });
             }}
@@ -69,7 +67,7 @@ export class GoogleWorkspaceProviderUserList extends Table<GoogleWorkspaceProvid
     }
 
     async apiEndpoint(): Promise<PaginatedResponse<GoogleWorkspaceProviderUser>> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersGoogleWorkspaceUsersList({
+        return aki(ProvidersApi).providersGoogleWorkspaceUsersList({
             ...(await this.defaultEndpointConfig()),
             providerId: this.providerId,
         });
diff --git a/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderViewPage.ts b/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderViewPage.ts
index c2842ac80f..c746fc17d2 100644
--- a/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderViewPage.ts
+++ b/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderViewPage.ts
@@ -12,7 +12,7 @@ import "#components/sync/SyncStatusCard";
 import "#elements/tasks/ScheduleList";
 import "#elements/tasks/TaskList";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -65,7 +65,7 @@ export class GoogleWorkspaceProviderViewPage extends AKElement {
     }
 
     fetchProvider(id: number) {
-        new ProvidersApi(DEFAULT_CONFIG)
+        aki(ProvidersApi)
             .providersGoogleWorkspaceRetrieve({ id })
             .then((prov) => (this.provider = prov));
     }
@@ -216,9 +216,7 @@ export class GoogleWorkspaceProviderViewPage extends AKElement {
                 >
                     <ak-sync-status-card
                         .fetch=${() => {
-                            return new ProvidersApi(
-                                DEFAULT_CONFIG,
-                            ).providersGoogleWorkspaceSyncStatusRetrieve({
+                            return aki(ProvidersApi).providersGoogleWorkspaceSyncStatusRetrieve({
                                 id: this.provider?.pk || 0,
                             });
                         }}
diff --git a/web/src/admin/providers/ldap/LDAPProviderForm.ts b/web/src/admin/providers/ldap/LDAPProviderForm.ts
index ea0a840348..e95c7af5ee 100644
--- a/web/src/admin/providers/ldap/LDAPProviderForm.ts
+++ b/web/src/admin/providers/ldap/LDAPProviderForm.ts
@@ -3,7 +3,7 @@ import "#admin/common/ak-flow-search/ak-branded-flow-search";
 
 import { renderForm } from "./LDAPProviderFormForm.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { WithBrandConfig } from "#elements/mixins/branding";
 
@@ -21,19 +21,19 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-provider-ldap-form")
 export class LDAPProviderFormPage extends WithBrandConfig(BaseProviderForm<LDAPProvider>) {
     async loadInstance(pk: number): Promise<LDAPProvider> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersLdapRetrieve({
+        return aki(ProvidersApi).providersLdapRetrieve({
             id: pk,
         });
     }
 
     async send(data: LDAPProvider): Promise<LDAPProvider> {
         if (this.instance) {
-            return new ProvidersApi(DEFAULT_CONFIG).providersLdapUpdate({
+            return aki(ProvidersApi).providersLdapUpdate({
                 id: this.instance.pk,
                 lDAPProviderRequest: data,
             });
         }
-        return new ProvidersApi(DEFAULT_CONFIG).providersLdapCreate({
+        return aki(ProvidersApi).providersLdapCreate({
             lDAPProviderRequest: data,
         });
     }
diff --git a/web/src/admin/providers/ldap/LDAPProviderFormHelpers.ts b/web/src/admin/providers/ldap/LDAPProviderFormHelpers.ts
index e90255e91f..e40eb5c150 100644
--- a/web/src/admin/providers/ldap/LDAPProviderFormHelpers.ts
+++ b/web/src/admin/providers/ldap/LDAPProviderFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,9 +7,7 @@ import { LDAPSourcePropertyMapping, PropertymappingsApi } from "@goauthentik/api
 const mappingToSelect = (m: LDAPSourcePropertyMapping) => [m.pk, m.name, m.name, m];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsSourceLdapList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsSourceLdapList({
         ordering: "managed",
         pageSize: 20,
         search: search.trim(),
@@ -32,7 +30,7 @@ export function propertyMappingsSelector(instanceMappings?: string[]) {
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsSourceLdapRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/providers/ldap/LDAPProviderViewPage.ts b/web/src/admin/providers/ldap/LDAPProviderViewPage.ts
index 48a1c18dae..8141580d75 100644
--- a/web/src/admin/providers/ldap/LDAPProviderViewPage.ts
+++ b/web/src/admin/providers/ldap/LDAPProviderViewPage.ts
@@ -7,7 +7,7 @@ import "#elements/Tabs";
 import "#elements/buttons/ModalButton";
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -62,7 +62,7 @@ export class LDAPProviderViewPage extends WithSession(AKElement) {
     }
 
     fetchProvider(id: number) {
-        new ProvidersApi(DEFAULT_CONFIG)
+        aki(ProvidersApi)
             .providersLdapRetrieve({ id })
             .then((prov) => (this.provider = prov));
     }
@@ -123,13 +123,7 @@ export class LDAPProviderViewPage extends WithSession(AKElement) {
         }
 
         return html`
-            ${
-                this.provider?.outpostSet.length < 1
-                    ? html`<div slot="header" class="pf-c-banner pf-m-warning">
-                          ${msg("Warning: Provider is not used by any Outpost.")}
-                      </div>`
-                    : nothing
-            }
+            ${this.provider?.outpostSet.length < 1 ? html`<div slot="header" class="pf-c-banner pf-m-warning">${msg("Warning: Provider is not used by any Outpost.")}</div>` : nothing}
             <div class="pf-c-page__main-section pf-m-no-padding-mobile pf-l-grid pf-m-gutter">
                 <div class="pf-c-card pf-l-grid__item pf-m-12-col">
                     <div class="pf-c-card__body">
@@ -210,9 +204,7 @@ export class LDAPProviderViewPage extends WithSession(AKElement) {
                             </div>
                             <div class="pf-c-form__group">
                                 <label class="pf-c-form__label">
-                                    <span class="pf-c-form__label-text">${msg(
-                                        "Bind Password",
-                                    )}</span>
+                                    <span class="pf-c-form__label-text">${msg("Bind Password")}</span>
                                 </label>
                                 <input
                                     class="pf-c-form-control"
diff --git a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderForm.ts b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderForm.ts
index 4cc95e2532..2d86263efc 100644
--- a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderForm.ts
+++ b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderForm.ts
@@ -11,7 +11,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseProviderForm } from "#admin/providers/BaseProviderForm";
 import {
@@ -36,19 +36,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-provider-microsoft-entra-form")
 export class MicrosoftEntraProviderFormPage extends BaseProviderForm<MicrosoftEntraProvider> {
     loadInstance(pk: number): Promise<MicrosoftEntraProvider> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersMicrosoftEntraRetrieve({
+        return aki(ProvidersApi).providersMicrosoftEntraRetrieve({
             id: pk,
         });
     }
 
     async send(data: MicrosoftEntraProvider): Promise<MicrosoftEntraProvider> {
         if (this.instance) {
-            return new ProvidersApi(DEFAULT_CONFIG).providersMicrosoftEntraUpdate({
+            return aki(ProvidersApi).providersMicrosoftEntraUpdate({
                 id: this.instance.pk,
                 microsoftEntraProviderRequest: data,
             });
         }
-        return new ProvidersApi(DEFAULT_CONFIG).providersMicrosoftEntraCreate({
+        return aki(ProvidersApi).providersMicrosoftEntraCreate({
             microsoftEntraProviderRequest: data,
         });
     }
@@ -171,9 +171,7 @@ export class MicrosoftEntraProviderFormPage extends BaseProviderForm<MicrosoftEn
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(
-                                    args,
-                                );
+                                const groups = await aki(CoreApi).coreGroupsList(args);
                                 return groups.results;
                             }}
                             .renderElement=${(group: Group): string => {
diff --git a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderFormHelpers.ts b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderFormHelpers.ts
index 893c2f8bfb..d2559f2750 100644
--- a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderFormHelpers.ts
+++ b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,8 +7,8 @@ import { MicrosoftEntraProviderMapping, PropertymappingsApi } from "@goauthentik
 const mappingToSelect = (m: MicrosoftEntraProviderMapping) => [m.pk, m.name, m.name, m];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
+    const propertyMappings = await aki(
+        PropertymappingsApi,
     ).propertymappingsProviderMicrosoftEntraList({
         ordering: "managed",
         pageSize: 20,
@@ -34,7 +34,7 @@ export function propertyMappingsSelector(
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsProviderMicrosoftEntraRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderGroupList.ts b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderGroupList.ts
index 8835160b2f..791037e0f4 100644
--- a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderGroupList.ts
+++ b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderGroupList.ts
@@ -2,7 +2,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "#components/sync/SyncObjectForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -35,9 +35,7 @@ export class MicrosoftEntraProviderGroupList extends Table<MicrosoftEntraProvide
                     .provider=${this.providerId}
                     model=${SyncObjectModelEnum.AuthentikCoreModelsGroup}
                     .sync=${(data: ProvidersMicrosoftEntraSyncObjectCreateRequest) => {
-                        return new ProvidersApi(
-                            DEFAULT_CONFIG,
-                        ).providersMicrosoftEntraSyncObjectCreate(data);
+                        return aki(ProvidersApi).providersMicrosoftEntraSyncObjectCreate(data);
                     }}
                     slot="form"
                 >
@@ -53,7 +51,7 @@ export class MicrosoftEntraProviderGroupList extends Table<MicrosoftEntraProvide
             object-label=${msg("Microsoft Entra Group(s)")}
             .objects=${this.selectedElements}
             .delete=${(item: MicrosoftEntraProviderGroup) => {
-                return new ProvidersApi(DEFAULT_CONFIG).providersMicrosoftEntraGroupsDestroy({
+                return aki(ProvidersApi).providersMicrosoftEntraGroupsDestroy({
                     id: item.id,
                 });
             }}
@@ -65,7 +63,7 @@ export class MicrosoftEntraProviderGroupList extends Table<MicrosoftEntraProvide
     }
 
     async apiEndpoint(): Promise<PaginatedResponse<MicrosoftEntraProviderGroup>> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersMicrosoftEntraGroupsList({
+        return aki(ProvidersApi).providersMicrosoftEntraGroupsList({
             ...(await this.defaultEndpointConfig()),
             providerId: this.providerId,
         });
diff --git a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderPropertyMappings.ts b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderPropertyMappings.ts
index 3945eecdc6..520dbf9162 100644
--- a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderPropertyMappings.ts
+++ b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderPropertyMappings.ts
@@ -1,12 +1,12 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
 import { PropertymappingsApi, ScopeMapping } from "@goauthentik/api";
 
 export async function microsoftEntraPropertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
+    const propertyMappings = await aki(
+        PropertymappingsApi,
     ).propertymappingsProviderMicrosoftEntraList({
         ordering: "managed",
         pageSize: 20,
diff --git a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderUserList.ts b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderUserList.ts
index 5bf3416ee2..fbf8c058ef 100644
--- a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderUserList.ts
+++ b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderUserList.ts
@@ -2,7 +2,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "#components/sync/SyncObjectForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { formatUserDisplayName } from "#common/users";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
@@ -39,9 +39,7 @@ export class MicrosoftEntraProviderUserList extends Table<MicrosoftEntraProvider
                     .provider=${this.providerId}
                     model=${SyncObjectModelEnum.AuthentikCoreModelsUser}
                     .sync=${(data: ProvidersMicrosoftEntraSyncObjectCreateRequest) => {
-                        return new ProvidersApi(
-                            DEFAULT_CONFIG,
-                        ).providersMicrosoftEntraSyncObjectCreate(data);
+                        return aki(ProvidersApi).providersMicrosoftEntraSyncObjectCreate(data);
                     }}
                     slot="form"
                 >
@@ -57,7 +55,7 @@ export class MicrosoftEntraProviderUserList extends Table<MicrosoftEntraProvider
             object-label=${msg("Microsoft Entra User(s)")}
             .objects=${this.selectedElements}
             .delete=${(item: MicrosoftEntraProviderUser) => {
-                return new ProvidersApi(DEFAULT_CONFIG).providersMicrosoftEntraUsersDestroy({
+                return aki(ProvidersApi).providersMicrosoftEntraUsersDestroy({
                     id: item.id,
                 });
             }}
@@ -69,7 +67,7 @@ export class MicrosoftEntraProviderUserList extends Table<MicrosoftEntraProvider
     }
 
     async apiEndpoint(): Promise<PaginatedResponse<MicrosoftEntraProviderUser>> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersMicrosoftEntraUsersList({
+        return aki(ProvidersApi).providersMicrosoftEntraUsersList({
             ...(await this.defaultEndpointConfig()),
             providerId: this.providerId,
         });
diff --git a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderViewPage.ts b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderViewPage.ts
index 89df2e453f..9b631e1f71 100644
--- a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderViewPage.ts
+++ b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderViewPage.ts
@@ -12,7 +12,7 @@ import "#components/sync/SyncStatusCard";
 import "#elements/tasks/ScheduleList";
 import "#elements/tasks/TaskList";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -65,7 +65,7 @@ export class MicrosoftEntraProviderViewPage extends AKElement {
     }
 
     fetchProvider(id: number) {
-        new ProvidersApi(DEFAULT_CONFIG)
+        aki(ProvidersApi)
             .providersMicrosoftEntraRetrieve({ id })
             .then((prov) => (this.provider = prov));
     }
@@ -216,9 +216,7 @@ export class MicrosoftEntraProviderViewPage extends AKElement {
                 >
                     <ak-sync-status-card
                         .fetch=${() => {
-                            return new ProvidersApi(
-                                DEFAULT_CONFIG,
-                            ).providersMicrosoftEntraSyncStatusRetrieve({
+                            return aki(ProvidersApi).providersMicrosoftEntraSyncStatusRetrieve({
                                 id: this.provider?.pk || 0,
                             });
                         }}
diff --git a/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts b/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
index 263b8ef3d9..a802f95eed 100644
--- a/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
@@ -1,6 +1,6 @@
 import { renderForm } from "./OAuth2ProviderFormForm.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -14,7 +14,7 @@ import { customElement, state } from "lit/decorators.js";
 const providerToSelect = (provider: OAuth2Provider) => [provider.pk, provider.name];
 
 export async function oauth2ProvidersProvider(page = 1, search = "") {
-    const oauthProviders = await new ProvidersApi(DEFAULT_CONFIG).providersOauth2List({
+    const oauthProviders = await aki(ProvidersApi).providersOauth2List({
         ordering: "name",
         pageSize: 20,
         search: search.trim(),
@@ -36,7 +36,7 @@ export function oauth2ProviderSelector(instanceProviders: number[] | undefined)
     }
 
     return async () => {
-        const oauthSources = new ProvidersApi(DEFAULT_CONFIG);
+        const oauthSources = aki(ProvidersApi);
         const mappings = await Promise.allSettled(
             instanceProviders.map((instanceId) =>
                 oauthSources.providersOauth2Retrieve({ id: instanceId }),
@@ -82,7 +82,7 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
     ];
 
     async loadInstance(pk: number): Promise<OAuth2Provider> {
-        const provider = await new ProvidersApi(DEFAULT_CONFIG).providersOauth2Retrieve({
+        const provider = await aki(ProvidersApi).providersOauth2Retrieve({
             id: pk,
         });
         this.showClientSecret = provider.clientType === ClientTypeEnum.Confidential;
@@ -92,12 +92,12 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
 
     async send(data: OAuth2Provider): Promise<OAuth2Provider> {
         if (this.instance) {
-            return new ProvidersApi(DEFAULT_CONFIG).providersOauth2Update({
+            return aki(ProvidersApi).providersOauth2Update({
                 id: this.instance.pk,
                 oAuth2ProviderRequest: data,
             });
         }
-        return new ProvidersApi(DEFAULT_CONFIG).providersOauth2Create({
+        return aki(ProvidersApi).providersOauth2Create({
             oAuth2ProviderRequest: data,
         });
     }
diff --git a/web/src/admin/providers/oauth2/OAuth2ProviderFormHelpers.ts b/web/src/admin/providers/oauth2/OAuth2ProviderFormHelpers.ts
index 9124fd1c22..6adf1ceeec 100644
--- a/web/src/admin/providers/oauth2/OAuth2ProviderFormHelpers.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -13,9 +13,7 @@ export const defaultScopes = [
 const mappingToSelect = (s: ScopeMapping) => [s.pk, s.name, s.name, s];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsProviderScopeList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsProviderScopeList({
         ordering: "scope_name",
         pageSize: 20,
         search: search.trim(),
@@ -37,7 +35,7 @@ export function propertyMappingsSelector(instanceMappings?: string[]) {
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsProviderScopeRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts b/web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
index a32019ecdf..6640477be7 100644
--- a/web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
@@ -10,7 +10,7 @@ import "#elements/ak-mdx/index";
 import "#elements/buttons/ModalButton";
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -80,7 +80,7 @@ export function LogoutMethodToLabel(method?: OAuth2ProviderLogoutMethodEnum): st
 export class OAuth2ProviderViewPage extends AKElement {
     @property({ type: Number })
     set providerID(value: number) {
-        new ProvidersApi(DEFAULT_CONFIG)
+        aki(ProvidersApi)
             .providersOauth2Retrieve({
                 id: value,
             })
@@ -123,7 +123,7 @@ export class OAuth2ProviderViewPage extends AKElement {
     }
 
     fetchPreview(): void {
-        new ProvidersApi(DEFAULT_CONFIG)
+        aki(ProvidersApi)
             .providersOauth2PreviewUserRetrieve({
                 id: this.provider?.pk || 0,
                 forUser: this.previewUser?.pk,
@@ -144,7 +144,7 @@ export class OAuth2ProviderViewPage extends AKElement {
                     id="page-overview"
                     aria-label="${msg("Overview")}"
                     @activate=${() => {
-                        new ProvidersApi(DEFAULT_CONFIG)
+                        aki(ProvidersApi)
                             .providersOauth2SetupUrlsRetrieve({
                                 id: this.provider?.pk || 0,
                             })
@@ -438,9 +438,7 @@ export class OAuth2ProviderViewPage extends AKElement {
                                             if (query !== undefined) {
                                                 args.search = query;
                                             }
-                                            const users = await new CoreApi(
-                                                DEFAULT_CONFIG,
-                                            ).coreUsersList(args);
+                                            const users = await aki(CoreApi).coreUsersList(args);
                                             return users.results;
                                         }}
                                         .renderElement=${(user: User): string => {
diff --git a/web/src/admin/providers/oauth2/OAuth2ProvidersProvider.ts b/web/src/admin/providers/oauth2/OAuth2ProvidersProvider.ts
index e880648425..a8eac3729d 100644
--- a/web/src/admin/providers/oauth2/OAuth2ProvidersProvider.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProvidersProvider.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair, DualSelectPairSource } from "#elements/ak-dual-select/types";
 
@@ -12,7 +12,7 @@ const providerToSelect = (provider: OAuth2Provider): DualSelectPair<OAuth2Provid
 ];
 
 export async function oauth2ProvidersProvider(page = 1, search = "") {
-    const oauthProviders = await new ProvidersApi(DEFAULT_CONFIG).providersOauth2List({
+    const oauthProviders = await aki(ProvidersApi).providersOauth2List({
         ordering: "name",
         pageSize: 20,
         search: search.trim(),
@@ -33,7 +33,7 @@ export function oauth2ProvidersSelector(
     }
 
     const fetchOauth2Providers: DualSelectPairSource = async () => {
-        const oauthSources = new ProvidersApi(DEFAULT_CONFIG);
+        const oauthSources = aki(ProvidersApi);
         const mappings = await Promise.allSettled(
             instanceProviders.map((instanceId) =>
                 oauthSources.providersOauth2Retrieve({ id: instanceId }),
diff --git a/web/src/admin/providers/oauth2/OAuth2Sources.ts b/web/src/admin/providers/oauth2/OAuth2Sources.ts
index ed6bfd16ca..f446567d3f 100644
--- a/web/src/admin/providers/oauth2/OAuth2Sources.ts
+++ b/web/src/admin/providers/oauth2/OAuth2Sources.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair, DualSelectPairSource } from "#elements/ak-dual-select/types";
 
@@ -12,7 +12,7 @@ const sourceToSelect = (source: OAuthSource): DualSelectPair<OAuthSource> => [
 ];
 
 export async function oauth2SourcesProvider(page = 1, search = "") {
-    const oauthSources = await new SourcesApi(DEFAULT_CONFIG).sourcesOauthList({
+    const oauthSources = await aki(SourcesApi).sourcesOauthList({
         ordering: "name",
         hasJwks: true,
         pageSize: 20,
@@ -32,7 +32,7 @@ export function oauth2SourcesSelector(instanceMappings?: string[]): DualSelectPa
     }
 
     const fetchAvailableOauth2Sources: DualSelectPairSource = async () => {
-        const oauthSources = new SourcesApi(DEFAULT_CONFIG);
+        const oauthSources = aki(SourcesApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 oauthSources.sourcesOauthList({ pbmUuid: instanceId }),
diff --git a/web/src/admin/providers/proxy/ProxyProviderForm.ts b/web/src/admin/providers/proxy/ProxyProviderForm.ts
index f706bdfde1..dc59902677 100644
--- a/web/src/admin/providers/proxy/ProxyProviderForm.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderForm.ts
@@ -3,7 +3,7 @@ import "#admin/common/ak-flow-search/ak-flow-search";
 
 import { renderForm, SetMode, SetShowHttpBasic } from "./ProxyProviderFormForm.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseProviderForm } from "#admin/providers/BaseProviderForm";
 
@@ -21,7 +21,7 @@ export class ProxyProviderFormPage extends BaseProviderForm<ProxyProvider> {
     static styles: CSSResult[] = [...super.styles, PFContent, PFList, PFSpacing];
 
     async loadInstance(pk: number): Promise<ProxyProvider> {
-        const provider = await new ProvidersApi(DEFAULT_CONFIG).providersProxyRetrieve({
+        const provider = await aki(ProvidersApi).providersProxyRetrieve({
             id: pk,
         });
         this.showHttpBasic = provider.basicAuthEnabled ?? true;
@@ -48,12 +48,12 @@ export class ProxyProviderFormPage extends BaseProviderForm<ProxyProvider> {
             data.cookieDomain = "";
         }
         if (this.instance) {
-            return new ProvidersApi(DEFAULT_CONFIG).providersProxyUpdate({
+            return aki(ProvidersApi).providersProxyUpdate({
                 id: this.instance.pk,
                 proxyProviderRequest: data,
             });
         }
-        return new ProvidersApi(DEFAULT_CONFIG).providersProxyCreate({
+        return aki(ProvidersApi).providersProxyCreate({
             proxyProviderRequest: data,
         });
     }
diff --git a/web/src/admin/providers/proxy/ProxyProviderFormHelpers.ts b/web/src/admin/providers/proxy/ProxyProviderFormHelpers.ts
index a22ba4ccfa..adab3386c2 100644
--- a/web/src/admin/providers/proxy/ProxyProviderFormHelpers.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderFormHelpers.ts
@@ -1,13 +1,11 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PropertymappingsApi, ScopeMapping } from "@goauthentik/api";
 
 const mappingToSelect = (s: ScopeMapping) => [s.pk, s.name, s.name, s];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsProviderScopeList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsProviderScopeList({
         ordering: "scope_name",
         pageSize: 20,
         search: search.trim(),
@@ -25,7 +23,7 @@ export function propertyMappingsSelector(instanceMappings?: string[]) {
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsProviderScopeRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/providers/proxy/ProxyProviderViewPage.ts b/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
index fd198a1b1d..103cb2d3ae 100644
--- a/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
@@ -9,7 +9,7 @@ import "#elements/ak-mdx/index";
 import "#elements/buttons/ModalButton";
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import type { Replacer } from "#elements/ak-mdx/index";
@@ -105,7 +105,7 @@ export class ProxyProviderViewPage extends AKElement {
     }
 
     fetchProvider(id: number) {
-        new ProvidersApi(DEFAULT_CONFIG)
+        aki(ProvidersApi)
             .providersProxyRetrieve({ id })
             .then((prov) => (this.provider = prov));
     }
diff --git a/web/src/admin/providers/rac/ConnectionTokenList.ts b/web/src/admin/providers/rac/ConnectionTokenList.ts
index 3f6eb85999..d4ea90885c 100644
--- a/web/src/admin/providers/rac/ConnectionTokenList.ts
+++ b/web/src/admin/providers/rac/ConnectionTokenList.ts
@@ -3,7 +3,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -35,7 +35,7 @@ export class ConnectionTokenListPage extends Table<ConnectionToken> {
     static styles: CSSResult[] = [...super.styles, PFDescriptionList];
 
     async apiEndpoint(): Promise<PaginatedResponse<ConnectionToken>> {
-        return new RacApi(DEFAULT_CONFIG).racConnectionTokensList({
+        return aki(RacApi).racConnectionTokensList({
             ...(await this.defaultEndpointConfig()),
             provider: this.provider?.pk,
             sessionUser: this.userId,
@@ -54,12 +54,12 @@ export class ConnectionTokenListPage extends Table<ConnectionToken> {
                 ];
             }}
             .usedBy=${(item: ConnectionToken) => {
-                return new RacApi(DEFAULT_CONFIG).racConnectionTokensUsedByList({
+                return aki(RacApi).racConnectionTokensUsedByList({
                     connectionTokenUuid: item.pk || "",
                 });
             }}
             .delete=${(item: ConnectionToken) => {
-                return new RacApi(DEFAULT_CONFIG).racConnectionTokensDestroy({
+                return aki(RacApi).racConnectionTokensDestroy({
                     connectionTokenUuid: item.pk || "",
                 });
             }}
diff --git a/web/src/admin/providers/rac/EndpointForm.ts b/web/src/admin/providers/rac/EndpointForm.ts
index 2015ae0b71..fb921ef58a 100644
--- a/web/src/admin/providers/rac/EndpointForm.ts
+++ b/web/src/admin/providers/rac/EndpointForm.ts
@@ -8,7 +8,7 @@ import "#elements/forms/HorizontalFormElement";
 
 import { propertyMappingsProvider, propertyMappingsSelector } from "./RACProviderFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 import { SlottedTemplateResult } from "#elements/types";
@@ -31,7 +31,7 @@ export class EndpointForm extends ModelForm<Endpoint, string> {
     public providerID: number | null = null;
 
     protected override loadInstance(pk: string): Promise<Endpoint> {
-        return new RacApi(DEFAULT_CONFIG).racEndpointsRetrieve({
+        return aki(RacApi).racEndpointsRetrieve({
             pbmUuid: pk,
         });
     }
@@ -50,12 +50,12 @@ export class EndpointForm extends ModelForm<Endpoint, string> {
             data.provider = this.instance.provider;
         }
         if (this.instance) {
-            return new RacApi(DEFAULT_CONFIG).racEndpointsPartialUpdate({
+            return aki(RacApi).racEndpointsPartialUpdate({
                 pbmUuid: this.instance.pk || "",
                 patchedEndpointRequest: data,
             });
         }
-        return new RacApi(DEFAULT_CONFIG).racEndpointsCreate({
+        return aki(RacApi).racEndpointsCreate({
             endpointRequest: data,
         });
     }
diff --git a/web/src/admin/providers/rac/EndpointList.ts b/web/src/admin/providers/rac/EndpointList.ts
index 00bc14a456..0ed1a8a068 100644
--- a/web/src/admin/providers/rac/EndpointList.ts
+++ b/web/src/admin/providers/rac/EndpointList.ts
@@ -6,7 +6,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButton, ModalInvokerButton } from "#elements/dialogs";
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
@@ -40,7 +40,7 @@ export class EndpointListPage extends Table<Endpoint> {
     public provider: RACProvider | null = null;
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<Endpoint>> {
-        return new RacApi(DEFAULT_CONFIG).racEndpointsList({
+        return aki(RacApi).racEndpointsList({
             ...(await this.defaultEndpointConfig()),
             provider: this.provider?.pk,
             superuserFullList: true,
@@ -65,12 +65,12 @@ export class EndpointListPage extends Table<Endpoint> {
                 ];
             }}
             .usedBy=${(item: Endpoint) => {
-                return new RacApi(DEFAULT_CONFIG).racEndpointsUsedByList({
+                return aki(RacApi).racEndpointsUsedByList({
                     pbmUuid: item.pk,
                 });
             }}
             .delete=${(item: Endpoint) => {
-                return new RacApi(DEFAULT_CONFIG).racEndpointsDestroy({
+                return aki(RacApi).racEndpointsDestroy({
                     pbmUuid: item.pk,
                 });
             }}
diff --git a/web/src/admin/providers/rac/RACProviderForm.ts b/web/src/admin/providers/rac/RACProviderForm.ts
index 7842ffa486..bd76fee36e 100644
--- a/web/src/admin/providers/rac/RACProviderForm.ts
+++ b/web/src/admin/providers/rac/RACProviderForm.ts
@@ -13,7 +13,7 @@ import "#elements/utils/TimeDeltaHelp";
 
 import { propertyMappingsProvider, propertyMappingsSelector } from "./RACProviderFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 
@@ -31,7 +31,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-provider-rac-form")
 export class RACProviderFormPage extends ModelForm<RACProvider, number> {
     async loadInstance(pk: number): Promise<RACProvider> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersRacRetrieve({
+        return aki(ProvidersApi).providersRacRetrieve({
             id: pk,
         });
     }
@@ -45,12 +45,12 @@ export class RACProviderFormPage extends ModelForm<RACProvider, number> {
 
     async send(data: RACProvider): Promise<RACProvider> {
         if (this.instance) {
-            return new ProvidersApi(DEFAULT_CONFIG).providersRacUpdate({
+            return aki(ProvidersApi).providersRacUpdate({
                 id: this.instance.pk,
                 rACProviderRequest: data,
             });
         }
-        return new ProvidersApi(DEFAULT_CONFIG).providersRacCreate({
+        return aki(ProvidersApi).providersRacCreate({
             rACProviderRequest: data,
         });
     }
diff --git a/web/src/admin/providers/rac/RACProviderFormHelpers.ts b/web/src/admin/providers/rac/RACProviderFormHelpers.ts
index 3d9bb02a49..cb84359961 100644
--- a/web/src/admin/providers/rac/RACProviderFormHelpers.ts
+++ b/web/src/admin/providers/rac/RACProviderFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,9 +7,7 @@ import { PropertymappingsApi, RACPropertyMapping } from "@goauthentik/api";
 const mappingToSelect = (m: RACPropertyMapping) => [m.pk, m.name, m.name, m];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsProviderRacList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsProviderRacList({
         ordering: "name",
         pageSize: 20,
         search: search.trim(),
@@ -27,7 +25,7 @@ export function propertyMappingsSelector(instanceMappings?: string[]) {
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsProviderRacRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/providers/rac/RACProviderViewPage.ts b/web/src/admin/providers/rac/RACProviderViewPage.ts
index 0106c026dd..fd403ef025 100644
--- a/web/src/admin/providers/rac/RACProviderViewPage.ts
+++ b/web/src/admin/providers/rac/RACProviderViewPage.ts
@@ -11,7 +11,7 @@ import "#elements/Tabs";
 import "#elements/buttons/ModalButton";
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -64,7 +64,7 @@ export class RACProviderViewPage extends AKElement {
     }
 
     protected fetchProvider(id: number) {
-        return new ProvidersApi(DEFAULT_CONFIG)
+        return aki(ProvidersApi)
             .providersRacRetrieve({ id })
             .then((prov) => (this.provider = prov));
     }
diff --git a/web/src/admin/providers/radius/RadiusProviderForm.ts b/web/src/admin/providers/radius/RadiusProviderForm.ts
index f051573295..71b4936eda 100644
--- a/web/src/admin/providers/radius/RadiusProviderForm.ts
+++ b/web/src/admin/providers/radius/RadiusProviderForm.ts
@@ -1,6 +1,6 @@
 import { renderForm } from "./RadiusProviderFormForm.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { WithBrandConfig } from "#elements/mixins/branding";
 
@@ -18,19 +18,19 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-provider-radius-form")
 export class RadiusProviderFormPage extends WithBrandConfig(BaseProviderForm<RadiusProvider>) {
     loadInstance(pk: number): Promise<RadiusProvider> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersRadiusRetrieve({
+        return aki(ProvidersApi).providersRadiusRetrieve({
             id: pk,
         });
     }
 
     async send(data: RadiusProvider): Promise<RadiusProvider> {
         if (this.instance) {
-            return new ProvidersApi(DEFAULT_CONFIG).providersRadiusUpdate({
+            return aki(ProvidersApi).providersRadiusUpdate({
                 id: this.instance.pk,
                 radiusProviderRequest: data,
             });
         }
-        return new ProvidersApi(DEFAULT_CONFIG).providersRadiusCreate({
+        return aki(ProvidersApi).providersRadiusCreate({
             radiusProviderRequest: data,
         });
     }
diff --git a/web/src/admin/providers/radius/RadiusProviderFormHelpers.ts b/web/src/admin/providers/radius/RadiusProviderFormHelpers.ts
index 45ee93b776..084c573a2d 100644
--- a/web/src/admin/providers/radius/RadiusProviderFormHelpers.ts
+++ b/web/src/admin/providers/radius/RadiusProviderFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,9 +7,7 @@ import { PropertymappingsApi, RadiusProviderPropertyMapping } from "@goauthentik
 const mappingToSelect = (m: RadiusProviderPropertyMapping) => [m.pk, m.name, m.name, m];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsProviderRadiusList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsProviderRadiusList({
         ordering: "name",
         pageSize: 20,
         search: search.trim(),
@@ -27,7 +25,7 @@ export function propertyMappingsSelector(instanceMappings?: string[]) {
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsProviderRadiusRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/providers/radius/RadiusProviderViewPage.ts b/web/src/admin/providers/radius/RadiusProviderViewPage.ts
index 0cc08020b3..43daebe6c1 100644
--- a/web/src/admin/providers/radius/RadiusProviderViewPage.ts
+++ b/web/src/admin/providers/radius/RadiusProviderViewPage.ts
@@ -7,7 +7,7 @@ import "#elements/Tabs";
 import "#elements/buttons/ModalButton";
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -56,7 +56,7 @@ export class RadiusProviderViewPage extends AKElement {
     }
 
     fetchProvider(id: number) {
-        new ProvidersApi(DEFAULT_CONFIG)
+        aki(ProvidersApi)
             .providersRadiusRetrieve({ id })
             .then((prov) => (this.provider = prov));
     }
diff --git a/web/src/admin/providers/saml/SAMLProviderForm.ts b/web/src/admin/providers/saml/SAMLProviderForm.ts
index e946ad08a7..3d691f8f38 100644
--- a/web/src/admin/providers/saml/SAMLProviderForm.ts
+++ b/web/src/admin/providers/saml/SAMLProviderForm.ts
@@ -1,6 +1,6 @@
 import { renderForm } from "./SAMLProviderFormForm.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { type AkCryptoCertificateSearch } from "#admin/common/ak-crypto-certificate-search";
 import { BaseProviderForm } from "#admin/providers/BaseProviderForm";
@@ -42,7 +42,7 @@ export class SAMLProviderFormPage extends BaseProviderForm<SAMLProvider> {
     protected signingKeyType: KeyTypeEnum | null = null;
 
     async loadInstance(pk: number): Promise<SAMLProvider> {
-        const provider = await new ProvidersApi(DEFAULT_CONFIG).providersSamlRetrieve({
+        const provider = await aki(ProvidersApi).providersSamlRetrieve({
             id: pk,
         });
         this.hasSigningKp = !!provider.signingKp;
@@ -62,12 +62,12 @@ export class SAMLProviderFormPage extends BaseProviderForm<SAMLProvider> {
         }
 
         if (this.instance) {
-            return new ProvidersApi(DEFAULT_CONFIG).providersSamlUpdate({
+            return aki(ProvidersApi).providersSamlUpdate({
                 id: this.instance.pk,
                 sAMLProviderRequest: data,
             });
         }
-        return new ProvidersApi(DEFAULT_CONFIG).providersSamlCreate({
+        return aki(ProvidersApi).providersSamlCreate({
             sAMLProviderRequest: data,
         });
     }
diff --git a/web/src/admin/providers/saml/SAMLProviderFormForm.ts b/web/src/admin/providers/saml/SAMLProviderFormForm.ts
index 28508a289e..1437348d23 100644
--- a/web/src/admin/providers/saml/SAMLProviderFormForm.ts
+++ b/web/src/admin/providers/saml/SAMLProviderFormForm.ts
@@ -20,7 +20,7 @@ import {
     SAMLSupportedKeyTypes,
 } from "./SAMLProviderOptions.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { RadioOption } from "#elements/forms/Radio";
 
@@ -315,9 +315,10 @@ export function renderForm({
                             if (query !== undefined) {
                                 args.search = query;
                             }
-                            const items = await new PropertymappingsApi(
-                                DEFAULT_CONFIG,
-                            ).propertymappingsProviderSamlList(args);
+                            const items =
+                                await aki(PropertymappingsApi).propertymappingsProviderSamlList(
+                                    args,
+                                );
                             return items.results;
                         }}
                         .renderElement=${(item: SAMLPropertyMapping): string => {
@@ -350,9 +351,10 @@ export function renderForm({
                             if (query !== undefined) {
                                 args.search = query;
                             }
-                            const items = await new PropertymappingsApi(
-                                DEFAULT_CONFIG,
-                            ).propertymappingsProviderSamlList(args);
+                            const items =
+                                await aki(PropertymappingsApi).propertymappingsProviderSamlList(
+                                    args,
+                                );
                             return items.results;
                         }}
                         .renderElement=${(item: SAMLPropertyMapping): string => {
diff --git a/web/src/admin/providers/saml/SAMLProviderFormHelpers.ts b/web/src/admin/providers/saml/SAMLProviderFormHelpers.ts
index f61c4ed605..0baa8456fd 100644
--- a/web/src/admin/providers/saml/SAMLProviderFormHelpers.ts
+++ b/web/src/admin/providers/saml/SAMLProviderFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,9 +7,7 @@ import { PropertymappingsApi, SAMLPropertyMapping } from "@goauthentik/api";
 const mappingToSelect = (m: SAMLPropertyMapping) => [m.pk, m.name, m.name, m];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsProviderSamlList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsProviderSamlList({
         ordering: "saml_name",
         pageSize: 20,
         search: search.trim(),
@@ -30,7 +28,7 @@ export function propertyMappingsSelector(instanceMappings?: string[]) {
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsProviderSamlRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/providers/saml/SAMLProviderImportForm.ts b/web/src/admin/providers/saml/SAMLProviderImportForm.ts
index 1aff41c4ce..f8eb8bb02a 100644
--- a/web/src/admin/providers/saml/SAMLProviderImportForm.ts
+++ b/web/src/admin/providers/saml/SAMLProviderImportForm.ts
@@ -1,6 +1,6 @@
 import { renderForm } from "./SAMLProviderImportFormForm.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { SentryIgnoredError } from "#common/sentry/index";
 
 import { Form } from "#elements/forms/Form";
@@ -21,7 +21,7 @@ export class SAMLProviderImportForm extends Form<SAMLProvider> {
         if (!file) {
             throw new SentryIgnoredError("No form data");
         }
-        return new ProvidersApi(DEFAULT_CONFIG).providersSamlImportMetadataCreate({
+        return aki(ProvidersApi).providersSamlImportMetadataCreate({
             file: file,
             name: data.name,
             authorizationFlow: data.authorizationFlow || "",
diff --git a/web/src/admin/providers/saml/SAMLProviderViewPage.ts b/web/src/admin/providers/saml/SAMLProviderViewPage.ts
index e7e64b1597..217991d82c 100644
--- a/web/src/admin/providers/saml/SAMLProviderViewPage.ts
+++ b/web/src/admin/providers/saml/SAMLProviderViewPage.ts
@@ -11,7 +11,7 @@ import "#elements/buttons/SpinnerButton/index";
 
 import { logoutMethodLabel } from "./SAMLProviderOptions.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 import { MessageLevel } from "#common/messages";
 
@@ -102,7 +102,7 @@ export class SAMLProviderViewPage extends AKElement {
     }
 
     fetchPreview(): void {
-        new ProvidersApi(DEFAULT_CONFIG)
+        aki(ProvidersApi)
             .providersSamlPreviewUserRetrieve({
                 id: this.provider?.pk || 0,
                 forUser: this.previewUser?.pk,
@@ -113,7 +113,7 @@ export class SAMLProviderViewPage extends AKElement {
     }
 
     fetchCertificate(kpUuid: string) {
-        return new CryptoApi(DEFAULT_CONFIG).cryptoCertificatekeypairsRetrieve({ kpUuid });
+        return aki(CryptoApi).cryptoCertificatekeypairsRetrieve({ kpUuid });
     }
 
     fetchSigningCertificate(kpUuid: string) {
@@ -131,21 +131,23 @@ export class SAMLProviderViewPage extends AKElement {
     }
 
     fetchProvider(id: number) {
-        new ProvidersApi(DEFAULT_CONFIG).providersSamlRetrieve({ id }).then((prov) => {
-            this.provider = prov;
-            // Clear existing signing certificate if the provider has none
-            if (!this.provider.signingKp) {
-                this.signer = null;
-            } else {
-                this.fetchSigningCertificate(this.provider.signingKp);
-            }
-            // Clear existing verification certificate if the provider has none
-            if (!this.provider.verificationKp) {
-                this.verifier = null;
-            } else {
-                this.fetchVerificationCertificate(this.provider.verificationKp);
-            }
-        });
+        aki(ProvidersApi)
+            .providersSamlRetrieve({ id })
+            .then((prov) => {
+                this.provider = prov;
+                // Clear existing signing certificate if the provider has none
+                if (!this.provider.signingKp) {
+                    this.signer = null;
+                } else {
+                    this.fetchSigningCertificate(this.provider.signingKp);
+                }
+                // Clear existing verification certificate if the provider has none
+                if (!this.provider.verificationKp) {
+                    this.verifier = null;
+                } else {
+                    this.fetchVerificationCertificate(this.provider.verificationKp);
+                }
+            });
     }
 
     willUpdate(changedProperties: PropertyValues<this>) {
@@ -292,13 +294,7 @@ export class SAMLProviderViewPage extends AKElement {
         if (!this.provider) {
             return nothing;
         }
-        return html`${
-            this.provider?.assignedApplicationName
-                ? nothing
-                : html`<div slot="header" class="pf-c-banner pf-m-warning">
-                      ${msg("Warning: Provider is not used by an Application.")}
-                  </div>`
-        }
+        return html`${this.provider?.assignedApplicationName ? nothing : html`<div slot="header" class="pf-c-banner pf-m-warning">${msg("Warning: Provider is not used by an Application.")}</div>`}
             <div class="pf-c-page__main-section pf-m-no-padding-mobile pf-l-grid pf-m-gutter">
                 <div class="pf-c-card pf-l-grid__item pf-m-12-col">
                     <div class="pf-c-card__body">
@@ -329,9 +325,7 @@ export class SAMLProviderViewPage extends AKElement {
                             </div>
                             <div class="pf-c-description-list__group">
                                 <dt class="pf-c-description-list__term">
-                                    <span class="pf-c-description-list__text">${msg(
-                                        "Audience",
-                                    )}</span>
+                                    <span class="pf-c-description-list__text">${msg("Audience")}</span>
                                 </dt>
                                 <dd class="pf-c-description-list__description">
                                     <div class="pf-c-description-list__text">
@@ -341,9 +335,7 @@ export class SAMLProviderViewPage extends AKElement {
                             </div>
                             <div class="pf-c-description-list__group">
                                 <dt class="pf-c-description-list__term">
-                                    <span class="pf-c-description-list__text">${msg(
-                                        "ACS URL",
-                                    )}</span>
+                                    <span class="pf-c-description-list__text">${msg("ACS URL")}</span>
                                 </dt>
                                 <dd class="pf-c-description-list__description">
                                     <div class="pf-c-description-list__text">
@@ -353,9 +345,7 @@ export class SAMLProviderViewPage extends AKElement {
                             </div>
                             <div class="pf-c-description-list__group">
                                 <dt class="pf-c-description-list__term">
-                                    <span class="pf-c-description-list__text">${msg(
-                                        "SLS URL",
-                                    )}</span>
+                                    <span class="pf-c-description-list__text">${msg("SLS URL")}</span>
                                 </dt>
                                 <dd class="pf-c-description-list__description">
                                     <div class="pf-c-description-list__text">
@@ -365,9 +355,7 @@ export class SAMLProviderViewPage extends AKElement {
                             </div>
                             <div class="pf-c-description-list__group">
                                 <dt class="pf-c-description-list__term">
-                                    <span class="pf-c-description-list__text">${msg(
-                                        "Logout Method",
-                                    )}</span>
+                                    <span class="pf-c-description-list__text">${msg("Logout Method")}</span>
                                 </dt>
                                 <dd class="pf-c-description-list__description">
                                     <div class="pf-c-description-list__text">
@@ -462,7 +450,7 @@ export class SAMLProviderViewPage extends AKElement {
                       id="page-metadata"
                       aria-label="${msg("Metadata")}"
                       @activate=${() => {
-                          new ProvidersApi(DEFAULT_CONFIG)
+                          aki(ProvidersApi)
                               .providersSamlMetadataRetrieve({
                                   id: this.provider?.pk || 0,
                               })
@@ -538,9 +526,7 @@ export class SAMLProviderViewPage extends AKElement {
                                         if (query !== undefined) {
                                             args.search = query;
                                         }
-                                        const users = await new CoreApi(
-                                            DEFAULT_CONFIG,
-                                        ).coreUsersList(args);
+                                        const users = await aki(CoreApi).coreUsersList(args);
                                         return users.results;
                                     }}
                                     .renderElement=${(user: User): string => {
diff --git a/web/src/admin/providers/scim/SCIMProviderForm.ts b/web/src/admin/providers/scim/SCIMProviderForm.ts
index f82d28a998..ef7368a935 100644
--- a/web/src/admin/providers/scim/SCIMProviderForm.ts
+++ b/web/src/admin/providers/scim/SCIMProviderForm.ts
@@ -1,6 +1,6 @@
 import { renderForm } from "./SCIMProviderFormForm.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseProviderForm } from "#admin/providers/BaseProviderForm";
 
@@ -11,19 +11,19 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-provider-scim-form")
 export class SCIMProviderFormPage extends BaseProviderForm<SCIMProvider> {
     loadInstance(pk: number): Promise<SCIMProvider> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersScimRetrieve({
+        return aki(ProvidersApi).providersScimRetrieve({
             id: pk,
         });
     }
 
     async send(data: SCIMProvider): Promise<SCIMProvider> {
         if (this.instance?.pk) {
-            return new ProvidersApi(DEFAULT_CONFIG).providersScimUpdate({
+            return aki(ProvidersApi).providersScimUpdate({
                 id: this.instance.pk,
                 sCIMProviderRequest: data,
             });
         }
-        return new ProvidersApi(DEFAULT_CONFIG).providersScimCreate({
+        return aki(ProvidersApi).providersScimCreate({
             sCIMProviderRequest: data,
         });
     }
diff --git a/web/src/admin/providers/scim/SCIMProviderFormForm.ts b/web/src/admin/providers/scim/SCIMProviderFormForm.ts
index f857b5df0f..67fa0896f9 100644
--- a/web/src/admin/providers/scim/SCIMProviderFormForm.ts
+++ b/web/src/admin/providers/scim/SCIMProviderFormForm.ts
@@ -19,7 +19,7 @@ import {
     propertyMappingsSelector,
 } from "./SCIMProviderFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import {
     CompatibilityModeEnum,
@@ -59,7 +59,7 @@ export function renderAuthOAuth(provider?: Partial<SCIMProvider>, _errors: Valid
                     if (query !== undefined) {
                         args.search = query;
                     }
-                    const sources = await new SourcesApi(DEFAULT_CONFIG).sourcesOauthList(args);
+                    const sources = await aki(SourcesApi).sourcesOauthList(args);
                     return sources.results;
                 }}
                 .renderElement=${(source: OAuthSource): string => {
diff --git a/web/src/admin/providers/scim/SCIMProviderFormHelpers.ts b/web/src/admin/providers/scim/SCIMProviderFormHelpers.ts
index 36f653bfd2..22fc7407ad 100644
--- a/web/src/admin/providers/scim/SCIMProviderFormHelpers.ts
+++ b/web/src/admin/providers/scim/SCIMProviderFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -8,9 +8,7 @@ const mappingToSelect = (m: SCIMMapping) => [m.pk, m.name, m.name, m];
 const groupToSelect = (g: Group) => [g.pk, g.name, g.name, g];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsProviderScimList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsProviderScimList({
         ordering: "managed",
         pageSize: 20,
         search: search.trim(),
@@ -35,7 +33,7 @@ export function propertyMappingsSelector(
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsProviderScimRetrieve({ pmUuid: instanceId }),
@@ -50,7 +48,7 @@ export function propertyMappingsSelector(
 }
 
 export async function groupsProvider(page = 1, search = "") {
-    const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList({
+    const groups = await aki(CoreApi).coreGroupsList({
         ordering: "name",
         includeUsers: false,
         pageSize: 20,
@@ -80,7 +78,7 @@ export function groupsSelector(
     return async () => {
         const groups = await Promise.allSettled(
             instanceGroups.map((groupId) =>
-                new CoreApi(DEFAULT_CONFIG).coreGroupsRetrieve({ groupUuid: groupId }),
+                aki(CoreApi).coreGroupsRetrieve({ groupUuid: groupId }),
             ),
         );
 
diff --git a/web/src/admin/providers/scim/SCIMProviderGroupList.ts b/web/src/admin/providers/scim/SCIMProviderGroupList.ts
index 90b3f9eb45..0f682d2a5f 100644
--- a/web/src/admin/providers/scim/SCIMProviderGroupList.ts
+++ b/web/src/admin/providers/scim/SCIMProviderGroupList.ts
@@ -3,7 +3,7 @@ import "#elements/forms/ModalForm";
 import "#components/sync/SyncObjectForm";
 import "#admin/common/ak-flow-search/ak-flow-search-no-default";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -38,7 +38,7 @@ export class SCIMProviderGroupList extends Table<SCIMProviderGroup> {
                     .provider=${this.providerId}
                     model=${SyncObjectModelEnum.AuthentikCoreModelsGroup}
                     .sync=${(data: ProvidersScimSyncObjectCreateRequest) => {
-                        return new ProvidersApi(DEFAULT_CONFIG).providersScimSyncObjectCreate(data);
+                        return aki(ProvidersApi).providersScimSyncObjectCreate(data);
                     }}
                     slot="form"
                 >
@@ -54,7 +54,7 @@ export class SCIMProviderGroupList extends Table<SCIMProviderGroup> {
             object-label=${msg("SCIM Group(s)")}
             .objects=${this.selectedElements}
             .delete=${(item: SCIMProviderGroup) => {
-                return new ProvidersApi(DEFAULT_CONFIG).providersScimGroupsDestroy({
+                return aki(ProvidersApi).providersScimGroupsDestroy({
                     id: item.id,
                 });
             }}
@@ -66,7 +66,7 @@ export class SCIMProviderGroupList extends Table<SCIMProviderGroup> {
     }
 
     async apiEndpoint(): Promise<PaginatedResponse<SCIMProviderGroup>> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersScimGroupsList({
+        return aki(ProvidersApi).providersScimGroupsList({
             ...(await this.defaultEndpointConfig()),
             providerId: this.providerId,
         });
diff --git a/web/src/admin/providers/scim/SCIMProviderUserList.ts b/web/src/admin/providers/scim/SCIMProviderUserList.ts
index d137c1ac9c..28597d52d2 100644
--- a/web/src/admin/providers/scim/SCIMProviderUserList.ts
+++ b/web/src/admin/providers/scim/SCIMProviderUserList.ts
@@ -3,7 +3,7 @@ import "#elements/forms/ModalForm";
 import "#components/sync/SyncObjectForm";
 import "#admin/common/ak-flow-search/ak-flow-search-no-default";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { formatUserDisplayName } from "#common/users";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
@@ -39,7 +39,7 @@ export class SCIMProviderUserList extends Table<SCIMProviderUser> {
                     .provider=${this.providerId}
                     model=${SyncObjectModelEnum.AuthentikCoreModelsUser}
                     .sync=${(data: ProvidersScimSyncObjectCreateRequest) => {
-                        return new ProvidersApi(DEFAULT_CONFIG).providersScimSyncObjectCreate(data);
+                        return aki(ProvidersApi).providersScimSyncObjectCreate(data);
                     }}
                     slot="form"
                 >
@@ -55,7 +55,7 @@ export class SCIMProviderUserList extends Table<SCIMProviderUser> {
             object-label=${msg("SCIM User(s)")}
             .objects=${this.selectedElements}
             .delete=${(item: SCIMProviderUser) => {
-                return new ProvidersApi(DEFAULT_CONFIG).providersScimUsersDestroy({
+                return aki(ProvidersApi).providersScimUsersDestroy({
                     id: item.id,
                 });
             }}
@@ -67,7 +67,7 @@ export class SCIMProviderUserList extends Table<SCIMProviderUser> {
     }
 
     async apiEndpoint(): Promise<PaginatedResponse<SCIMProviderUser>> {
-        return new ProvidersApi(DEFAULT_CONFIG).providersScimUsersList({
+        return aki(ProvidersApi).providersScimUsersList({
             ...(await this.defaultEndpointConfig()),
             providerId: this.providerId,
         });
diff --git a/web/src/admin/providers/scim/SCIMProviderViewPage.ts b/web/src/admin/providers/scim/SCIMProviderViewPage.ts
index ab80988bc6..0ec298933c 100644
--- a/web/src/admin/providers/scim/SCIMProviderViewPage.ts
+++ b/web/src/admin/providers/scim/SCIMProviderViewPage.ts
@@ -15,7 +15,7 @@ import "#elements/tasks/ScheduleList";
 import "#elements/tasks/TaskList";
 import "#elements/timestamp/ak-timestamp";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -79,7 +79,7 @@ export class SCIMProviderViewPage extends AKElement {
     }
 
     fetchProvider(id: number) {
-        new ProvidersApi(DEFAULT_CONFIG)
+        aki(ProvidersApi)
             .providersScimRetrieve({ id })
             .then((prov) => (this.provider = prov));
     }
@@ -302,11 +302,9 @@ export class SCIMProviderViewPage extends AKElement {
                         : nothing}
                     <ak-sync-status-card
                         .fetch=${() => {
-                            return new ProvidersApi(DEFAULT_CONFIG).providersScimSyncStatusRetrieve(
-                                {
-                                    id: this.provider?.pk || 0,
-                                },
-                            );
+                            return aki(ProvidersApi).providersScimSyncStatusRetrieve({
+                                id: this.provider?.pk || 0,
+                            });
                         }}
                     >
                         ${this.renderSyncStatusExtra()}
diff --git a/web/src/admin/providers/ssf/SSFProviderFormPage.ts b/web/src/admin/providers/ssf/SSFProviderFormPage.ts
index 7aaa7f3c5d..15a3aeca9b 100644
--- a/web/src/admin/providers/ssf/SSFProviderFormPage.ts
+++ b/web/src/admin/providers/ssf/SSFProviderFormPage.ts
@@ -8,7 +8,7 @@ import "#elements/forms/SearchSelect/index";
 import "#elements/utils/TimeDeltaHelp";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ifPresent } from "#elements/utils/attributes";
 
@@ -35,7 +35,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-provider-ssf-form")
 export class SSFProviderFormPage extends BaseProviderForm<SSFProvider> {
     async loadInstance(pk: number): Promise<SSFProvider> {
-        const provider = await new ProvidersApi(DEFAULT_CONFIG).providersSsfRetrieve({
+        const provider = await aki(ProvidersApi).providersSsfRetrieve({
             id: pk,
         });
         return provider;
@@ -43,12 +43,12 @@ export class SSFProviderFormPage extends BaseProviderForm<SSFProvider> {
 
     async send(data: SSFProvider): Promise<SSFProvider> {
         if (this.instance) {
-            return new ProvidersApi(DEFAULT_CONFIG).providersSsfUpdate({
+            return aki(ProvidersApi).providersSsfUpdate({
                 id: this.instance.pk,
                 sSFProviderRequest: data,
             });
         }
-        return new ProvidersApi(DEFAULT_CONFIG).providersSsfCreate({
+        return aki(ProvidersApi).providersSsfCreate({
             sSFProviderRequest: data,
         });
     }
diff --git a/web/src/admin/providers/ssf/SSFProviderViewPage.ts b/web/src/admin/providers/ssf/SSFProviderViewPage.ts
index b7578da5c8..0cd909967f 100644
--- a/web/src/admin/providers/ssf/SSFProviderViewPage.ts
+++ b/web/src/admin/providers/ssf/SSFProviderViewPage.ts
@@ -9,7 +9,7 @@ import "#elements/buttons/ModalButton";
 import "#elements/buttons/SpinnerButton/index";
 import "#elements/tasks/TaskList";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -39,7 +39,7 @@ import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 export class SSFProviderViewPage extends AKElement {
     @property({ type: Number })
     set providerID(value: number) {
-        new ProvidersApi(DEFAULT_CONFIG)
+        aki(ProvidersApi)
             .providersSsfRetrieve({
                 id: value,
             })
diff --git a/web/src/admin/providers/ssf/StreamTable.ts b/web/src/admin/providers/ssf/StreamTable.ts
index 183530c448..dec233083d 100644
--- a/web/src/admin/providers/ssf/StreamTable.ts
+++ b/web/src/admin/providers/ssf/StreamTable.ts
@@ -3,7 +3,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -36,7 +36,7 @@ export class SSFProviderStreamList extends Table<SSFStream> {
     static styles: CSSResult[] = [...super.styles, PFDescriptionList];
 
     async apiEndpoint(): Promise<PaginatedResponse<SSFStream>> {
-        return new SsfApi(DEFAULT_CONFIG).ssfStreamsList({
+        return aki(SsfApi).ssfStreamsList({
             provider: this.providerId,
             ...(await this.defaultEndpointConfig()),
             pageSize: 10,
@@ -49,7 +49,7 @@ export class SSFProviderStreamList extends Table<SSFStream> {
             object-label=${msg("Stream(s)")}
             .objects=${this.selectedElements}
             .delete=${(item: SSFStream) => {
-                return new SsfApi(DEFAULT_CONFIG).ssfStreamsDestroy({
+                return aki(SsfApi).ssfStreamsDestroy({
                     uuid: item.pk,
                 });
             }}
diff --git a/web/src/admin/providers/wsfed/WSFederationProviderForm.ts b/web/src/admin/providers/wsfed/WSFederationProviderForm.ts
index 9f76cb3086..d636f6abd7 100644
--- a/web/src/admin/providers/wsfed/WSFederationProviderForm.ts
+++ b/web/src/admin/providers/wsfed/WSFederationProviderForm.ts
@@ -2,7 +2,7 @@ import "#elements/forms/FormGroup";
 
 import { renderForm } from "./WSFederationProviderFormForm.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import AkCryptoCertificateSearch from "#admin/common/ak-crypto-certificate-search";
 import { BaseProviderForm } from "#admin/providers/BaseProviderForm";
@@ -21,7 +21,7 @@ export class WSFederationProviderForm extends BaseProviderForm<WSFederationProvi
     protected signingKeyType: KeyTypeEnum | null = null;
 
     async loadInstance(pk: number): Promise<WSFederationProvider> {
-        const provider = await new ProvidersApi(DEFAULT_CONFIG).providersWsfedRetrieve({
+        const provider = await aki(ProvidersApi).providersWsfedRetrieve({
             id: pk,
         });
         this.hasSigningKp = !!provider.signingKp;
@@ -30,12 +30,12 @@ export class WSFederationProviderForm extends BaseProviderForm<WSFederationProvi
 
     async send(data: WSFederationProvider): Promise<WSFederationProvider> {
         if (this.instance) {
-            return new ProvidersApi(DEFAULT_CONFIG).providersWsfedUpdate({
+            return aki(ProvidersApi).providersWsfedUpdate({
                 id: this.instance.pk,
                 wSFederationProviderRequest: data,
             });
         }
-        return new ProvidersApi(DEFAULT_CONFIG).providersWsfedCreate({
+        return aki(ProvidersApi).providersWsfedCreate({
             wSFederationProviderRequest: data,
         });
     }
diff --git a/web/src/admin/providers/wsfed/WSFederationProviderFormForm.ts b/web/src/admin/providers/wsfed/WSFederationProviderFormForm.ts
index 20d6e9c41c..a8d0e5d623 100644
--- a/web/src/admin/providers/wsfed/WSFederationProviderFormForm.ts
+++ b/web/src/admin/providers/wsfed/WSFederationProviderFormForm.ts
@@ -10,7 +10,7 @@ import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/ak-search-select-ez";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { withQuery } from "#elements/forms/SearchSelect/utils";
 
@@ -69,7 +69,7 @@ export function renderForm({
     const keyType = signingKeyType ?? KeyTypeEnum.Rsa;
     const samlPropertyMappingSearch = async (query?: string) =>
         (
-            await new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderSamlList(
+            await aki(PropertymappingsApi).propertymappingsProviderSamlList(
                 withQuery(query, { ordering: "saml_name" }),
             )
         ).results;
diff --git a/web/src/admin/providers/wsfed/WSFederationProviderViewPage.ts b/web/src/admin/providers/wsfed/WSFederationProviderViewPage.ts
index 6118b7c101..a3a38e3535 100644
--- a/web/src/admin/providers/wsfed/WSFederationProviderViewPage.ts
+++ b/web/src/admin/providers/wsfed/WSFederationProviderViewPage.ts
@@ -9,7 +9,7 @@ import "#elements/buttons/ActionButton/index";
 import "#elements/buttons/ModalButton";
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 import { MessageLevel } from "#common/messages";
 
@@ -94,7 +94,7 @@ export class WSFederationProviderViewPage extends AKElement {
     }
 
     fetchPreview(): void {
-        new ProvidersApi(DEFAULT_CONFIG)
+        aki(ProvidersApi)
             .providersWsfedPreviewUserRetrieve({
                 id: this.provider?.pk || 0,
                 forUser: this.previewUser?.pk,
@@ -105,7 +105,7 @@ export class WSFederationProviderViewPage extends AKElement {
     }
 
     fetchCertificate(kpUuid: string) {
-        return new CryptoApi(DEFAULT_CONFIG).cryptoCertificatekeypairsRetrieve({ kpUuid });
+        return aki(CryptoApi).cryptoCertificatekeypairsRetrieve({ kpUuid });
     }
 
     fetchSigningCertificate(kpUuid: string) {
@@ -116,15 +116,17 @@ export class WSFederationProviderViewPage extends AKElement {
     }
 
     fetchProvider(id: number) {
-        new ProvidersApi(DEFAULT_CONFIG).providersWsfedRetrieve({ id }).then((prov) => {
-            this.provider = prov;
-            // Clear existing signing certificate if the provider has none
-            if (!this.provider.signingKp) {
-                this.signer = null;
-            } else {
-                this.fetchSigningCertificate(this.provider.signingKp);
-            }
-        });
+        aki(ProvidersApi)
+            .providersWsfedRetrieve({ id })
+            .then((prov) => {
+                this.provider = prov;
+                // Clear existing signing certificate if the provider has none
+                if (!this.provider.signingKp) {
+                    this.signer = null;
+                } else {
+                    this.fetchSigningCertificate(this.provider.signingKp);
+                }
+            });
     }
 
     protected override willUpdate(changedProperties: PropertyValues<this>) {
@@ -264,13 +266,7 @@ export class WSFederationProviderViewPage extends AKElement {
         if (!this.provider) {
             return nothing;
         }
-        return html`${
-            this.provider?.assignedApplicationName
-                ? nothing
-                : html`<div slot="header" class="pf-c-banner pf-m-warning">
-                      ${msg("Warning: Provider is not used by an Application.")}
-                  </div>`
-        }
+        return html`${this.provider?.assignedApplicationName ? nothing : html`<div slot="header" class="pf-c-banner pf-m-warning">${msg("Warning: Provider is not used by an Application.")}</div>`}
             <div class="pf-c-page__main-section pf-m-no-padding-mobile pf-l-grid pf-m-gutter">
                 <div class="pf-c-card pf-l-grid__item pf-m-12-col">
                     <div class="pf-c-card__body">
@@ -357,7 +353,7 @@ export class WSFederationProviderViewPage extends AKElement {
                       id="page-metadata"
                       aria-label="${msg("Metadata")}"
                       @activate=${() => {
-                          new ProvidersApi(DEFAULT_CONFIG)
+                          aki(ProvidersApi)
                               .providersWsfedMetadataRetrieve({
                                   id: this.provider?.pk || 0,
                               })
@@ -433,9 +429,7 @@ export class WSFederationProviderViewPage extends AKElement {
                                         if (query !== undefined) {
                                             args.search = query;
                                         }
-                                        const users = await new CoreApi(
-                                            DEFAULT_CONFIG,
-                                        ).coreUsersList(args);
+                                        const users = await aki(CoreApi).coreUsersList(args);
                                         return users.results;
                                     }}
                                     .renderElement=${(user: User): string => {
diff --git a/web/src/admin/rbac/ak-initial-permissions-form.ts b/web/src/admin/rbac/ak-initial-permissions-form.ts
index b6c75663fe..d2e8628be0 100644
--- a/web/src/admin/rbac/ak-initial-permissions-form.ts
+++ b/web/src/admin/rbac/ak-initial-permissions-form.ts
@@ -5,7 +5,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 import "#components/ak-text-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PFSize } from "#common/enums";
 
 import { DataProvision, DualSelectPair } from "#elements/ak-dual-select/types";
@@ -44,7 +44,7 @@ export class InitialPermissionsForm extends ModelForm<InitialPermissions, string
     public override size = PFSize.XLarge;
 
     loadInstance(pk: string): Promise<InitialPermissions> {
-        return new RbacApi(DEFAULT_CONFIG).rbacInitialPermissionsRetrieve({
+        return aki(RbacApi).rbacInitialPermissionsRetrieve({
             id: Number(pk),
         });
     }
@@ -57,12 +57,12 @@ export class InitialPermissionsForm extends ModelForm<InitialPermissions, string
 
     async send(data: InitialPermissions): Promise<InitialPermissions> {
         if (this.instance?.pk) {
-            return new RbacApi(DEFAULT_CONFIG).rbacInitialPermissionsPartialUpdate({
+            return aki(RbacApi).rbacInitialPermissionsPartialUpdate({
                 id: this.instance.pk,
                 patchedInitialPermissionsRequest: data,
             });
         }
-        return new RbacApi(DEFAULT_CONFIG).rbacInitialPermissionsCreate({
+        return aki(RbacApi).rbacInitialPermissionsCreate({
             initialPermissionsRequest: data,
         });
     }
@@ -87,7 +87,7 @@ export class InitialPermissionsForm extends ModelForm<InitialPermissions, string
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const roles = await new RbacApi(DEFAULT_CONFIG).rbacRolesList(args);
+                        const roles = await aki(RbacApi).rbacRolesList(args);
                         return roles.results;
                     }}
                     .renderElement=${(role: Role): string => {
@@ -113,7 +113,7 @@ export class InitialPermissionsForm extends ModelForm<InitialPermissions, string
             <ak-form-element-horizontal label=${msg("Permissions")} name="permissions">
                 <ak-dual-select-provider
                     .provider=${(page: number, search?: string): Promise<DataProvision> => {
-                        return new RbacApi(DEFAULT_CONFIG)
+                        return aki(RbacApi)
                             .rbacPermissionsList({
                                 page: page,
                                 search: search,
diff --git a/web/src/admin/rbac/ak-initial-permissions-list.ts b/web/src/admin/rbac/ak-initial-permissions-list.ts
index 4ea40895e0..7c291812cf 100644
--- a/web/src/admin/rbac/ak-initial-permissions-list.ts
+++ b/web/src/admin/rbac/ak-initial-permissions-list.ts
@@ -4,7 +4,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButton, ModalInvokerButton } from "#elements/dialogs";
 import { PaginatedResponse, TableColumn } from "#elements/table/Table";
@@ -37,9 +37,7 @@ export class InitialPermissionsListPage extends TablePage<InitialPermissions> {
     public override order = "name";
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<InitialPermissions>> {
-        return new RbacApi(DEFAULT_CONFIG).rbacInitialPermissionsList(
-            await this.defaultEndpointConfig(),
-        );
+        return aki(RbacApi).rbacInitialPermissionsList(await this.defaultEndpointConfig());
     }
 
     protected override columns: TableColumn[] = [
@@ -54,12 +52,12 @@ export class InitialPermissionsListPage extends TablePage<InitialPermissions> {
             object-label=${msg("Initial Permissions")}
             .objects=${this.selectedElements}
             .usedBy=${(item: InitialPermissions) => {
-                return new RbacApi(DEFAULT_CONFIG).rbacInitialPermissionsUsedByList({
+                return aki(RbacApi).rbacInitialPermissionsUsedByList({
                     id: item.pk,
                 });
             }}
             .delete=${(item: InitialPermissions) => {
-                return new RbacApi(DEFAULT_CONFIG).rbacInitialPermissionsDestroy({
+                return aki(RbacApi).rbacInitialPermissionsDestroy({
                     id: item.pk,
                 });
             }}
diff --git a/web/src/admin/rbac/ak-rbac-permission-table.ts b/web/src/admin/rbac/ak-rbac-permission-table.ts
index 2a86f81b02..8cbbdf1b28 100644
--- a/web/src/admin/rbac/ak-rbac-permission-table.ts
+++ b/web/src/admin/rbac/ak-rbac-permission-table.ts
@@ -1,6 +1,6 @@
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { groupBy } from "#common/utils";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
@@ -22,7 +22,7 @@ export class RBACPermissionTable extends Table<Permission> {
     public override order = "content_type__app_label,content_type__model";
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<Permission>> {
-        return new RbacApi(DEFAULT_CONFIG).rbacPermissionsList(await this.defaultEndpointConfig());
+        return aki(RbacApi).rbacPermissionsList(await this.defaultEndpointConfig());
     }
 
     protected override groupBy(items: Permission[]): [string, Permission[]][] {
diff --git a/web/src/admin/rbac/ak-rbac-role-object-permission-form.ts b/web/src/admin/rbac/ak-rbac-role-object-permission-form.ts
index 25aa3c02b7..c65481d8b9 100644
--- a/web/src/admin/rbac/ak-rbac-role-object-permission-form.ts
+++ b/web/src/admin/rbac/ak-rbac-role-object-permission-form.ts
@@ -4,7 +4,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 import { SlottedTemplateResult } from "#elements/types";
@@ -55,7 +55,7 @@ export class RoleObjectPermissionForm extends ModelForm<RoleAssignData, number>
 
     async load(): Promise<void> {
         const [appLabel, modelName] = (this.model || "").split(".");
-        this.modelPermissions = await new RbacApi(DEFAULT_CONFIG).rbacPermissionsList({
+        this.modelPermissions = await aki(RbacApi).rbacPermissionsList({
             contentTypeModel: modelName,
             contentTypeAppLabel: appLabel,
             ordering: "codename",
@@ -73,7 +73,7 @@ export class RoleObjectPermissionForm extends ModelForm<RoleAssignData, number>
     send(data: RoleAssignData): Promise<unknown> {
         const [app, _model] = this.model?.split(".") || "";
 
-        return new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByRolesAssign({
+        return aki(RbacApi).rbacPermissionsAssignedByRolesAssign({
             uuid: data.role,
             permissionAssignRequest: {
                 permissions: Object.keys(data.permissions)
@@ -106,7 +106,7 @@ export class RoleObjectPermissionForm extends ModelForm<RoleAssignData, number>
                             if (query !== undefined) {
                                 args.search = query;
                             }
-                            const roles = await new RbacApi(DEFAULT_CONFIG).rbacRolesList(args);
+                            const roles = await aki(RbacApi).rbacRolesList(args);
                             return roles.results;
                         }}
                         .renderElement=${(role: Role): string => {
diff --git a/web/src/admin/rbac/ak-rbac-role-object-permission-table.ts b/web/src/admin/rbac/ak-rbac-role-object-permission-table.ts
index a9d5744917..ea970bafc3 100644
--- a/web/src/admin/rbac/ak-rbac-role-object-permission-table.ts
+++ b/web/src/admin/rbac/ak-rbac-role-object-permission-table.ts
@@ -3,7 +3,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { createPaginatedResponse } from "#common/api/responses";
 
 import { ModalInvokerButton } from "#elements/dialogs";
@@ -46,13 +46,13 @@ export class RoleAssignedObjectPermissionTable extends Table<RoleAssignedObjectP
         if (!this.objectPk || !this.model) {
             return createPaginatedResponse([]);
         }
-        const perms = await new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByRolesList({
+        const perms = await aki(RbacApi).rbacPermissionsAssignedByRolesList({
             ...(await this.defaultEndpointConfig()),
             model: this.model,
             objectPk: this.objectPk.toString(),
         });
         const [appLabel, modelName] = this.model.split(".");
-        const modelPermissions = await new RbacApi(DEFAULT_CONFIG).rbacPermissionsList({
+        const modelPermissions = await aki(RbacApi).rbacPermissionsList({
             contentTypeModel: modelName,
             contentTypeAppLabel: appLabel,
             ordering: "codename",
@@ -92,9 +92,7 @@ export class RoleAssignedObjectPermissionTable extends Table<RoleAssignedObjectP
                 return [{ key: msg("Permission"), value: item.name }];
             }}
             .delete=${(item: RoleAssignedObjectPermission) => {
-                return new RbacApi(
-                    DEFAULT_CONFIG,
-                ).rbacPermissionsAssignedByRolesUnassignPartialUpdate({
+                return aki(RbacApi).rbacPermissionsAssignedByRolesUnassignPartialUpdate({
                     uuid: item.rolePk,
                     patchedPermissionAssignRequest: {
                         objectPk: this.objectPk?.toString(),
diff --git a/web/src/admin/roles/ak-related-role-table.ts b/web/src/admin/roles/ak-related-role-table.ts
index b0b630f00f..ccaac4e51f 100644
--- a/web/src/admin/roles/ak-related-role-table.ts
+++ b/web/src/admin/roles/ak-related-role-table.ts
@@ -7,7 +7,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { renderModal } from "#elements/dialogs";
 import { AKFormSubmitEvent, Form } from "#elements/forms/Form";
@@ -30,7 +30,7 @@ export class AddRelatedRoleForm extends Form<{ roles: string[] }> {
     public static override verboseName = msg("Role");
     public static override verboseNamePlural = msg("Roles");
 
-    #api = new RbacApi(DEFAULT_CONFIG);
+    #api = aki(RbacApi);
 
     @property({ attribute: false })
     public user: User | null = null;
@@ -113,7 +113,7 @@ export class AddRelatedRoleForm extends Form<{ roles: string[] }> {
 
 @customElement("ak-related-role-table")
 export class RelatedRoleTable extends Table<Role> {
-    #api = new RbacApi(DEFAULT_CONFIG);
+    #api = aki(RbacApi);
 
     checkbox = true;
     clearOnRefresh = true;
diff --git a/web/src/admin/roles/ak-role-assigned-global-permissions-table.ts b/web/src/admin/roles/ak-role-assigned-global-permissions-table.ts
index 821c9f5dbb..8b2e3bb2ae 100644
--- a/web/src/admin/roles/ak-role-assigned-global-permissions-table.ts
+++ b/web/src/admin/roles/ak-role-assigned-global-permissions-table.ts
@@ -2,7 +2,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#admin/roles/ak-role-permission-form";
 import "#elements/forms/ModalForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { groupBy } from "#common/utils";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
@@ -28,7 +28,7 @@ export class RoleAssignedGlobalPermissionsTable extends Table<Permission> {
     public override order = "content_type__app_label,content_type__model";
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<Permission>> {
-        return new RbacApi(DEFAULT_CONFIG).rbacPermissionsList({
+        return aki(RbacApi).rbacPermissionsList({
             ...(await this.defaultEndpointConfig()),
             role: this.roleUuid ?? undefined,
         });
@@ -67,9 +67,7 @@ export class RoleAssignedGlobalPermissionsTable extends Table<Permission> {
             object-label=${msg("Permission(s)")}
             .objects=${this.selectedElements}
             .delete=${(item: Permission) => {
-                return new RbacApi(
-                    DEFAULT_CONFIG,
-                ).rbacPermissionsAssignedByRolesUnassignPartialUpdate({
+                return aki(RbacApi).rbacPermissionsAssignedByRolesUnassignPartialUpdate({
                     uuid: this.roleUuid || "",
                     patchedPermissionAssignRequest: {
                         permissions: [`${item.appLabel}.${item.codename}`],
diff --git a/web/src/admin/roles/ak-role-assigned-object-permissions-table.ts b/web/src/admin/roles/ak-role-assigned-object-permissions-table.ts
index 3b5282eeba..94718b1573 100644
--- a/web/src/admin/roles/ak-role-assigned-object-permissions-table.ts
+++ b/web/src/admin/roles/ak-role-assigned-object-permissions-table.ts
@@ -1,7 +1,7 @@
 import "#elements/forms/DeleteBulkForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { groupBy } from "#common/utils";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
@@ -24,7 +24,7 @@ export class RoleAssignedObjectPermissionTable extends Table<ExtraRoleObjectPerm
     public override clearOnRefresh = true;
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<ExtraRoleObjectPermission>> {
-        return new RbacApi(DEFAULT_CONFIG).rbacPermissionsRolesList({
+        return aki(RbacApi).rbacPermissionsRolesList({
             ...(await this.defaultEndpointConfig()),
             uuid: this.roleUUID || "",
         });
@@ -57,9 +57,7 @@ export class RoleAssignedObjectPermissionTable extends Table<ExtraRoleObjectPerm
                 ];
             }}
             .delete=${(item: ExtraRoleObjectPermission) => {
-                return new RbacApi(
-                    DEFAULT_CONFIG,
-                ).rbacPermissionsAssignedByRolesUnassignPartialUpdate({
+                return aki(RbacApi).rbacPermissionsAssignedByRolesUnassignPartialUpdate({
                     uuid: this.roleUUID || "",
                     patchedPermissionAssignRequest: {
                         permissions: [`${item.appLabel}.${item.codename}`],
diff --git a/web/src/admin/roles/ak-role-form.ts b/web/src/admin/roles/ak-role-form.ts
index 4d20167119..fed307ee99 100644
--- a/web/src/admin/roles/ak-role-form.ts
+++ b/web/src/admin/roles/ak-role-form.ts
@@ -4,7 +4,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 import "#components/ak-text-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PFSize } from "#common/enums";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -24,7 +24,7 @@ export class RoleForm extends ModelForm<Role, string> {
     public override size = PFSize.Medium;
 
     loadInstance(pk: string): Promise<Role> {
-        return new RbacApi(DEFAULT_CONFIG).rbacRolesRetrieve({
+        return aki(RbacApi).rbacRolesRetrieve({
             uuid: pk,
         });
     }
@@ -37,12 +37,12 @@ export class RoleForm extends ModelForm<Role, string> {
 
     async send(data: Role): Promise<Role> {
         if (this.instance?.pk) {
-            return new RbacApi(DEFAULT_CONFIG).rbacRolesPartialUpdate({
+            return aki(RbacApi).rbacRolesPartialUpdate({
                 uuid: this.instance.pk,
                 patchedRoleRequest: data,
             });
         }
-        return new RbacApi(DEFAULT_CONFIG).rbacRolesCreate({
+        return aki(RbacApi).rbacRolesCreate({
             roleRequest: data,
         });
     }
diff --git a/web/src/admin/roles/ak-role-list.ts b/web/src/admin/roles/ak-role-list.ts
index af1273d6ce..3404ed830c 100644
--- a/web/src/admin/roles/ak-role-list.ts
+++ b/web/src/admin/roles/ak-role-list.ts
@@ -4,7 +4,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButton, ModalInvokerButton } from "#elements/dialogs";
 import { getURLParam, updateURLParams } from "#elements/router/RouteMatch";
@@ -41,7 +41,7 @@ export class RoleListPage extends TablePage<Role> {
     protected hideManaged = getURLParam<boolean>("hideManaged", true);
 
     protected async apiEndpoint(): Promise<PaginatedResponse<Role>> {
-        return new RbacApi(DEFAULT_CONFIG).rbacRolesList({
+        return aki(RbacApi).rbacRolesList({
             ...(await this.defaultEndpointConfig()),
             managedIsnull: this.hideManaged ? true : undefined,
         });
@@ -59,12 +59,12 @@ export class RoleListPage extends TablePage<Role> {
             object-label=${msg("Role(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: Role) => {
-                return new RbacApi(DEFAULT_CONFIG).rbacRolesUsedByList({
+                return aki(RbacApi).rbacRolesUsedByList({
                     uuid: item.pk,
                 });
             }}
             .delete=${(item: Role) => {
-                return new RbacApi(DEFAULT_CONFIG).rbacRolesDestroy({
+                return aki(RbacApi).rbacRolesDestroy({
                     uuid: item.pk,
                 });
             }}
diff --git a/web/src/admin/roles/ak-role-permission-form.ts b/web/src/admin/roles/ak-role-permission-form.ts
index 5b73bce445..9a080a9c0f 100644
--- a/web/src/admin/roles/ak-role-permission-form.ts
+++ b/web/src/admin/roles/ak-role-permission-form.ts
@@ -6,7 +6,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { renderModal } from "#elements/dialogs";
 import { AKFormSubmitEvent } from "#elements/forms/Form";
@@ -48,7 +48,7 @@ export class RolePermissionForm extends ModelForm<RolePermissionAssign, number>
         if (!this.roleUUID) {
             return;
         }
-        await new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByRolesAssign({
+        await aki(RbacApi).rbacPermissionsAssignedByRolesAssign({
             uuid: this.roleUUID,
             permissionAssignRequest: {
                 permissions: data.permissions,
diff --git a/web/src/admin/roles/ak-role-view.ts b/web/src/admin/roles/ak-role-view.ts
index b280b6d003..266e396cc4 100644
--- a/web/src/admin/roles/ak-role-view.ts
+++ b/web/src/admin/roles/ak-role-view.ts
@@ -6,7 +6,7 @@ import "#admin/events/ObjectChangelog";
 import "#admin/events/UserEvents";
 import "#elements/Tabs";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -36,7 +36,7 @@ import PFDisplay from "@patternfly/patternfly/utilities/Display/display.css";
 export class RoleViewPage extends WithLicenseSummary(AKElement) {
     @property({ type: String })
     set roleId(id: string) {
-        new RbacApi(DEFAULT_CONFIG)
+        aki(RbacApi)
             .rbacRolesRetrieve({
                 uuid: id,
             })
diff --git a/web/src/admin/sources/SourceListPage.ts b/web/src/admin/sources/SourceListPage.ts
index b88e7f0feb..13e5d7131e 100644
--- a/web/src/admin/sources/SourceListPage.ts
+++ b/web/src/admin/sources/SourceListPage.ts
@@ -8,7 +8,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButtonByTagName, ModalInvokerButton } from "#elements/dialogs";
 import { PFColor } from "#elements/Label";
@@ -40,7 +40,7 @@ export class SourceListPage extends TablePage<Source> {
     public override order = "name";
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<Source>> {
-        return new SourcesApi(DEFAULT_CONFIG).sourcesAllList(await this.defaultEndpointConfig());
+        return aki(SourcesApi).sourcesAllList(await this.defaultEndpointConfig());
     }
 
     protected columns: TableColumn[] = [
@@ -59,12 +59,12 @@ export class SourceListPage extends TablePage<Source> {
             object-label=${msg("Source(s)")}
             .objects=${nonBuiltInSources}
             .usedBy=${(item: Source) => {
-                return new SourcesApi(DEFAULT_CONFIG).sourcesAllUsedByList({
+                return aki(SourcesApi).sourcesAllUsedByList({
                     slug: item.slug,
                 });
             }}
             .delete=${(item: Source) => {
-                return new SourcesApi(DEFAULT_CONFIG).sourcesAllDestroy({
+                return aki(SourcesApi).sourcesAllDestroy({
                     slug: item.slug,
                 });
             }}
diff --git a/web/src/admin/sources/SourceViewPage.ts b/web/src/admin/sources/SourceViewPage.ts
index 2c20a0b93c..c42de05802 100644
--- a/web/src/admin/sources/SourceViewPage.ts
+++ b/web/src/admin/sources/SourceViewPage.ts
@@ -8,7 +8,7 @@ import "#admin/sources/telegram/TelegramSourceViewPage";
 import "#elements/EmptyState";
 import "#elements/buttons/SpinnerButton/ak-spinner-button";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKElement } from "#elements/Base";
 
@@ -23,7 +23,7 @@ import { customElement, property } from "lit/decorators.js";
 export class SourceViewPage extends AKElement {
     @property({ type: String })
     set sourceSlug(slug: string) {
-        new SourcesApi(DEFAULT_CONFIG)
+        aki(SourcesApi)
             .sourcesAllRetrieve({
                 slug: slug,
             })
diff --git a/web/src/admin/sources/ak-source-wizard.ts b/web/src/admin/sources/ak-source-wizard.ts
index 9147cf79e4..5d92045250 100644
--- a/web/src/admin/sources/ak-source-wizard.ts
+++ b/web/src/admin/sources/ak-source-wizard.ts
@@ -8,7 +8,7 @@ import "#admin/sources/telegram/TelegramSourceForm";
 import "#elements/wizard/FormWizardPage";
 import "#elements/wizard/Wizard";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { LitPropertyRecord } from "#elements/types";
 import { CreateWizard } from "#elements/wizard/CreateWizard";
@@ -23,7 +23,7 @@ import { customElement } from "@lit/reactive-element/decorators/custom-element.j
 
 @customElement("ak-source-wizard")
 export class AKSourceWizard extends CreateWizard {
-    #api = new SourcesApi(DEFAULT_CONFIG);
+    #api = aki(SourcesApi);
 
     public static override verboseName = msg("Source");
     public static override verboseNamePlural = msg("Sources");
diff --git a/web/src/admin/sources/kerberos/KerberosSourceForm.ts b/web/src/admin/sources/kerberos/KerberosSourceForm.ts
index 3aaef2eda5..652b8bc7d3 100644
--- a/web/src/admin/sources/kerberos/KerberosSourceForm.ts
+++ b/web/src/admin/sources/kerberos/KerberosSourceForm.ts
@@ -14,7 +14,7 @@ import "#elements/forms/SearchSelect/index";
 
 import { propertyMappingsProvider, propertyMappingsSelector } from "./KerberosSourceFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { RadioOption } from "#elements/forms/Radio";
 
@@ -67,20 +67,20 @@ function createSyncOutgoingTriggerModeOptions(): RadioOption<SyncOutgoingTrigger
 @customElement("ak-source-kerberos-form")
 export class KerberosSourceForm extends BaseSourceForm<KerberosSource> {
     async loadInstance(pk: string): Promise<KerberosSource> {
-        return new SourcesApi(DEFAULT_CONFIG).sourcesKerberosRetrieve({
+        return aki(SourcesApi).sourcesKerberosRetrieve({
             slug: pk,
         });
     }
 
     async send(data: KerberosSource): Promise<KerberosSource> {
         if (this.instance) {
-            return new SourcesApi(DEFAULT_CONFIG).sourcesKerberosPartialUpdate({
+            return aki(SourcesApi).sourcesKerberosPartialUpdate({
                 slug: this.instance.slug,
                 patchedKerberosSourceRequest: data,
             });
         }
 
-        return new SourcesApi(DEFAULT_CONFIG).sourcesKerberosCreate({
+        return aki(SourcesApi).sourcesKerberosCreate({
             kerberosSourceRequest: data as unknown as KerberosSourceRequest,
         });
     }
diff --git a/web/src/admin/sources/kerberos/KerberosSourceFormHelpers.ts b/web/src/admin/sources/kerberos/KerberosSourceFormHelpers.ts
index ee08f23111..4113767ab9 100644
--- a/web/src/admin/sources/kerberos/KerberosSourceFormHelpers.ts
+++ b/web/src/admin/sources/kerberos/KerberosSourceFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,9 +7,7 @@ import { KerberosSourcePropertyMapping, PropertymappingsApi } from "@goauthentik
 const mappingToSelect = (m: KerberosSourcePropertyMapping) => [m.pk, m.name, m.name, m];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsSourceKerberosList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsSourceKerberosList({
         ordering: "managed",
         pageSize: 20,
         search: search.trim(),
@@ -32,7 +30,7 @@ export function propertyMappingsSelector(object: string, instanceMappings?: stri
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsSourceKerberosRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/sources/kerberos/KerberosSourceViewPage.ts b/web/src/admin/sources/kerberos/KerberosSourceViewPage.ts
index 02e23e78bf..ee446cc3d5 100644
--- a/web/src/admin/sources/kerberos/KerberosSourceViewPage.ts
+++ b/web/src/admin/sources/kerberos/KerberosSourceViewPage.ts
@@ -11,7 +11,7 @@ import "#elements/buttons/SpinnerButton/index";
 import "#elements/forms/ModalForm";
 import "#components/sync/SyncStatusCard";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -38,7 +38,7 @@ import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 export class KerberosSourceViewPage extends AKElement {
     @property({ type: String })
     set sourceSlug(slug: string) {
-        new SourcesApi(DEFAULT_CONFIG)
+        aki(SourcesApi)
             .sourcesKerberosRetrieve({
                 slug: slug,
             })
@@ -142,9 +142,7 @@ export class KerberosSourceViewPage extends AKElement {
                         >
                             <ak-sync-status-card
                                 .fetch=${() => {
-                                    return new SourcesApi(
-                                        DEFAULT_CONFIG,
-                                    ).sourcesKerberosSyncStatusRetrieve({
+                                    return aki(SourcesApi).sourcesKerberosSyncStatusRetrieve({
                                         slug: this.source?.slug,
                                     });
                                 }}
diff --git a/web/src/admin/sources/ldap/LDAPSourceForm.ts b/web/src/admin/sources/ldap/LDAPSourceForm.ts
index c4cd9166fe..c4c5f37439 100644
--- a/web/src/admin/sources/ldap/LDAPSourceForm.ts
+++ b/web/src/admin/sources/ldap/LDAPSourceForm.ts
@@ -10,7 +10,7 @@ import "#elements/forms/SearchSelect/index";
 
 import { propertyMappingsProvider, propertyMappingsSelector } from "./LDAPSourceFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { RadioOption } from "#elements/forms/Radio";
 
@@ -59,20 +59,20 @@ function createSyncOutgoingTriggerModeOptions(): RadioOption<SyncOutgoingTrigger
 @customElement("ak-source-ldap-form")
 export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
     loadInstance(pk: string): Promise<LDAPSource> {
-        return new SourcesApi(DEFAULT_CONFIG).sourcesLdapRetrieve({
+        return aki(SourcesApi).sourcesLdapRetrieve({
             slug: pk,
         });
     }
 
     async send(data: LDAPSource): Promise<LDAPSource> {
         if (this.instance) {
-            return new SourcesApi(DEFAULT_CONFIG).sourcesLdapPartialUpdate({
+            return aki(SourcesApi).sourcesLdapPartialUpdate({
                 slug: this.instance.slug,
                 patchedLDAPSourceRequest: data,
             });
         }
 
-        return new SourcesApi(DEFAULT_CONFIG).sourcesLdapCreate({
+        return aki(SourcesApi).sourcesLdapCreate({
             lDAPSourceRequest: data as unknown as LDAPSourceRequest,
         });
     }
@@ -261,9 +261,7 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(
-                                    args,
-                                );
+                                const groups = await aki(CoreApi).coreGroupsList(args);
                                 return groups.results;
                             }}
                             .renderElement=${(group: Group): string => {
diff --git a/web/src/admin/sources/ldap/LDAPSourceFormHelpers.ts b/web/src/admin/sources/ldap/LDAPSourceFormHelpers.ts
index e90255e91f..e40eb5c150 100644
--- a/web/src/admin/sources/ldap/LDAPSourceFormHelpers.ts
+++ b/web/src/admin/sources/ldap/LDAPSourceFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,9 +7,7 @@ import { LDAPSourcePropertyMapping, PropertymappingsApi } from "@goauthentik/api
 const mappingToSelect = (m: LDAPSourcePropertyMapping) => [m.pk, m.name, m.name, m];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsSourceLdapList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsSourceLdapList({
         ordering: "managed",
         pageSize: 20,
         search: search.trim(),
@@ -32,7 +30,7 @@ export function propertyMappingsSelector(instanceMappings?: string[]) {
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsSourceLdapRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/sources/ldap/LDAPSourceGroupForm.ts b/web/src/admin/sources/ldap/LDAPSourceGroupForm.ts
index fe54a0072c..843aea66e0 100644
--- a/web/src/admin/sources/ldap/LDAPSourceGroupForm.ts
+++ b/web/src/admin/sources/ldap/LDAPSourceGroupForm.ts
@@ -2,7 +2,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 import "#components/ak-text-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 
@@ -30,14 +30,14 @@ export class LDAPSourceGroupForm extends ModelForm<GroupLDAPSourceConnection, nu
     }
 
     protected async loadInstance(pk: number): Promise<GroupLDAPSourceConnection> {
-        return new SourcesApi(DEFAULT_CONFIG).sourcesGroupConnectionsLdapRetrieve({
+        return aki(SourcesApi).sourcesGroupConnectionsLdapRetrieve({
             id: pk,
         });
     }
 
     async send(data: GroupLDAPSourceConnection) {
         data.source = this.source?.pk || "";
-        return new SourcesApi(DEFAULT_CONFIG).sourcesGroupConnectionsLdapCreate({
+        return aki(SourcesApi).sourcesGroupConnectionsLdapCreate({
             groupLDAPSourceConnectionRequest: data,
         });
     }
@@ -52,7 +52,7 @@ export class LDAPSourceGroupForm extends ModelForm<GroupLDAPSourceConnection, nu
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(args);
+                        const groups = await aki(CoreApi).coreGroupsList(args);
                         return groups.results;
                     }}
                     .renderElement=${(group: Group): string => {
diff --git a/web/src/admin/sources/ldap/LDAPSourceGroupList.ts b/web/src/admin/sources/ldap/LDAPSourceGroupList.ts
index ca2eb304b2..5eac90a930 100644
--- a/web/src/admin/sources/ldap/LDAPSourceGroupList.ts
+++ b/web/src/admin/sources/ldap/LDAPSourceGroupList.ts
@@ -2,7 +2,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "#admin/sources/ldap/LDAPSourceGroupForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -29,7 +29,7 @@ export class LDAPSourceGroupList extends Table<GroupLDAPSourceConnection> {
             object-label=${msg("LDAP Group(s)")}
             .objects=${this.selectedElements}
             .delete=${(item: GroupLDAPSourceConnection) => {
-                return new SourcesApi(DEFAULT_CONFIG).sourcesGroupConnectionsLdapDestroy({
+                return aki(SourcesApi).sourcesGroupConnectionsLdapDestroy({
                     id: item.pk,
                 });
             }}
@@ -52,7 +52,7 @@ export class LDAPSourceGroupList extends Table<GroupLDAPSourceConnection> {
     }
 
     async apiEndpoint(): Promise<PaginatedResponse<GroupLDAPSourceConnection>> {
-        return new SourcesApi(DEFAULT_CONFIG).sourcesGroupConnectionsLdapList({
+        return aki(SourcesApi).sourcesGroupConnectionsLdapList({
             ...(await this.defaultEndpointConfig()),
             sourceSlug: this.source?.slug,
         });
diff --git a/web/src/admin/sources/ldap/LDAPSourceUserForm.ts b/web/src/admin/sources/ldap/LDAPSourceUserForm.ts
index 4c767bd7a8..2e24b101a9 100644
--- a/web/src/admin/sources/ldap/LDAPSourceUserForm.ts
+++ b/web/src/admin/sources/ldap/LDAPSourceUserForm.ts
@@ -2,7 +2,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 import "#components/ak-text-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 
@@ -30,14 +30,14 @@ export class LDAPSourceUserForm extends ModelForm<UserLDAPSourceConnection, numb
     }
 
     protected async loadInstance(pk: number): Promise<UserLDAPSourceConnection> {
-        return new SourcesApi(DEFAULT_CONFIG).sourcesUserConnectionsLdapRetrieve({
+        return aki(SourcesApi).sourcesUserConnectionsLdapRetrieve({
             id: pk,
         });
     }
 
     async send(data: UserLDAPSourceConnection) {
         data.source = this.source?.pk || "";
-        return new SourcesApi(DEFAULT_CONFIG).sourcesUserConnectionsLdapCreate({
+        return aki(SourcesApi).sourcesUserConnectionsLdapCreate({
             userLDAPSourceConnectionRequest: data,
         });
     }
@@ -52,7 +52,7 @@ export class LDAPSourceUserForm extends ModelForm<UserLDAPSourceConnection, numb
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const users = await new CoreApi(DEFAULT_CONFIG).coreUsersList(args);
+                        const users = await aki(CoreApi).coreUsersList(args);
                         return users.results;
                     }}
                     .renderElement=${(user: User): string => {
diff --git a/web/src/admin/sources/ldap/LDAPSourceUserList.ts b/web/src/admin/sources/ldap/LDAPSourceUserList.ts
index d8eba9e046..4d0419e262 100644
--- a/web/src/admin/sources/ldap/LDAPSourceUserList.ts
+++ b/web/src/admin/sources/ldap/LDAPSourceUserList.ts
@@ -2,7 +2,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "#admin/sources/ldap/LDAPSourceUserForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -29,7 +29,7 @@ export class LDAPSourceUserList extends Table<UserLDAPSourceConnection> {
             object-label=${msg("LDAP User(s)")}
             .objects=${this.selectedElements}
             .delete=${(item: UserLDAPSourceConnection) => {
-                return new SourcesApi(DEFAULT_CONFIG).sourcesUserConnectionsLdapDestroy({
+                return aki(SourcesApi).sourcesUserConnectionsLdapDestroy({
                     id: item.pk,
                 });
             }}
@@ -58,7 +58,7 @@ export class LDAPSourceUserList extends Table<UserLDAPSourceConnection> {
     }
 
     async apiEndpoint(): Promise<PaginatedResponse<UserLDAPSourceConnection>> {
-        return new SourcesApi(DEFAULT_CONFIG).sourcesUserConnectionsLdapList({
+        return aki(SourcesApi).sourcesUserConnectionsLdapList({
             ...(await this.defaultEndpointConfig()),
             sourceSlug: this.source?.slug,
         });
diff --git a/web/src/admin/sources/ldap/LDAPSourceViewPage.ts b/web/src/admin/sources/ldap/LDAPSourceViewPage.ts
index d3ada59cdb..65ac0bc4e5 100644
--- a/web/src/admin/sources/ldap/LDAPSourceViewPage.ts
+++ b/web/src/admin/sources/ldap/LDAPSourceViewPage.ts
@@ -10,7 +10,7 @@ import "#elements/buttons/ActionButton/index";
 import "#elements/buttons/SpinnerButton/index";
 import "#elements/tasks/ScheduleList";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -39,7 +39,7 @@ import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 export class LDAPSourceViewPage extends AKElement {
     @property({ type: String })
     set sourceSlug(slug: string) {
-        new SourcesApi(DEFAULT_CONFIG)
+        aki(SourcesApi)
             .sourcesLdapRetrieve({
                 slug: slug,
             })
@@ -124,9 +124,7 @@ export class LDAPSourceViewPage extends AKElement {
                             <ak-sync-status-card
                                 .fetch=${() => {
                                     if (!this.source) return Promise.reject();
-                                    return new SourcesApi(
-                                        DEFAULT_CONFIG,
-                                    ).sourcesLdapSyncStatusRetrieve({
+                                    return aki(SourcesApi).sourcesLdapSyncStatusRetrieve({
                                         slug: this.source.slug,
                                     });
                                 }}
diff --git a/web/src/admin/sources/oauth/OAuthSourceDiagram.ts b/web/src/admin/sources/oauth/OAuthSourceDiagram.ts
index a312f091f7..a1151ffa61 100644
--- a/web/src/admin/sources/oauth/OAuthSourceDiagram.ts
+++ b/web/src/admin/sources/oauth/OAuthSourceDiagram.ts
@@ -17,9 +17,7 @@ export class OAuthSourceDiagram extends Diagram {
         const graph = ["graph LR"];
         graph.push(`source[${msg(str`OAuth Source ${this.source.name}`)}]`);
         graph.push(
-            `source --> flow_manager["${UserMatchingModeToLabel(
-                this.source.userMatchingMode || UserMatchingModeEnum.Identifier,
-            )}"]`,
+            `source --> flow_manager["${UserMatchingModeToLabel(this.source.userMatchingMode || UserMatchingModeEnum.Identifier)}"]`,
         );
         if (this.source.enrollmentFlow) {
             graph.push("flow_manager --> flow_enroll[Enrollment flow]");
diff --git a/web/src/admin/sources/oauth/OAuthSourceForm.ts b/web/src/admin/sources/oauth/OAuthSourceForm.ts
index 0702e2dfab..7d60d1dd03 100644
--- a/web/src/admin/sources/oauth/OAuthSourceForm.ts
+++ b/web/src/admin/sources/oauth/OAuthSourceForm.ts
@@ -14,7 +14,7 @@ import "#elements/forms/SearchSelect/index";
 
 import { propertyMappingsProvider, propertyMappingsSelector } from "./OAuthSourceFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { SlottedTemplateResult } from "#elements/types";
 import { ifPreviousValue } from "#elements/utils/properties";
@@ -82,7 +82,7 @@ export class OAuthSourceForm extends BaseSourceForm<OAuthSource> {
     //#region Lifecycle
 
     protected async loadInstance(pk: string): Promise<OAuthSource> {
-        const source = await new SourcesApi(DEFAULT_CONFIG).sourcesOauthRetrieve({
+        const source = await aki(SourcesApi).sourcesOauthRetrieve({
             slug: pk,
         });
         this.providerType = source.type;
@@ -99,19 +99,19 @@ export class OAuthSourceForm extends BaseSourceForm<OAuthSource> {
         data.providerType = (this.providerType?.name || "") as ProviderTypeEnum;
 
         if (this.instance) {
-            return new SourcesApi(DEFAULT_CONFIG).sourcesOauthPartialUpdate({
+            return aki(SourcesApi).sourcesOauthPartialUpdate({
                 slug: this.instance.slug,
                 patchedOAuthSourceRequest: data,
             });
         }
 
-        return new SourcesApi(DEFAULT_CONFIG).sourcesOauthCreate({
+        return aki(SourcesApi).sourcesOauthCreate({
             oAuthSourceRequest: data as unknown as OAuthSourceRequest,
         });
     }
 
     protected fetchProviderType(modelName: string): Promise<void> {
-        return new SourcesApi(DEFAULT_CONFIG)
+        return aki(SourcesApi)
             .sourcesOauthSourceTypesList({
                 name: modelName?.replace("oauthsource", ""),
             })
diff --git a/web/src/admin/sources/oauth/OAuthSourceFormHelpers.ts b/web/src/admin/sources/oauth/OAuthSourceFormHelpers.ts
index 41ac2e24ef..4b392baa04 100644
--- a/web/src/admin/sources/oauth/OAuthSourceFormHelpers.ts
+++ b/web/src/admin/sources/oauth/OAuthSourceFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,9 +7,7 @@ import { OAuthSourcePropertyMapping, PropertymappingsApi } from "@goauthentik/ap
 const mappingToSelect = (m: OAuthSourcePropertyMapping) => [m.pk, m.name, m.name, m];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsSourceOauthList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsSourceOauthList({
         ordering: "managed",
         pageSize: 20,
         search: search.trim(),
@@ -30,7 +28,7 @@ export function propertyMappingsSelector(instanceMappings?: string[]) {
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsSourceOauthRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/sources/oauth/OAuthSourceViewPage.ts b/web/src/admin/sources/oauth/OAuthSourceViewPage.ts
index d71eb23450..a3d130a41e 100644
--- a/web/src/admin/sources/oauth/OAuthSourceViewPage.ts
+++ b/web/src/admin/sources/oauth/OAuthSourceViewPage.ts
@@ -6,7 +6,7 @@ import "#elements/CodeMirror";
 import "#elements/Tabs";
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -78,7 +78,7 @@ export function ProviderToLabel(provider?: ProviderTypeEnum): string {
 export class OAuthSourceViewPage extends AKElement {
     @property({ type: String })
     set sourceSlug(value: string) {
-        new SourcesApi(DEFAULT_CONFIG)
+        aki(SourcesApi)
             .sourcesOauthRetrieve({
                 slug: value,
             })
diff --git a/web/src/admin/sources/plex/PlexSourceForm.ts b/web/src/admin/sources/plex/PlexSourceForm.ts
index 25bce462c0..db0154c49a 100644
--- a/web/src/admin/sources/plex/PlexSourceForm.ts
+++ b/web/src/admin/sources/plex/PlexSourceForm.ts
@@ -12,7 +12,7 @@ import "#elements/forms/SearchSelect/index";
 
 import { propertyMappingsProvider, propertyMappingsSelector } from "./PlexSourceFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PlexAPIClient, PlexResource, popupCenterScreen } from "#common/helpers/plex";
 import { ascii_letters, digits, randomString } from "#common/utils";
 
@@ -38,7 +38,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-source-plex-form")
 export class PlexSourceForm extends BaseSourceForm<PlexSource> {
     async loadInstance(pk: string): Promise<PlexSource> {
-        const source = await new SourcesApi(DEFAULT_CONFIG).sourcesPlexRetrieve({
+        const source = await aki(SourcesApi).sourcesPlexRetrieve({
             slug: pk,
         });
         this.plexToken = source.plexToken;
@@ -61,13 +61,13 @@ export class PlexSourceForm extends BaseSourceForm<PlexSource> {
     async send(data: PlexSource): Promise<PlexSource> {
         data.plexToken = this.plexToken || "";
         if (this.instance?.pk) {
-            return new SourcesApi(DEFAULT_CONFIG).sourcesPlexUpdate({
+            return aki(SourcesApi).sourcesPlexUpdate({
                 slug: this.instance.slug,
                 plexSourceRequest: data,
             });
         }
 
-        return new SourcesApi(DEFAULT_CONFIG).sourcesPlexCreate({
+        return aki(SourcesApi).sourcesPlexCreate({
             plexSourceRequest: data,
         });
     }
diff --git a/web/src/admin/sources/plex/PlexSourceFormHelpers.ts b/web/src/admin/sources/plex/PlexSourceFormHelpers.ts
index 454e2d1b92..91f8a7d7a6 100644
--- a/web/src/admin/sources/plex/PlexSourceFormHelpers.ts
+++ b/web/src/admin/sources/plex/PlexSourceFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,9 +7,7 @@ import { PlexSourcePropertyMapping, PropertymappingsApi } from "@goauthentik/api
 const mappingToSelect = (m: PlexSourcePropertyMapping) => [m.pk, m.name, m.name, m];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsSourcePlexList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsSourcePlexList({
         ordering: "managed",
         pageSize: 20,
         search: search.trim(),
@@ -28,7 +26,7 @@ export function propertyMappingsSelector(instanceMappings?: string[]) {
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsSourcePlexRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/sources/plex/PlexSourceViewPage.ts b/web/src/admin/sources/plex/PlexSourceViewPage.ts
index 19855cfc96..5270a9a26c 100644
--- a/web/src/admin/sources/plex/PlexSourceViewPage.ts
+++ b/web/src/admin/sources/plex/PlexSourceViewPage.ts
@@ -7,7 +7,7 @@ import "#elements/Tabs";
 import "#elements/buttons/SpinnerButton/index";
 import "#elements/forms/ModalForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -31,7 +31,7 @@ import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 export class PlexSourceViewPage extends AKElement {
     @property({ type: String })
     set sourceSlug(value: string) {
-        new SourcesApi(DEFAULT_CONFIG)
+        aki(SourcesApi)
             .sourcesPlexRetrieve({
                 slug: value,
             })
diff --git a/web/src/admin/sources/saml/SAMLSourceForm.ts b/web/src/admin/sources/saml/SAMLSourceForm.ts
index 4a3fd7f9bb..8dbeeb6976 100644
--- a/web/src/admin/sources/saml/SAMLSourceForm.ts
+++ b/web/src/admin/sources/saml/SAMLSourceForm.ts
@@ -12,7 +12,7 @@ import "#elements/utils/TimeDeltaHelp";
 
 import { propertyMappingsProvider, propertyMappingsSelector } from "./SAMLSourceFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { type AkCryptoCertificateSearch } from "#admin/common/ak-crypto-certificate-search";
 import { iconHelperText, placeholderHelperText } from "#admin/helperText";
@@ -56,20 +56,20 @@ export class SAMLSourceForm extends BaseSourceForm<SAMLSource> {
     }
 
     async loadInstance(pk: string): Promise<SAMLSource> {
-        return new SourcesApi(DEFAULT_CONFIG).sourcesSamlRetrieve({
+        return aki(SourcesApi).sourcesSamlRetrieve({
             slug: pk,
         });
     }
 
     async send(data: SAMLSource): Promise<SAMLSource> {
         if (this.instance) {
-            return new SourcesApi(DEFAULT_CONFIG).sourcesSamlUpdate({
+            return aki(SourcesApi).sourcesSamlUpdate({
                 slug: this.instance.slug,
                 sAMLSourceRequest: data,
             });
         }
 
-        return new SourcesApi(DEFAULT_CONFIG).sourcesSamlCreate({
+        return aki(SourcesApi).sourcesSamlCreate({
             sAMLSourceRequest: data,
         });
     }
diff --git a/web/src/admin/sources/saml/SAMLSourceFormHelpers.ts b/web/src/admin/sources/saml/SAMLSourceFormHelpers.ts
index bf3e3977b6..538a18d0a9 100644
--- a/web/src/admin/sources/saml/SAMLSourceFormHelpers.ts
+++ b/web/src/admin/sources/saml/SAMLSourceFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,9 +7,7 @@ import { PropertymappingsApi, SAMLSourcePropertyMapping } from "@goauthentik/api
 const mappingToSelect = (m: SAMLSourcePropertyMapping) => [m.pk, m.name, m.name, m];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsSourceSamlList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsSourceSamlList({
         ordering: "managed",
         pageSize: 20,
         search: search.trim(),
@@ -28,7 +26,7 @@ export function propertyMappingsSelector(instanceMappings?: string[]) {
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsSourceSamlRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/sources/saml/SAMLSourceViewPage.ts b/web/src/admin/sources/saml/SAMLSourceViewPage.ts
index e2f8ae5ba0..f3398c86cb 100644
--- a/web/src/admin/sources/saml/SAMLSourceViewPage.ts
+++ b/web/src/admin/sources/saml/SAMLSourceViewPage.ts
@@ -7,7 +7,7 @@ import "#elements/Tabs";
 import "#elements/buttons/SpinnerButton/index";
 import "#elements/forms/ModalForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -32,7 +32,7 @@ import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 export class SAMLSourceViewPage extends AKElement {
     @property({ type: String })
     set sourceSlug(slug: string) {
-        new SourcesApi(DEFAULT_CONFIG)
+        aki(SourcesApi)
             .sourcesSamlRetrieve({
                 slug: slug,
             })
@@ -168,7 +168,7 @@ export class SAMLSourceViewPage extends AKElement {
                     aria-label="${msg("Metadata")}"
                     class="pf-c-page__main-section pf-m-no-padding-mobile"
                     @activate=${() => {
-                        new SourcesApi(DEFAULT_CONFIG)
+                        aki(SourcesApi)
                             .sourcesSamlMetadataRetrieve({
                                 slug: this.source?.slug || "",
                             })
diff --git a/web/src/admin/sources/scim/SCIMSourceForm.ts b/web/src/admin/sources/scim/SCIMSourceForm.ts
index 67de2b0b2a..9bdab50ab7 100644
--- a/web/src/admin/sources/scim/SCIMSourceForm.ts
+++ b/web/src/admin/sources/scim/SCIMSourceForm.ts
@@ -7,7 +7,7 @@ import "#elements/forms/HorizontalFormElement";
 
 import { propertyMappingsProvider, propertyMappingsSelector } from "./SCIMSourceFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { placeholderHelperText } from "#admin/helperText";
 import { BaseSourceForm } from "#admin/sources/BaseSourceForm";
@@ -22,7 +22,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-source-scim-form")
 export class SCIMSourceForm extends BaseSourceForm<SCIMSource> {
     async loadInstance(pk: string): Promise<SCIMSource> {
-        return new SourcesApi(DEFAULT_CONFIG)
+        return aki(SourcesApi)
             .sourcesScimRetrieve({
                 slug: pk,
             })
@@ -33,12 +33,12 @@ export class SCIMSourceForm extends BaseSourceForm<SCIMSource> {
 
     async send(data: SCIMSource): Promise<SCIMSource> {
         if (this.instance?.slug) {
-            return new SourcesApi(DEFAULT_CONFIG).sourcesScimPartialUpdate({
+            return aki(SourcesApi).sourcesScimPartialUpdate({
                 slug: this.instance.slug,
                 patchedSCIMSourceRequest: data,
             });
         }
-        return new SourcesApi(DEFAULT_CONFIG).sourcesScimCreate({
+        return aki(SourcesApi).sourcesScimCreate({
             sCIMSourceRequest: data as unknown as SCIMSourceRequest,
         });
     }
diff --git a/web/src/admin/sources/scim/SCIMSourceFormHelpers.ts b/web/src/admin/sources/scim/SCIMSourceFormHelpers.ts
index ec89e45d46..188ca3d643 100644
--- a/web/src/admin/sources/scim/SCIMSourceFormHelpers.ts
+++ b/web/src/admin/sources/scim/SCIMSourceFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,9 +7,7 @@ import { PropertymappingsApi, SCIMSourcePropertyMapping } from "@goauthentik/api
 const mappingToSelect = (m: SCIMSourcePropertyMapping) => [m.pk, m.name, m.name, m];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsSourceScimList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsSourceScimList({
         ordering: "managed",
         pageSize: 20,
         search: search.trim(),
@@ -28,7 +26,7 @@ export function propertyMappingsSelector(instanceMappings?: string[]) {
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsSourceScimRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/sources/scim/SCIMSourceGroups.ts b/web/src/admin/sources/scim/SCIMSourceGroups.ts
index 28af4a2dd2..998ed4da5f 100644
--- a/web/src/admin/sources/scim/SCIMSourceGroups.ts
+++ b/web/src/admin/sources/scim/SCIMSourceGroups.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -18,7 +18,7 @@ export class SCIMSourceGroupList extends Table<SCIMSourceGroup> {
     protected override searchEnabled = true;
 
     async apiEndpoint(): Promise<PaginatedResponse<SCIMSourceGroup>> {
-        return new SourcesApi(DEFAULT_CONFIG).sourcesScimGroupsList({
+        return aki(SourcesApi).sourcesScimGroupsList({
             ...(await this.defaultEndpointConfig()),
             sourceSlug: this.sourceSlug,
         });
diff --git a/web/src/admin/sources/scim/SCIMSourceUsers.ts b/web/src/admin/sources/scim/SCIMSourceUsers.ts
index 249690a9ac..8a4f94509e 100644
--- a/web/src/admin/sources/scim/SCIMSourceUsers.ts
+++ b/web/src/admin/sources/scim/SCIMSourceUsers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { formatUserDisplayName } from "#common/users";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
@@ -19,7 +19,7 @@ export class SCIMSourceUserList extends Table<SCIMSourceUser> {
     protected override searchEnabled = true;
 
     async apiEndpoint(): Promise<PaginatedResponse<SCIMSourceUser>> {
-        return new SourcesApi(DEFAULT_CONFIG).sourcesScimUsersList({
+        return aki(SourcesApi).sourcesScimUsersList({
             ...(await this.defaultEndpointConfig()),
             sourceSlug: this.sourceSlug,
         });
diff --git a/web/src/admin/sources/scim/SCIMSourceViewPage.ts b/web/src/admin/sources/scim/SCIMSourceViewPage.ts
index 76cf54fe11..b91ce5449d 100644
--- a/web/src/admin/sources/scim/SCIMSourceViewPage.ts
+++ b/web/src/admin/sources/scim/SCIMSourceViewPage.ts
@@ -9,7 +9,7 @@ import "#elements/buttons/SpinnerButton/index";
 import "#elements/buttons/TokenCopyButton/index";
 import "#elements/forms/ModalForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -34,7 +34,7 @@ import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 export class SCIMSourceViewPage extends AKElement {
     @property({ type: String })
     set sourceSlug(value: string) {
-        new SourcesApi(DEFAULT_CONFIG)
+        aki(SourcesApi)
             .sourcesScimRetrieve({
                 slug: value,
             })
diff --git a/web/src/admin/sources/telegram/TelegramSourceForm.ts b/web/src/admin/sources/telegram/TelegramSourceForm.ts
index e012a5460a..c9a11b52f6 100644
--- a/web/src/admin/sources/telegram/TelegramSourceForm.ts
+++ b/web/src/admin/sources/telegram/TelegramSourceForm.ts
@@ -8,7 +8,7 @@ import "#components/ak-switch-input";
 
 import { propertyMappingsProvider, propertyMappingsSelector } from "./TelegramSourceFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { policyEngineModes } from "#admin/policies/PolicyEngineModes";
 import { BaseSourceForm } from "#admin/sources/BaseSourceForm";
@@ -30,7 +30,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-source-telegram-form")
 export class TelegramSourceForm extends BaseSourceForm<TelegramSource> {
     async loadInstance(pk: string): Promise<TelegramSource> {
-        const source = await new SourcesApi(DEFAULT_CONFIG).sourcesTelegramRetrieve({
+        const source = await aki(SourcesApi).sourcesTelegramRetrieve({
             slug: pk,
         });
         return source;
@@ -39,12 +39,12 @@ export class TelegramSourceForm extends BaseSourceForm<TelegramSource> {
     async send(data: TelegramSource): Promise<TelegramSource> {
         let source: TelegramSource;
         if (this.instance?.pk) {
-            source = await new SourcesApi(DEFAULT_CONFIG).sourcesTelegramPartialUpdate({
+            source = await aki(SourcesApi).sourcesTelegramPartialUpdate({
                 slug: this.instance.slug,
                 patchedTelegramSourceRequest: data,
             });
         } else {
-            source = await new SourcesApi(DEFAULT_CONFIG).sourcesTelegramCreate({
+            source = await aki(SourcesApi).sourcesTelegramCreate({
                 telegramSourceRequest: data as unknown as TelegramSourceRequest,
             });
         }
diff --git a/web/src/admin/sources/telegram/TelegramSourceFormHelpers.ts b/web/src/admin/sources/telegram/TelegramSourceFormHelpers.ts
index b2ec6d6365..68c9cbd265 100644
--- a/web/src/admin/sources/telegram/TelegramSourceFormHelpers.ts
+++ b/web/src/admin/sources/telegram/TelegramSourceFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,9 +7,7 @@ import { PropertymappingsApi, TelegramSourcePropertyMapping } from "@goauthentik
 const mappingToSelect = (m: TelegramSourcePropertyMapping) => [m.pk, m.name, m.name, m];
 
 export async function propertyMappingsProvider(page = 1, search = "") {
-    const propertyMappings = await new PropertymappingsApi(
-        DEFAULT_CONFIG,
-    ).propertymappingsSourceTelegramList({
+    const propertyMappings = await aki(PropertymappingsApi).propertymappingsSourceTelegramList({
         ordering: "managed",
         pageSize: 20,
         search: search.trim(),
@@ -30,7 +28,7 @@ export function propertyMappingsSelector(instanceMappings?: string[]) {
     }
 
     return async () => {
-        const pm = new PropertymappingsApi(DEFAULT_CONFIG);
+        const pm = aki(PropertymappingsApi);
         const mappings = await Promise.allSettled(
             instanceMappings.map((instanceId) =>
                 pm.propertymappingsSourceTelegramRetrieve({ pmUuid: instanceId }),
diff --git a/web/src/admin/sources/telegram/TelegramSourceViewPage.ts b/web/src/admin/sources/telegram/TelegramSourceViewPage.ts
index 20a75f51e7..5656688e0d 100644
--- a/web/src/admin/sources/telegram/TelegramSourceViewPage.ts
+++ b/web/src/admin/sources/telegram/TelegramSourceViewPage.ts
@@ -5,7 +5,7 @@ import "#elements/forms/ModalForm";
 import "#admin/policies/BoundPoliciesList";
 import "#admin/sources/telegram/TelegramSourceForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKElement } from "#elements/Base";
 import { sourceBindingTypeNotices } from "#elements/sources/utils";
@@ -27,7 +27,7 @@ import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 export class TelegramSourceViewPage extends AKElement {
     @property({ type: String })
     set sourceSlug(value: string) {
-        new SourcesApi(DEFAULT_CONFIG)
+        aki(SourcesApi)
             .sourcesTelegramRetrieve({
                 slug: value,
             })
diff --git a/web/src/admin/stages/StageListPage.ts b/web/src/admin/stages/StageListPage.ts
index 386151d1a8..4a27ebb58b 100644
--- a/web/src/admin/stages/StageListPage.ts
+++ b/web/src/admin/stages/StageListPage.ts
@@ -4,7 +4,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButtonByTagName, modalInvoker, ModalInvokerButton } from "#elements/dialogs";
 import { IconPermissionButton } from "#elements/dialogs/components/IconPermissionButton";
@@ -36,7 +36,7 @@ export class StageListPage extends TablePage<Stage> {
     public override searchPlaceholder = msg("Search for a stage name, type, or flow...");
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<Stage>> {
-        return new StagesApi(DEFAULT_CONFIG).stagesAllList(await this.defaultEndpointConfig());
+        return aki(StagesApi).stagesAllList(await this.defaultEndpointConfig());
     }
 
     protected override columns: TableColumn[] = [
@@ -52,12 +52,12 @@ export class StageListPage extends TablePage<Stage> {
             object-label=${msg("Stage(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: Stage) => {
-                return new StagesApi(DEFAULT_CONFIG).stagesAllUsedByList({
+                return aki(StagesApi).stagesAllUsedByList({
                     stageUuid: item.pk,
                 });
             }}
             .delete=${(item: Stage) => {
-                return new StagesApi(DEFAULT_CONFIG).stagesAllDestroy({
+                return aki(StagesApi).stagesAllDestroy({
                     stageUuid: item.pk,
                 });
             }}
diff --git a/web/src/admin/stages/account_lockdown/AccountLockdownStageForm.ts b/web/src/admin/stages/account_lockdown/AccountLockdownStageForm.ts
index 39cf18f2b7..0ccd80b6db 100644
--- a/web/src/admin/stages/account_lockdown/AccountLockdownStageForm.ts
+++ b/web/src/admin/stages/account_lockdown/AccountLockdownStageForm.ts
@@ -3,7 +3,7 @@ import "#admin/common/ak-flow-search/ak-flow-search";
 import "#components/ak-switch-input";
 import "#components/ak-text-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { SlottedTemplateResult } from "#elements/types";
 import { ifPresent } from "#elements/utils/attributes";
@@ -18,7 +18,7 @@ import { customElement } from "lit/decorators.js";
 
 @customElement("ak-stage-account-lockdown-form")
 export class AccountLockdownStageForm extends BaseStageForm<AccountLockdownStage> {
-    #api = new StagesApi(DEFAULT_CONFIG);
+    #api = aki(StagesApi);
 
     protected override loadInstance(pk: string): Promise<AccountLockdownStage> {
         return this.#api.stagesAccountLockdownRetrieve({ stageUuid: pk });
diff --git a/web/src/admin/stages/ak-stage-wizard.ts b/web/src/admin/stages/ak-stage-wizard.ts
index eec408cf11..49cf46b038 100644
--- a/web/src/admin/stages/ak-stage-wizard.ts
+++ b/web/src/admin/stages/ak-stage-wizard.ts
@@ -6,7 +6,7 @@ import "#elements/wizard/Wizard";
 import "#elements/forms/FormGroup";
 import "#admin/flows/StageBindingForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { RadioOption } from "#elements/forms/Radio";
 import { SlottedTemplateResult } from "#elements/types";
@@ -23,7 +23,7 @@ import { property } from "lit/decorators.js";
 
 @customElement("ak-stage-wizard")
 export class AKStageWizard extends CreateWizard {
-    #api = new StagesApi(DEFAULT_CONFIG);
+    #api = aki(StagesApi);
 
     @property({ type: Boolean })
     public showBindingPage = false;
diff --git a/web/src/admin/stages/authenticator_duo/AuthenticatorDuoStageForm.ts b/web/src/admin/stages/authenticator_duo/AuthenticatorDuoStageForm.ts
index d451920046..50783b2814 100644
--- a/web/src/admin/stages/authenticator_duo/AuthenticatorDuoStageForm.ts
+++ b/web/src/admin/stages/authenticator_duo/AuthenticatorDuoStageForm.ts
@@ -3,7 +3,7 @@ import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { RenderFlowOption } from "#admin/flows/utils";
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
@@ -25,19 +25,19 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-stage-authenticator-duo-form")
 export class AuthenticatorDuoStageForm extends BaseStageForm<AuthenticatorDuoStage> {
     loadInstance(pk: string): Promise<AuthenticatorDuoStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorDuoRetrieve({
+        return aki(StagesApi).stagesAuthenticatorDuoRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: AuthenticatorDuoStage): Promise<AuthenticatorDuoStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorDuoPartialUpdate({
+            return aki(StagesApi).stagesAuthenticatorDuoPartialUpdate({
                 stageUuid: this.instance.pk || "",
                 patchedAuthenticatorDuoStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorDuoCreate({
+        return aki(StagesApi).stagesAuthenticatorDuoCreate({
             authenticatorDuoStageRequest: data as unknown as AuthenticatorDuoStageRequest,
         });
     }
@@ -147,9 +147,7 @@ export class AuthenticatorDuoStageForm extends BaseStageForm<AuthenticatorDuoSta
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const flows = await new FlowsApi(DEFAULT_CONFIG).flowsInstancesList(
-                                    args,
-                                );
+                                const flows = await aki(FlowsApi).flowsInstancesList(args);
                                 return flows.results;
                             }}
                             .renderElement=${(flow: Flow): string => {
diff --git a/web/src/admin/stages/authenticator_duo/DuoDeviceImportForm.ts b/web/src/admin/stages/authenticator_duo/DuoDeviceImportForm.ts
index d30210b382..7523bfd0b2 100644
--- a/web/src/admin/stages/authenticator_duo/DuoDeviceImportForm.ts
+++ b/web/src/admin/stages/authenticator_duo/DuoDeviceImportForm.ts
@@ -4,7 +4,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 import "#components/ak-text-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { MessageLevel } from "#common/messages";
 
 import { ModalForm } from "#elements/forms/ModalForm";
@@ -36,7 +36,7 @@ export class DuoDeviceImportForm extends ModelForm<AuthenticatorDuoStage, string
     public static override submittingVerb = msg("Importing");
 
     loadInstance(pk: string): Promise<AuthenticatorDuoStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorDuoRetrieve({
+        return aki(StagesApi).stagesAuthenticatorDuoRetrieve({
             stageUuid: pk,
         });
     }
@@ -47,7 +47,7 @@ export class DuoDeviceImportForm extends ModelForm<AuthenticatorDuoStage, string
 
     async send(data: AuthenticatorDuoStage): Promise<void> {
         const importData = data as unknown as AuthenticatorDuoStageManualDeviceImportRequest;
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorDuoImportDeviceManualCreate({
+        return aki(StagesApi).stagesAuthenticatorDuoImportDeviceManualCreate({
             stageUuid: this.instance?.pk || "",
             authenticatorDuoStageManualDeviceImportRequest: importData,
         });
@@ -71,7 +71,7 @@ export class DuoDeviceImportForm extends ModelForm<AuthenticatorDuoStage, string
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const users = await new CoreApi(DEFAULT_CONFIG).coreUsersList(args);
+                        const users = await aki(CoreApi).coreUsersList(args);
                         return users.results;
                     }}
                     .renderElement=${(user: User): string => {
@@ -107,7 +107,7 @@ export class DuoDeviceImportForm extends ModelForm<AuthenticatorDuoStage, string
                 <ak-action-button
                     class="pf-m-primary"
                     .apiRequest=${() => {
-                        return new StagesApi(DEFAULT_CONFIG)
+                        return aki(StagesApi)
                             .stagesAuthenticatorDuoImportDevicesAutomaticCreate({
                                 stageUuid: this.instance?.pk || "",
                             })
diff --git a/web/src/admin/stages/authenticator_email/AuthenticatorEmailStageForm.ts b/web/src/admin/stages/authenticator_email/AuthenticatorEmailStageForm.ts
index 60129da6d3..be39f749b3 100644
--- a/web/src/admin/stages/authenticator_email/AuthenticatorEmailStageForm.ts
+++ b/web/src/admin/stages/authenticator_email/AuthenticatorEmailStageForm.ts
@@ -5,7 +5,7 @@ import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/index";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { SlottedTemplateResult } from "#elements/types";
 
@@ -30,7 +30,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-stage-authenticator-email-form")
 export class AuthenticatorEmailStageForm extends BaseStageForm<AuthenticatorEmailStage> {
     async loadInstance(pk: string): Promise<AuthenticatorEmailStage> {
-        const stage = await new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorEmailRetrieve({
+        const stage = await aki(StagesApi).stagesAuthenticatorEmailRetrieve({
             stageUuid: pk,
         });
         this.showConnectionSettings = !stage.useGlobalSettings;
@@ -38,7 +38,7 @@ export class AuthenticatorEmailStageForm extends BaseStageForm<AuthenticatorEmai
     }
 
     async load(): Promise<void> {
-        this.templates = await new StagesApi(DEFAULT_CONFIG).stagesEmailTemplatesList();
+        this.templates = await aki(StagesApi).stagesEmailTemplatesList();
     }
 
     templates?: TypeCreate[];
@@ -48,12 +48,12 @@ export class AuthenticatorEmailStageForm extends BaseStageForm<AuthenticatorEmai
 
     async send(data: AuthenticatorEmailStage): Promise<AuthenticatorEmailStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorEmailUpdate({
+            return aki(StagesApi).stagesAuthenticatorEmailUpdate({
                 stageUuid: this.instance.pk || "",
                 authenticatorEmailStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorEmailCreate({
+        return aki(StagesApi).stagesAuthenticatorEmailCreate({
             authenticatorEmailStageRequest: data,
         });
     }
@@ -215,9 +215,7 @@ export class AuthenticatorEmailStageForm extends BaseStageForm<AuthenticatorEmai
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const flows = await new FlowsApi(DEFAULT_CONFIG).flowsInstancesList(
-                                    args,
-                                );
+                                const flows = await aki(FlowsApi).flowsInstancesList(args);
                                 return flows.results;
                             }}
                             .renderElement=${(flow: Flow): string => {
diff --git a/web/src/admin/stages/authenticator_endpoint_gdtc/AuthenticatorEndpointGDTCStageForm.ts b/web/src/admin/stages/authenticator_endpoint_gdtc/AuthenticatorEndpointGDTCStageForm.ts
index cf3c62cd94..0c287c3d34 100644
--- a/web/src/admin/stages/authenticator_endpoint_gdtc/AuthenticatorEndpointGDTCStageForm.ts
+++ b/web/src/admin/stages/authenticator_endpoint_gdtc/AuthenticatorEndpointGDTCStageForm.ts
@@ -2,7 +2,7 @@ import "#elements/CodeMirror";
 import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
 
@@ -17,19 +17,19 @@ import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
 @customElement("ak-stage-authenticator-endpoint-gdtc-form")
 export class AuthenticatorEndpointGDTCStageForm extends BaseStageForm<AuthenticatorEndpointGDTCStage> {
     loadInstance(pk: string): Promise<AuthenticatorEndpointGDTCStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorEndpointGdtcRetrieve({
+        return aki(StagesApi).stagesAuthenticatorEndpointGdtcRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: AuthenticatorEndpointGDTCStage): Promise<AuthenticatorEndpointGDTCStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorEndpointGdtcPartialUpdate({
+            return aki(StagesApi).stagesAuthenticatorEndpointGdtcPartialUpdate({
                 stageUuid: this.instance.pk || "",
                 patchedAuthenticatorEndpointGDTCStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorEndpointGdtcCreate({
+        return aki(StagesApi).stagesAuthenticatorEndpointGdtcCreate({
             authenticatorEndpointGDTCStageRequest: data,
         });
     }
diff --git a/web/src/admin/stages/authenticator_sms/AuthenticatorSMSStageForm.ts b/web/src/admin/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
index 368651b801..a01653d5d1 100644
--- a/web/src/admin/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
+++ b/web/src/admin/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
@@ -4,7 +4,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { RenderFlowOption } from "#admin/flows/utils";
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
@@ -30,7 +30,7 @@ import { customElement, property } from "lit/decorators.js";
 @customElement("ak-stage-authenticator-sms-form")
 export class AuthenticatorSMSStageForm extends BaseStageForm<AuthenticatorSMSStage> {
     loadInstance(pk: string): Promise<AuthenticatorSMSStage> {
-        return new StagesApi(DEFAULT_CONFIG)
+        return aki(StagesApi)
             .stagesAuthenticatorSmsRetrieve({
                 stageUuid: pk,
             })
@@ -49,12 +49,12 @@ export class AuthenticatorSMSStageForm extends BaseStageForm<AuthenticatorSMSSta
 
     async send(data: AuthenticatorSMSStage): Promise<AuthenticatorSMSStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorSmsUpdate({
+            return aki(StagesApi).stagesAuthenticatorSmsUpdate({
                 stageUuid: this.instance.pk || "",
                 authenticatorSMSStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorSmsCreate({
+        return aki(StagesApi).stagesAuthenticatorSmsCreate({
             authenticatorSMSStageRequest: data,
         });
     }
@@ -248,9 +248,10 @@ export class AuthenticatorSMSStageForm extends BaseStageForm<AuthenticatorSMSSta
                                 if (query) {
                                     args.search = query;
                                 }
-                                const items = await new PropertymappingsApi(
-                                    DEFAULT_CONFIG,
-                                ).propertymappingsNotificationList(args);
+                                const items =
+                                    await aki(PropertymappingsApi).propertymappingsNotificationList(
+                                        args,
+                                    );
                                 return items.results;
                             }}
                             .renderElement=${(item: NotificationWebhookMapping): string => {
@@ -290,9 +291,7 @@ export class AuthenticatorSMSStageForm extends BaseStageForm<AuthenticatorSMSSta
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const flows = await new FlowsApi(DEFAULT_CONFIG).flowsInstancesList(
-                                    args,
-                                );
+                                const flows = await aki(FlowsApi).flowsInstancesList(args);
                                 return flows.results;
                             }}
                             .renderElement=${(flow: Flow): string => {
diff --git a/web/src/admin/stages/authenticator_static/AuthenticatorStaticStageForm.ts b/web/src/admin/stages/authenticator_static/AuthenticatorStaticStageForm.ts
index 8030b5a2db..a5062bceac 100644
--- a/web/src/admin/stages/authenticator_static/AuthenticatorStaticStageForm.ts
+++ b/web/src/admin/stages/authenticator_static/AuthenticatorStaticStageForm.ts
@@ -1,7 +1,7 @@
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { RenderFlowOption } from "#admin/flows/utils";
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
@@ -22,19 +22,19 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-stage-authenticator-static-form")
 export class AuthenticatorStaticStageForm extends BaseStageForm<AuthenticatorStaticStage> {
     loadInstance(pk: string): Promise<AuthenticatorStaticStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorStaticRetrieve({
+        return aki(StagesApi).stagesAuthenticatorStaticRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: AuthenticatorStaticStage): Promise<AuthenticatorStaticStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorStaticUpdate({
+            return aki(StagesApi).stagesAuthenticatorStaticUpdate({
                 stageUuid: this.instance.pk || "",
                 authenticatorStaticStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorStaticCreate({
+        return aki(StagesApi).stagesAuthenticatorStaticCreate({
             authenticatorStaticStageRequest: data,
         });
     }
@@ -120,9 +120,7 @@ export class AuthenticatorStaticStageForm extends BaseStageForm<AuthenticatorSta
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const flows = await new FlowsApi(DEFAULT_CONFIG).flowsInstancesList(
-                                    args,
-                                );
+                                const flows = await aki(FlowsApi).flowsInstancesList(args);
                                 return flows.results;
                             }}
                             .renderElement=${(flow: Flow): string => {
diff --git a/web/src/admin/stages/authenticator_totp/AuthenticatorTOTPStageForm.ts b/web/src/admin/stages/authenticator_totp/AuthenticatorTOTPStageForm.ts
index ca44cb4ecc..aec300992d 100644
--- a/web/src/admin/stages/authenticator_totp/AuthenticatorTOTPStageForm.ts
+++ b/web/src/admin/stages/authenticator_totp/AuthenticatorTOTPStageForm.ts
@@ -2,7 +2,7 @@ import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { RenderFlowOption } from "#admin/flows/utils";
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
@@ -24,19 +24,19 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-stage-authenticator-totp-form")
 export class AuthenticatorTOTPStageForm extends BaseStageForm<AuthenticatorTOTPStage> {
     loadInstance(pk: string): Promise<AuthenticatorTOTPStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorTotpRetrieve({
+        return aki(StagesApi).stagesAuthenticatorTotpRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: AuthenticatorTOTPStage): Promise<AuthenticatorTOTPStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorTotpUpdate({
+            return aki(StagesApi).stagesAuthenticatorTotpUpdate({
                 stageUuid: this.instance.pk || "",
                 authenticatorTOTPStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorTotpCreate({
+        return aki(StagesApi).stagesAuthenticatorTotpCreate({
             authenticatorTOTPStageRequest: data,
         });
     }
@@ -104,9 +104,7 @@ export class AuthenticatorTOTPStageForm extends BaseStageForm<AuthenticatorTOTPS
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const flows = await new FlowsApi(DEFAULT_CONFIG).flowsInstancesList(
-                                    args,
-                                );
+                                const flows = await aki(FlowsApi).flowsInstancesList(args);
                                 return flows.results;
                             }}
                             .renderElement=${(flow: Flow): string => {
diff --git a/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts b/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
index 058fd76d74..1989210307 100644
--- a/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
+++ b/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
@@ -14,7 +14,7 @@ import {
     stagesSelector,
 } from "./AuthenticatorValidateStageFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DataProvision, DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -41,7 +41,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-stage-authenticator-validate-form")
 export class AuthenticatorValidateStageForm extends BaseStageForm<AuthenticatorValidateStage> {
     async loadInstance(pk: string): Promise<AuthenticatorValidateStage> {
-        const stage = await new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorValidateRetrieve({
+        const stage = await aki(StagesApi).stagesAuthenticatorValidateRetrieve({
             stageUuid: pk,
         });
         this.showConfigurationStages =
@@ -50,7 +50,7 @@ export class AuthenticatorValidateStageForm extends BaseStageForm<AuthenticatorV
     }
 
     async load(): Promise<void> {
-        this.stages = await new StagesApi(DEFAULT_CONFIG).stagesAllList({
+        this.stages = await aki(StagesApi).stagesAllList({
             ordering: "name",
         });
     }
@@ -62,12 +62,12 @@ export class AuthenticatorValidateStageForm extends BaseStageForm<AuthenticatorV
 
     async send(data: AuthenticatorValidateStage): Promise<AuthenticatorValidateStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorValidateUpdate({
+            return aki(StagesApi).stagesAuthenticatorValidateUpdate({
                 stageUuid: this.instance.pk || "",
                 authenticatorValidateStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorValidateCreate({
+        return aki(StagesApi).stagesAuthenticatorValidateCreate({
             authenticatorValidateStageRequest: data,
         });
     }
diff --git a/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageFormHelpers.ts b/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageFormHelpers.ts
index 9da4d19225..19fdf09524 100644
--- a/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageFormHelpers.ts
+++ b/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -9,7 +9,7 @@ import { Stage, StagesApi } from "@goauthentik/api";
 const stageToSelect = (stage: Stage) => [stage.pk, `${stage.name} (${stage.verboseName})`];
 
 export async function stagesProvider(page = 1, search = "") {
-    const stages = await new StagesApi(DEFAULT_CONFIG).stagesAllList({
+    const stages = await aki(StagesApi).stagesAllList({
         ordering: "name",
         pageSize: 20,
         search: search.trim(),
@@ -28,7 +28,7 @@ export function stagesSelector(instanceStages: string[] | undefined) {
             stages.filter(([_0, _1, _2, stage]: DualSelectPair<Stage>) => stage !== undefined);
     }
     return async () => {
-        const stagesApi = new StagesApi(DEFAULT_CONFIG);
+        const stagesApi = aki(StagesApi);
         const stages = await Promise.allSettled(
             instanceStages.map((instanceId) =>
                 stagesApi.stagesAllRetrieve({ stageUuid: instanceId }),
@@ -42,9 +42,7 @@ export function stagesSelector(instanceStages: string[] | undefined) {
 }
 
 export async function authenticatorWebauthnDeviceTypesListProvider(page = 1, search = "") {
-    const devicetypes = await new StagesApi(
-        DEFAULT_CONFIG,
-    ).stagesAuthenticatorWebauthnDeviceTypesList({
+    const devicetypes = await aki(StagesApi).stagesAuthenticatorWebauthnDeviceTypesList({
         pageSize: 20,
         search: search.trim(),
         page,
diff --git a/web/src/admin/stages/authenticator_webauthn/AuthenticatorWebAuthnStageForm.ts b/web/src/admin/stages/authenticator_webauthn/AuthenticatorWebAuthnStageForm.ts
index ddfb9d4266..803821d7f8 100644
--- a/web/src/admin/stages/authenticator_webauthn/AuthenticatorWebAuthnStageForm.ts
+++ b/web/src/admin/stages/authenticator_webauthn/AuthenticatorWebAuthnStageForm.ts
@@ -5,7 +5,7 @@ import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/index";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DataProvision, DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -32,7 +32,7 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-stage-authenticator-webauthn-form")
 export class AuthenticatorWebAuthnStageForm extends BaseStageForm<AuthenticatorWebAuthnStage> {
     async loadInstance(pk: string): Promise<AuthenticatorWebAuthnStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorWebauthnRetrieve({
+        return aki(StagesApi).stagesAuthenticatorWebauthnRetrieve({
             stageUuid: pk,
         });
     }
@@ -42,12 +42,12 @@ export class AuthenticatorWebAuthnStageForm extends BaseStageForm<AuthenticatorW
             data.authenticatorAttachment = null;
         }
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorWebauthnUpdate({
+            return aki(StagesApi).stagesAuthenticatorWebauthnUpdate({
                 stageUuid: this.instance.pk || "",
                 authenticatorWebAuthnStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorWebauthnCreate({
+        return aki(StagesApi).stagesAuthenticatorWebauthnCreate({
             authenticatorWebAuthnStageRequest: data,
         });
     }
@@ -229,7 +229,7 @@ export class AuthenticatorWebAuthnStageForm extends BaseStageForm<AuthenticatorW
                     >
                         <ak-dual-select-provider
                             .provider=${(page: number, search?: string): Promise<DataProvision> => {
-                                return new StagesApi(DEFAULT_CONFIG)
+                                return aki(StagesApi)
                                     .stagesAuthenticatorWebauthnDeviceTypesList({
                                         page: page,
                                         search: search,
@@ -266,9 +266,7 @@ export class AuthenticatorWebAuthnStageForm extends BaseStageForm<AuthenticatorW
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const flows = await new FlowsApi(DEFAULT_CONFIG).flowsInstancesList(
-                                    args,
-                                );
+                                const flows = await aki(FlowsApi).flowsInstancesList(args);
                                 return flows.results;
                             }}
                             .renderElement=${(flow: Flow): string => {
diff --git a/web/src/admin/stages/captcha/CaptchaStageForm.ts b/web/src/admin/stages/captcha/CaptchaStageForm.ts
index bb184313c6..6c962e3ac2 100644
--- a/web/src/admin/stages/captcha/CaptchaStageForm.ts
+++ b/web/src/admin/stages/captcha/CaptchaStageForm.ts
@@ -6,7 +6,7 @@ import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/Alert";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { Level } from "#elements/Alert";
 import { SlottedTemplateResult } from "#elements/types";
@@ -39,7 +39,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 export class CaptchaStageForm extends BaseStageForm<CaptchaStage> {
     public static override readonly styles = [...super.styles, Styles];
 
-    #api = new StagesApi(DEFAULT_CONFIG);
+    #api = aki(StagesApi);
 
     //#region Lifecycle
 
diff --git a/web/src/admin/stages/consent/ConsentStageForm.ts b/web/src/admin/stages/consent/ConsentStageForm.ts
index 2cf1d45ab1..5dffbed513 100644
--- a/web/src/admin/stages/consent/ConsentStageForm.ts
+++ b/web/src/admin/stages/consent/ConsentStageForm.ts
@@ -2,7 +2,7 @@ import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/utils/TimeDeltaHelp";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
 
@@ -16,7 +16,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-stage-consent-form")
 export class ConsentStageForm extends BaseStageForm<ConsentStage> {
     loadInstance(pk: string): Promise<ConsentStage> {
-        return new StagesApi(DEFAULT_CONFIG)
+        return aki(StagesApi)
             .stagesConsentRetrieve({
                 stageUuid: pk,
             })
@@ -31,12 +31,12 @@ export class ConsentStageForm extends BaseStageForm<ConsentStage> {
 
     async send(data: ConsentStage): Promise<ConsentStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesConsentUpdate({
+            return aki(StagesApi).stagesConsentUpdate({
                 stageUuid: this.instance.pk || "",
                 consentStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesConsentCreate({
+        return aki(StagesApi).stagesConsentCreate({
             consentStageRequest: data,
         });
     }
diff --git a/web/src/admin/stages/deny/DenyStageForm.ts b/web/src/admin/stages/deny/DenyStageForm.ts
index a070788781..96c8948e95 100644
--- a/web/src/admin/stages/deny/DenyStageForm.ts
+++ b/web/src/admin/stages/deny/DenyStageForm.ts
@@ -1,6 +1,6 @@
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
 
@@ -14,19 +14,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-stage-deny-form")
 export class DenyStageForm extends BaseStageForm<DenyStage> {
     loadInstance(pk: string): Promise<DenyStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesDenyRetrieve({
+        return aki(StagesApi).stagesDenyRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: DenyStage): Promise<DenyStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesDenyUpdate({
+            return aki(StagesApi).stagesDenyUpdate({
                 stageUuid: this.instance.pk || "",
                 denyStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesDenyCreate({
+        return aki(StagesApi).stagesDenyCreate({
             denyStageRequest: data,
         });
     }
diff --git a/web/src/admin/stages/dummy/DummyStageForm.ts b/web/src/admin/stages/dummy/DummyStageForm.ts
index e0b1bc3d53..90b86c2899 100644
--- a/web/src/admin/stages/dummy/DummyStageForm.ts
+++ b/web/src/admin/stages/dummy/DummyStageForm.ts
@@ -1,7 +1,7 @@
 import "#components/ak-switch-input";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
 
@@ -15,19 +15,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-stage-dummy-form")
 export class DummyStageForm extends BaseStageForm<DummyStage> {
     loadInstance(pk: string): Promise<DummyStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesDummyRetrieve({
+        return aki(StagesApi).stagesDummyRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: DummyStage): Promise<DummyStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesDummyUpdate({
+            return aki(StagesApi).stagesDummyUpdate({
                 stageUuid: this.instance.pk || "",
                 dummyStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesDummyCreate({
+        return aki(StagesApi).stagesDummyCreate({
             dummyStageRequest: data,
         });
     }
diff --git a/web/src/admin/stages/email/EmailStageForm.ts b/web/src/admin/stages/email/EmailStageForm.ts
index 3d2ef1a681..df9ee1aa17 100644
--- a/web/src/admin/stages/email/EmailStageForm.ts
+++ b/web/src/admin/stages/email/EmailStageForm.ts
@@ -4,7 +4,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/utils/TimeDeltaHelp";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { SlottedTemplateResult } from "#elements/types";
 
@@ -20,7 +20,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-stage-email-form")
 export class EmailStageForm extends BaseStageForm<EmailStage> {
     async loadInstance(pk: string): Promise<EmailStage> {
-        const stage = await new StagesApi(DEFAULT_CONFIG).stagesEmailRetrieve({
+        const stage = await aki(StagesApi).stagesEmailRetrieve({
             stageUuid: pk,
         });
         this.showConnectionSettings = !stage.useGlobalSettings;
@@ -28,7 +28,7 @@ export class EmailStageForm extends BaseStageForm<EmailStage> {
     }
 
     async load(): Promise<void> {
-        this.templates = await new StagesApi(DEFAULT_CONFIG).stagesEmailTemplatesList();
+        this.templates = await aki(StagesApi).stagesEmailTemplatesList();
     }
 
     templates?: TypeCreate[];
@@ -38,12 +38,12 @@ export class EmailStageForm extends BaseStageForm<EmailStage> {
 
     async send(data: EmailStage): Promise<EmailStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesEmailPartialUpdate({
+            return aki(StagesApi).stagesEmailPartialUpdate({
                 stageUuid: this.instance.pk || "",
                 patchedEmailStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesEmailCreate({
+        return aki(StagesApi).stagesEmailCreate({
             emailStageRequest: data,
         });
     }
diff --git a/web/src/admin/stages/endpoint/EndpointStageForm.ts b/web/src/admin/stages/endpoint/EndpointStageForm.ts
index eb8a6514a2..9042207c8b 100644
--- a/web/src/admin/stages/endpoint/EndpointStageForm.ts
+++ b/web/src/admin/stages/endpoint/EndpointStageForm.ts
@@ -3,7 +3,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 import "#elements/forms/FormGroup";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
 
@@ -24,19 +24,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-endpoints-stage-form")
 export class EndpointStageForm extends BaseStageForm<EndpointStage> {
     loadInstance(pk: string): Promise<EndpointStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesEndpointsRetrieve({
+        return aki(StagesApi).stagesEndpointsRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: EndpointStage): Promise<EndpointStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesEndpointsUpdate({
+            return aki(StagesApi).stagesEndpointsUpdate({
                 stageUuid: this.instance.pk || "",
                 endpointStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesEndpointsCreate({
+        return aki(StagesApi).stagesEndpointsCreate({
             endpointStageRequest: data,
         });
     }
@@ -64,9 +64,7 @@ export class EndpointStageForm extends BaseStageForm<EndpointStage> {
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const users = await new EndpointsApi(
-                                    DEFAULT_CONFIG,
-                                ).endpointsConnectorsList(args);
+                                const users = await aki(EndpointsApi).endpointsConnectorsList(args);
                                 return users.results;
                             }}
                             .renderElement=${(connector: Connector): string => {
diff --git a/web/src/admin/stages/identification/IdentificationStageForm.ts b/web/src/admin/stages/identification/IdentificationStageForm.ts
index a1024c8030..1ef2767c90 100644
--- a/web/src/admin/stages/identification/IdentificationStageForm.ts
+++ b/web/src/admin/stages/identification/IdentificationStageForm.ts
@@ -8,7 +8,7 @@ import "#elements/forms/SearchSelect/index";
 
 import { sourcesProvider, sourcesSelector } from "./IdentificationStageFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { groupBy } from "#common/utils";
 
 import { AKLabel } from "#components/ak-label";
@@ -43,20 +43,20 @@ export class IdentificationStageForm extends BaseStageForm<IdentificationStage>
     ];
 
     loadInstance(pk: string): Promise<IdentificationStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesIdentificationRetrieve({
+        return aki(StagesApi).stagesIdentificationRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: IdentificationStage): Promise<IdentificationStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesIdentificationUpdate({
+            return aki(StagesApi).stagesIdentificationUpdate({
                 stageUuid: this.instance.pk || "",
                 identificationStageRequest: data,
             });
         }
 
-        return new StagesApi(DEFAULT_CONFIG).stagesIdentificationCreate({
+        return aki(StagesApi).stagesIdentificationCreate({
             identificationStageRequest: data,
         });
     }
@@ -122,9 +122,7 @@ export class IdentificationStageForm extends BaseStageForm<IdentificationStage>
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const stages = await new StagesApi(
-                                    DEFAULT_CONFIG,
-                                ).stagesPasswordList(args);
+                                const stages = await aki(StagesApi).stagesPasswordList(args);
                                 return stages.results;
                             }}
                             .groupBy=${(items: Stage[]) =>
@@ -151,9 +149,7 @@ export class IdentificationStageForm extends BaseStageForm<IdentificationStage>
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const stages = await new StagesApi(
-                                    DEFAULT_CONFIG,
-                                ).stagesCaptchaList(args);
+                                const stages = await aki(StagesApi).stagesCaptchaList(args);
                                 return stages.results;
                             }}
                             .groupBy=${(items: Stage[]) =>
@@ -219,9 +215,8 @@ export class IdentificationStageForm extends BaseStageForm<IdentificationStage>
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const stages = await new StagesApi(
-                                    DEFAULT_CONFIG,
-                                ).stagesAuthenticatorValidateList(args);
+                                const stages =
+                                    await aki(StagesApi).stagesAuthenticatorValidateList(args);
                                 return stages.results;
                             }}
                             .groupBy=${(items: Stage[]) =>
diff --git a/web/src/admin/stages/identification/IdentificationStageFormHelpers.ts b/web/src/admin/stages/identification/IdentificationStageFormHelpers.ts
index 1bf8b49e3c..068696e9d6 100644
--- a/web/src/admin/stages/identification/IdentificationStageFormHelpers.ts
+++ b/web/src/admin/stages/identification/IdentificationStageFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -7,7 +7,7 @@ import { Source, SourcesApi } from "@goauthentik/api";
 const sourceToSelect = (source: Source) => [source.pk, source.name, source.name, source];
 
 export async function sourcesProvider(page = 1, search = "") {
-    const sources = await new SourcesApi(DEFAULT_CONFIG).sourcesAllList({
+    const sources = await aki(SourcesApi).sourcesAllList({
         ordering: "slug",
         pageSize: 20,
         search: search.trim(),
@@ -26,7 +26,7 @@ export function sourcesSelector(instanceSources: string[] | undefined) {
             sources.filter(([_0, _1, _2, source]: DualSelectPair<Source>) => source !== undefined);
     }
     return async () => {
-        const sourcesApi = new SourcesApi(DEFAULT_CONFIG);
+        const sourcesApi = aki(SourcesApi);
         const sources = await Promise.allSettled(
             instanceSources.map((instanceId) => sourcesApi.sourcesAllList({ pbmUuid: instanceId })),
         );
diff --git a/web/src/admin/stages/invitation/InvitationForm.ts b/web/src/admin/stages/invitation/InvitationForm.ts
index 394a12bde4..c298057c56 100644
--- a/web/src/admin/stages/invitation/InvitationForm.ts
+++ b/web/src/admin/stages/invitation/InvitationForm.ts
@@ -5,7 +5,7 @@ import "#elements/CodeMirror";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { dateTimeLocal } from "#common/temporal";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -24,7 +24,7 @@ export class InvitationForm extends ModelForm<Invitation, string> {
     public static override verboseNamePlural = msg("Invitations");
 
     loadInstance(pk: string): Promise<Invitation> {
-        return new StagesApi(DEFAULT_CONFIG).stagesInvitationInvitationsRetrieve({
+        return aki(StagesApi).stagesInvitationInvitationsRetrieve({
             inviteUuid: pk,
         });
     }
@@ -37,12 +37,12 @@ export class InvitationForm extends ModelForm<Invitation, string> {
 
     async send(data: Invitation): Promise<Invitation> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesInvitationInvitationsUpdate({
+            return aki(StagesApi).stagesInvitationInvitationsUpdate({
                 inviteUuid: this.instance.pk || "",
                 invitationRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesInvitationInvitationsCreate({
+        return aki(StagesApi).stagesInvitationInvitationsCreate({
             invitationRequest: data,
         });
     }
diff --git a/web/src/admin/stages/invitation/InvitationListLink.ts b/web/src/admin/stages/invitation/InvitationListLink.ts
index 48de202694..d7dce81685 100644
--- a/web/src/admin/stages/invitation/InvitationListLink.ts
+++ b/web/src/admin/stages/invitation/InvitationListLink.ts
@@ -2,7 +2,7 @@ import "#admin/stages/invitation/InvitationSendEmailForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { writeToClipboard } from "#common/clipboard";
 
 import { AKElement } from "#elements/Base";
@@ -74,7 +74,7 @@ export class InvitationListLink extends AKElement {
                         }}
                     >
                         ${until(
-                            new StagesApi(DEFAULT_CONFIG)
+                            aki(StagesApi)
                                 .stagesInvitationStagesList({
                                     ordering: "name",
                                     noFlows: false,
diff --git a/web/src/admin/stages/invitation/InvitationListPage.ts b/web/src/admin/stages/invitation/InvitationListPage.ts
index d60288b2b3..e46316fe8f 100644
--- a/web/src/admin/stages/invitation/InvitationListPage.ts
+++ b/web/src/admin/stages/invitation/InvitationListPage.ts
@@ -9,7 +9,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconEditButton, modalInvoker } from "#elements/dialogs";
 import { PFColor } from "#elements/Label";
@@ -58,7 +58,7 @@ export class InvitationListPage extends TablePage<Invitation> {
     protected override async apiEndpoint(): Promise<PaginatedResponse<Invitation>> {
         try {
             // Check if any invitation stages exist
-            const stages = await new StagesApi(DEFAULT_CONFIG).stagesInvitationStagesList({
+            const stages = await aki(StagesApi).stagesInvitationStagesList({
                 noFlows: false,
             });
             this.invitationStageExists = stages.pagination.count > 0;
@@ -74,7 +74,7 @@ export class InvitationListPage extends TablePage<Invitation> {
         } catch {
             // assuming we can't fetch stages, ignore the error
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesInvitationInvitationsList({
+        return aki(StagesApi).stagesInvitationInvitationsList({
             ...(await this.defaultEndpointConfig()),
         });
     }
@@ -92,12 +92,12 @@ export class InvitationListPage extends TablePage<Invitation> {
             object-label=${msg("Invitation(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: Invitation) => {
-                return new StagesApi(DEFAULT_CONFIG).stagesInvitationInvitationsUsedByList({
+                return aki(StagesApi).stagesInvitationInvitationsUsedByList({
                     inviteUuid: item.pk,
                 });
             }}
             .delete=${(item: Invitation) => {
-                return new StagesApi(DEFAULT_CONFIG).stagesInvitationInvitationsDestroy({
+                return aki(StagesApi).stagesInvitationInvitationsDestroy({
                     inviteUuid: item.pk,
                 });
             }}
diff --git a/web/src/admin/stages/invitation/InvitationSendEmailForm.ts b/web/src/admin/stages/invitation/InvitationSendEmailForm.ts
index 1218589782..339d41d717 100644
--- a/web/src/admin/stages/invitation/InvitationSendEmailForm.ts
+++ b/web/src/admin/stages/invitation/InvitationSendEmailForm.ts
@@ -1,7 +1,7 @@
 import "#elements/buttons/SpinnerButton/index";
 import "#components/ak-textarea-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { MessageLevel } from "#common/messages";
 
 import { Form } from "#elements/forms/Form";
@@ -41,9 +41,7 @@ export class InvitationSendEmailForm extends Form<InvitationSendEmailRequestWith
 
     fetchAvailableTemplates = async (): Promise<void> => {
         try {
-            this.availableTemplates = await new StagesApi(
-                DEFAULT_CONFIG,
-            ).stagesEmailTemplatesList();
+            this.availableTemplates = await aki(StagesApi).stagesEmailTemplatesList();
         } catch (error) {
             console.error("Failed to fetch email templates:", error);
         }
@@ -80,7 +78,7 @@ export class InvitationSendEmailForm extends Form<InvitationSendEmailRequestWith
         }
 
         try {
-            await new StagesApi(DEFAULT_CONFIG).stagesInvitationInvitationsSendEmailCreate({
+            await aki(StagesApi).stagesInvitationInvitationsSendEmailCreate({
                 inviteUuid: this.invitation?.pk || "",
                 invitationSendEmailRequest: {
                     emailAddresses: addresses,
diff --git a/web/src/admin/stages/invitation/InvitationStageForm.ts b/web/src/admin/stages/invitation/InvitationStageForm.ts
index dfecf75d52..071d06f0ae 100644
--- a/web/src/admin/stages/invitation/InvitationStageForm.ts
+++ b/web/src/admin/stages/invitation/InvitationStageForm.ts
@@ -2,7 +2,7 @@ import "#components/ak-switch-input";
 import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
 
@@ -15,19 +15,19 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-stage-invitation-form")
 export class InvitationStageForm extends BaseStageForm<InvitationStage> {
     loadInstance(pk: string): Promise<InvitationStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesInvitationStagesRetrieve({
+        return aki(StagesApi).stagesInvitationStagesRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: InvitationStage): Promise<InvitationStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesInvitationStagesUpdate({
+            return aki(StagesApi).stagesInvitationStagesUpdate({
                 stageUuid: this.instance.pk || "",
                 invitationStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesInvitationStagesCreate({
+        return aki(StagesApi).stagesInvitationStagesCreate({
             invitationStageRequest: data,
         });
     }
diff --git a/web/src/admin/stages/invitation/wizard/InvitationWizardDetailsStep.ts b/web/src/admin/stages/invitation/wizard/InvitationWizardDetailsStep.ts
index 8ff43cdf4a..7df976da6f 100644
--- a/web/src/admin/stages/invitation/wizard/InvitationWizardDetailsStep.ts
+++ b/web/src/admin/stages/invitation/wizard/InvitationWizardDetailsStep.ts
@@ -4,7 +4,7 @@ import "#elements/forms/HorizontalFormElement";
 
 import type { InvitationWizardState } from "./types";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import {
     parseAPIResponseError,
     pluckErrorDetail,
@@ -97,7 +97,7 @@ export class InvitationWizardDetailsStep extends WizardPage {
 
         if (wizardState.needsFlow) {
             try {
-                const result = await new ManagedApi(DEFAULT_CONFIG).managedBlueprintsImportCreate({
+                const result = await aki(ManagedApi).managedBlueprintsImportCreate({
                     path: MINIMAL_BLUEPRINT_PATH,
                     context: JSON.stringify({
                         flow_name: wizardState.newFlowName,
@@ -119,7 +119,7 @@ export class InvitationWizardDetailsStep extends WizardPage {
                 }
 
                 const slugToLookup = wizardState.newFlowSlug!;
-                const flows = await new FlowsApi(DEFAULT_CONFIG).flowsInstancesList({
+                const flows = await aki(FlowsApi).flowsInstancesList({
                     slug: slugToLookup,
                 });
                 const createdFlow = flows.results[0];
@@ -143,9 +143,7 @@ export class InvitationWizardDetailsStep extends WizardPage {
 
         try {
             const flowPk = wizardState.createdFlowPk || wizardState.selectedFlowPk || undefined;
-            const invitation = await new StagesApi(
-                DEFAULT_CONFIG,
-            ).stagesInvitationInvitationsCreate({
+            const invitation = await aki(StagesApi).stagesInvitationInvitationsCreate({
                 invitationRequest: {
                     name: wizardState.invitationName!,
                     expires: wizardState.invitationExpires
diff --git a/web/src/admin/stages/invitation/wizard/InvitationWizardEmailStep.ts b/web/src/admin/stages/invitation/wizard/InvitationWizardEmailStep.ts
index 4a78bc8a41..c4aa98d119 100644
--- a/web/src/admin/stages/invitation/wizard/InvitationWizardEmailStep.ts
+++ b/web/src/admin/stages/invitation/wizard/InvitationWizardEmailStep.ts
@@ -3,7 +3,7 @@ import "#elements/forms/HorizontalFormElement";
 
 import type { InvitationWizardState } from "./types";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import {
     parseAPIResponseError,
     pluckErrorDetail,
@@ -55,9 +55,7 @@ export class InvitationWizardEmailStep extends WizardPage {
     activeCallback = async (): Promise<void> => {
         this.host.valid = this.toAddresses.trim().length > 0;
         try {
-            this.availableTemplates = await new StagesApi(
-                DEFAULT_CONFIG,
-            ).stagesEmailTemplatesList();
+            this.availableTemplates = await aki(StagesApi).stagesEmailTemplatesList();
         } catch {
             this.availableTemplates = [];
         }
@@ -97,7 +95,7 @@ export class InvitationWizardEmailStep extends WizardPage {
         const bcc = this.parseEmailAddresses(this.bccAddresses);
 
         try {
-            await new StagesApi(DEFAULT_CONFIG).stagesInvitationInvitationsSendEmailCreate({
+            await aki(StagesApi).stagesInvitationInvitationsSendEmailCreate({
                 inviteUuid: invitationPk,
                 invitationSendEmailRequest: {
                     emailAddresses: to,
diff --git a/web/src/admin/stages/invitation/wizard/InvitationWizardFlowStep.ts b/web/src/admin/stages/invitation/wizard/InvitationWizardFlowStep.ts
index 05900faee6..20959adadb 100644
--- a/web/src/admin/stages/invitation/wizard/InvitationWizardFlowStep.ts
+++ b/web/src/admin/stages/invitation/wizard/InvitationWizardFlowStep.ts
@@ -5,7 +5,7 @@ import "#elements/forms/SearchSelect/index";
 
 import type { InvitationWizardState } from "./types";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { WizardPage } from "#elements/wizard/WizardPage";
 
@@ -78,7 +78,7 @@ export class InvitationWizardFlowStep extends WizardPage {
         this.loading = true;
 
         try {
-            const stages = await new StagesApi(DEFAULT_CONFIG).stagesInvitationStagesList({
+            const stages = await aki(StagesApi).stagesInvitationStagesList({
                 noFlows: false,
             });
 
diff --git a/web/src/admin/stages/mtls/MTLSStageForm.ts b/web/src/admin/stages/mtls/MTLSStageForm.ts
index b1507277f8..7027d7d481 100644
--- a/web/src/admin/stages/mtls/MTLSStageForm.ts
+++ b/web/src/admin/stages/mtls/MTLSStageForm.ts
@@ -5,7 +5,7 @@ import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/Radio";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { certificateProvider, certificateSelector } from "#admin/brands/Certificates";
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
@@ -26,19 +26,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-stage-mtls-form")
 export class MTLSStageForm extends BaseStageForm<MutualTLSStage> {
     loadInstance(pk: string): Promise<MutualTLSStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesMtlsRetrieve({
+        return aki(StagesApi).stagesMtlsRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: MutualTLSStage): Promise<MutualTLSStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesMtlsUpdate({
+            return aki(StagesApi).stagesMtlsUpdate({
                 stageUuid: this.instance.pk || "",
                 mutualTLSStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesMtlsCreate({
+        return aki(StagesApi).stagesMtlsCreate({
             mutualTLSStageRequest: data,
         });
     }
diff --git a/web/src/admin/stages/password/PasswordStageForm.ts b/web/src/admin/stages/password/PasswordStageForm.ts
index ebcd455c2b..40a54a06a4 100644
--- a/web/src/admin/stages/password/PasswordStageForm.ts
+++ b/web/src/admin/stages/password/PasswordStageForm.ts
@@ -4,7 +4,7 @@ import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKLabel } from "#components/ak-label";
 
@@ -28,19 +28,19 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-stage-password-form")
 export class PasswordStageForm extends BaseStageForm<PasswordStage> {
     loadInstance(pk: string): Promise<PasswordStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesPasswordRetrieve({
+        return aki(StagesApi).stagesPasswordRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: PasswordStage): Promise<PasswordStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesPasswordUpdate({
+            return aki(StagesApi).stagesPasswordUpdate({
                 stageUuid: this.instance.pk || "",
                 passwordStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesPasswordCreate({
+        return aki(StagesApi).stagesPasswordCreate({
             passwordStageRequest: data,
         });
     }
@@ -125,9 +125,7 @@ export class PasswordStageForm extends BaseStageForm<PasswordStage> {
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const flows = await new FlowsApi(DEFAULT_CONFIG).flowsInstancesList(
-                                    args,
-                                );
+                                const flows = await aki(FlowsApi).flowsInstancesList(args);
                                 return flows.results;
                             }}
                             .renderElement=${(flow: Flow): string => {
diff --git a/web/src/admin/stages/prompt/PromptForm.ts b/web/src/admin/stages/prompt/PromptForm.ts
index a0b53d8474..4ac6092a7a 100644
--- a/web/src/admin/stages/prompt/PromptForm.ts
+++ b/web/src/admin/stages/prompt/PromptForm.ts
@@ -3,7 +3,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#flow/stages/prompt/PromptStage";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { parseAPIResponseError } from "#common/errors/network";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -61,18 +61,18 @@ export class PromptForm extends ModelForm<Prompt, string> {
 
     send(data: Prompt): Promise<unknown> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesPromptPromptsUpdate({
+            return aki(StagesApi).stagesPromptPromptsUpdate({
                 promptUuid: this.instance.pk || "",
                 promptRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesPromptPromptsCreate({
+        return aki(StagesApi).stagesPromptPromptsCreate({
             promptRequest: data,
         });
     }
 
     async loadInstance(pk: string): Promise<Prompt> {
-        const prompt = await new StagesApi(DEFAULT_CONFIG).stagesPromptPromptsRetrieve({
+        const prompt = await aki(StagesApi).stagesPromptPromptsRetrieve({
             promptUuid: pk,
         });
         await this.refreshPreview(prompt);
@@ -86,7 +86,7 @@ export class PromptForm extends ModelForm<Prompt, string> {
             return;
         }
 
-        return new StagesApi(DEFAULT_CONFIG)
+        return aki(StagesApi)
             .stagesPromptPromptsPreviewCreate({
                 promptRequest,
             })
diff --git a/web/src/admin/stages/prompt/PromptListPage.ts b/web/src/admin/stages/prompt/PromptListPage.ts
index 4d09ac85cf..fb44874afe 100644
--- a/web/src/admin/stages/prompt/PromptListPage.ts
+++ b/web/src/admin/stages/prompt/PromptListPage.ts
@@ -6,7 +6,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PFSize } from "#common/enums";
 
 import { IconEditButton, ModalInvokerButton } from "#elements/dialogs";
@@ -38,9 +38,7 @@ export class PromptListPage extends TablePage<Prompt> {
     public override order = "name";
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<Prompt>> {
-        return new StagesApi(DEFAULT_CONFIG).stagesPromptPromptsList(
-            await this.defaultEndpointConfig(),
-        );
+        return aki(StagesApi).stagesPromptPromptsList(await this.defaultEndpointConfig());
     }
 
     protected columns: TableColumn[] = [
@@ -58,12 +56,12 @@ export class PromptListPage extends TablePage<Prompt> {
             object-label=${msg("Prompt(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: Prompt) => {
-                return new StagesApi(DEFAULT_CONFIG).stagesPromptPromptsUsedByList({
+                return aki(StagesApi).stagesPromptPromptsUsedByList({
                     promptUuid: item.pk,
                 });
             }}
             .delete=${(item: Prompt) => {
-                return new StagesApi(DEFAULT_CONFIG).stagesPromptPromptsDestroy({
+                return aki(StagesApi).stagesPromptPromptsDestroy({
                     promptUuid: item.pk,
                 });
             }}
diff --git a/web/src/admin/stages/prompt/PromptStageForm.ts b/web/src/admin/stages/prompt/PromptStageForm.ts
index 2d0df17211..aae65aeda0 100644
--- a/web/src/admin/stages/prompt/PromptStageForm.ts
+++ b/web/src/admin/stages/prompt/PromptStageForm.ts
@@ -11,7 +11,7 @@ import {
     promptFieldsSelector,
 } from "./PromptStageFormHelpers.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PFSize } from "#common/enums";
 
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
@@ -26,19 +26,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-stage-prompt-form")
 export class PromptStageForm extends BaseStageForm<PromptStage> {
     loadInstance(pk: string): Promise<PromptStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesPromptStagesRetrieve({
+        return aki(StagesApi).stagesPromptStagesRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: PromptStage): Promise<PromptStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesPromptStagesUpdate({
+            return aki(StagesApi).stagesPromptStagesUpdate({
                 stageUuid: this.instance.pk || "",
                 promptStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesPromptStagesCreate({
+        return aki(StagesApi).stagesPromptStagesCreate({
             promptStageRequest: data,
         });
     }
diff --git a/web/src/admin/stages/prompt/PromptStageFormHelpers.ts b/web/src/admin/stages/prompt/PromptStageFormHelpers.ts
index fa28bc2da8..94935528ee 100644
--- a/web/src/admin/stages/prompt/PromptStageFormHelpers.ts
+++ b/web/src/admin/stages/prompt/PromptStageFormHelpers.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { DualSelectPair } from "#elements/ak-dual-select/types";
 
@@ -14,7 +14,7 @@ const promptToSelect = (p: Prompt) => [
 ];
 
 export async function promptFieldsProvider(page = 1, search = "") {
-    const prompts = await new StagesApi(DEFAULT_CONFIG).stagesPromptPromptsList({
+    const prompts = await aki(StagesApi).stagesPromptPromptsList({
         ordering: "field_name,order",
         pageSize: 20,
         search: search.trim(),
@@ -33,7 +33,7 @@ export function promptFieldsSelector(instanceFields: string[] | undefined) {
             options.filter(([_0, _1, _2, prompt]: DualSelectPair<Prompt>) => prompt !== undefined);
     }
     return async () => {
-        const stages = new StagesApi(DEFAULT_CONFIG);
+        const stages = aki(StagesApi);
         const prompts = await Promise.allSettled(
             instanceFields.map((instanceId) =>
                 stages.stagesPromptPromptsRetrieve({ promptUuid: instanceId }),
@@ -49,7 +49,7 @@ export function promptFieldsSelector(instanceFields: string[] | undefined) {
 const policyToSelect = (p: Policy) => [p.pk, `${p.name} (${p.verboseName})`, p.name, p];
 
 export async function policiesProvider(page = 1, search = "") {
-    const policies = await new PoliciesApi(DEFAULT_CONFIG).policiesAllList({
+    const policies = await aki(PoliciesApi).policiesAllList({
         ordering: "name",
         pageSize: 20,
         search: search.trim(),
@@ -69,7 +69,7 @@ export function policiesSelector(instancePolicies: string[] | undefined) {
     }
 
     return async () => {
-        const policy = new PoliciesApi(DEFAULT_CONFIG);
+        const policy = aki(PoliciesApi);
         const policies = await Promise.allSettled(
             instancePolicies.map((instanceId) =>
                 policy.policiesAllRetrieve({ policyUuid: instanceId }),
diff --git a/web/src/admin/stages/redirect/RedirectStageForm.ts b/web/src/admin/stages/redirect/RedirectStageForm.ts
index ecfdcb3a75..497911ce43 100644
--- a/web/src/admin/stages/redirect/RedirectStageForm.ts
+++ b/web/src/admin/stages/redirect/RedirectStageForm.ts
@@ -2,7 +2,7 @@ import "#components/ak-switch-input";
 import "#elements/forms/SearchSelect/ak-search-select";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { RenderFlowOption } from "#admin/flows/utils";
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
@@ -26,7 +26,7 @@ export class RedirectStageForm extends BaseStageForm<RedirectStage> {
     mode: string = RedirectStageModeEnum.Static;
 
     loadInstance(pk: string): Promise<RedirectStage> {
-        return new StagesApi(DEFAULT_CONFIG)
+        return aki(StagesApi)
             .stagesRedirectRetrieve({
                 stageUuid: pk,
             })
@@ -38,12 +38,12 @@ export class RedirectStageForm extends BaseStageForm<RedirectStage> {
 
     async send(data: RedirectStage): Promise<RedirectStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesRedirectUpdate({
+            return aki(StagesApi).stagesRedirectUpdate({
                 stageUuid: this.instance.pk || "",
                 redirectStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesRedirectCreate({
+        return aki(StagesApi).stagesRedirectCreate({
             redirectStageRequest: data,
         });
     }
@@ -117,9 +117,7 @@ export class RedirectStageForm extends BaseStageForm<RedirectStage> {
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const flows = await new FlowsApi(DEFAULT_CONFIG).flowsInstancesList(
-                                    args,
-                                );
+                                const flows = await aki(FlowsApi).flowsInstancesList(args);
                                 return flows.results;
                             }}
                             .renderElement=${(flow: Flow): string => RenderFlowOption(flow)}
diff --git a/web/src/admin/stages/source/SourceStageForm.ts b/web/src/admin/stages/source/SourceStageForm.ts
index a16571d936..b7073baacd 100644
--- a/web/src/admin/stages/source/SourceStageForm.ts
+++ b/web/src/admin/stages/source/SourceStageForm.ts
@@ -2,7 +2,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 import "#elements/utils/TimeDeltaHelp";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
 
@@ -22,19 +22,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-stage-source-form")
 export class SourceStageForm extends BaseStageForm<SourceStage> {
     loadInstance(pk: string): Promise<SourceStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesSourceRetrieve({
+        return aki(StagesApi).stagesSourceRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: SourceStage): Promise<SourceStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesSourceUpdate({
+            return aki(StagesApi).stagesSourceUpdate({
                 stageUuid: this.instance.pk || "",
                 sourceStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesSourceCreate({
+        return aki(StagesApi).stagesSourceCreate({
             sourceStageRequest: data,
         });
     }
@@ -63,7 +63,7 @@ export class SourceStageForm extends BaseStageForm<SourceStage> {
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const users = await new SourcesApi(DEFAULT_CONFIG).sourcesAllList(args);
+                        const users = await aki(SourcesApi).sourcesAllList(args);
                         return users.results;
                     }}
                     .renderElement=${(source: Source): string => {
diff --git a/web/src/admin/stages/user_delete/UserDeleteStageForm.ts b/web/src/admin/stages/user_delete/UserDeleteStageForm.ts
index a03ebc9f5b..094001506b 100644
--- a/web/src/admin/stages/user_delete/UserDeleteStageForm.ts
+++ b/web/src/admin/stages/user_delete/UserDeleteStageForm.ts
@@ -1,6 +1,6 @@
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
 
@@ -14,19 +14,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-stage-user-delete-form")
 export class UserDeleteStageForm extends BaseStageForm<UserDeleteStage> {
     loadInstance(pk: string): Promise<UserDeleteStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesUserDeleteRetrieve({
+        return aki(StagesApi).stagesUserDeleteRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: UserDeleteStage): Promise<UserDeleteStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesUserDeleteUpdate({
+            return aki(StagesApi).stagesUserDeleteUpdate({
                 stageUuid: this.instance.pk || "",
                 userDeleteStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesUserDeleteCreate({
+        return aki(StagesApi).stagesUserDeleteCreate({
             userDeleteStageRequest: data,
         });
     }
diff --git a/web/src/admin/stages/user_login/UserLoginStageForm.ts b/web/src/admin/stages/user_login/UserLoginStageForm.ts
index 7384c5e926..932fca4a11 100644
--- a/web/src/admin/stages/user_login/UserLoginStageForm.ts
+++ b/web/src/admin/stages/user_login/UserLoginStageForm.ts
@@ -5,7 +5,7 @@ import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/utils/TimeDeltaHelp";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
 
@@ -18,19 +18,19 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-stage-user-login-form")
 export class UserLoginStageForm extends BaseStageForm<UserLoginStage> {
     loadInstance(pk: string): Promise<UserLoginStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesUserLoginRetrieve({
+        return aki(StagesApi).stagesUserLoginRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: UserLoginStage): Promise<UserLoginStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesUserLoginUpdate({
+            return aki(StagesApi).stagesUserLoginUpdate({
                 stageUuid: this.instance.pk || "",
                 userLoginStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesUserLoginCreate({
+        return aki(StagesApi).stagesUserLoginCreate({
             userLoginStageRequest: data,
         });
     }
diff --git a/web/src/admin/stages/user_logout/UserLogoutStageForm.ts b/web/src/admin/stages/user_logout/UserLogoutStageForm.ts
index eaab31804b..44f2d6d91a 100644
--- a/web/src/admin/stages/user_logout/UserLogoutStageForm.ts
+++ b/web/src/admin/stages/user_logout/UserLogoutStageForm.ts
@@ -1,6 +1,6 @@
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
 
@@ -14,19 +14,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-stage-user-logout-form")
 export class UserLogoutStageForm extends BaseStageForm<UserLogoutStage> {
     loadInstance(pk: string): Promise<UserLogoutStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesUserLogoutRetrieve({
+        return aki(StagesApi).stagesUserLogoutRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: UserLogoutStage): Promise<UserLogoutStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesUserLogoutUpdate({
+            return aki(StagesApi).stagesUserLogoutUpdate({
                 stageUuid: this.instance.pk || "",
                 userLogoutStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesUserLogoutCreate({
+        return aki(StagesApi).stagesUserLogoutCreate({
             userLogoutStageRequest: data,
         });
     }
diff --git a/web/src/admin/stages/user_write/UserWriteStageForm.ts b/web/src/admin/stages/user_write/UserWriteStageForm.ts
index 74cf87b548..ca84ba6a78 100644
--- a/web/src/admin/stages/user_write/UserWriteStageForm.ts
+++ b/web/src/admin/stages/user_write/UserWriteStageForm.ts
@@ -6,7 +6,7 @@ import "#components/ak-text-input";
 import "#components/ak-radio-input";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { RadioOption } from "#elements/forms/Radio";
 
@@ -32,19 +32,19 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-stage-user-write-form")
 export class UserWriteStageForm extends BaseStageForm<UserWriteStage> {
     loadInstance(pk: string): Promise<UserWriteStage> {
-        return new StagesApi(DEFAULT_CONFIG).stagesUserWriteRetrieve({
+        return aki(StagesApi).stagesUserWriteRetrieve({
             stageUuid: pk,
         });
     }
 
     async send(data: UserWriteStage): Promise<UserWriteStage> {
         if (this.instance) {
-            return new StagesApi(DEFAULT_CONFIG).stagesUserWriteUpdate({
+            return aki(StagesApi).stagesUserWriteUpdate({
                 stageUuid: this.instance.pk || "",
                 userWriteStageRequest: data,
             });
         }
-        return new StagesApi(DEFAULT_CONFIG).stagesUserWriteCreate({
+        return aki(StagesApi).stagesUserWriteCreate({
             userWriteStageRequest: data,
         });
     }
@@ -170,9 +170,7 @@ export class UserWriteStageForm extends BaseStageForm<UserWriteStage> {
                                 if (query !== undefined) {
                                     args.search = query;
                                 }
-                                const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(
-                                    args,
-                                );
+                                const groups = await aki(CoreApi).coreGroupsList(args);
                                 return groups.results;
                             }}
                             .renderElement=${(group: Group): string => {
diff --git a/web/src/admin/tokens/TokenForm.ts b/web/src/admin/tokens/TokenForm.ts
index fd9943c225..3e44b12251 100644
--- a/web/src/admin/tokens/TokenForm.ts
+++ b/web/src/admin/tokens/TokenForm.ts
@@ -5,7 +5,7 @@ import "#elements/forms/SearchSelect/index";
 import "#components/ak-text-input";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { dateTimeLocal } from "#common/temporal";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -37,7 +37,7 @@ export class TokenForm extends ModelForm<Token, string> {
     }
 
     async loadInstance(pk: string): Promise<Token> {
-        const token = await new CoreApi(DEFAULT_CONFIG).coreTokensRetrieve({
+        const token = await aki(CoreApi).coreTokensRetrieve({
             identifier: pk,
         });
 
@@ -56,12 +56,12 @@ export class TokenForm extends ModelForm<Token, string> {
 
     async send(data: Token): Promise<Token> {
         if (this.instance?.identifier) {
-            return new CoreApi(DEFAULT_CONFIG).coreTokensUpdate({
+            return aki(CoreApi).coreTokensUpdate({
                 identifier: this.instance.identifier,
                 tokenRequest: data,
             });
         }
-        return new CoreApi(DEFAULT_CONFIG).coreTokensCreate({
+        return aki(CoreApi).coreTokensCreate({
             tokenRequest: data,
         });
     }
@@ -113,7 +113,7 @@ export class TokenForm extends ModelForm<Token, string> {
                             args.search = query;
                         }
 
-                        const users = await new CoreApi(DEFAULT_CONFIG).coreUsersList(args);
+                        const users = await aki(CoreApi).coreUsersList(args);
                         const instanceUser = this.instance?.userObj;
 
                         if (!instanceUser) {
diff --git a/web/src/admin/tokens/TokenListPage.ts b/web/src/admin/tokens/TokenListPage.ts
index fa3ce6424a..e3a032f756 100644
--- a/web/src/admin/tokens/TokenListPage.ts
+++ b/web/src/admin/tokens/TokenListPage.ts
@@ -7,7 +7,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { intentToLabel } from "#common/labels";
 
 import { IconTokenCopyButton } from "#elements/buttons/IconTokenCopyButton";
@@ -44,7 +44,7 @@ export class TokenListPage extends TablePage<Token> {
     public override order = "expires";
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<Token>> {
-        return new CoreApi(DEFAULT_CONFIG).coreTokensList(await this.defaultEndpointConfig());
+        return aki(CoreApi).coreTokensList(await this.defaultEndpointConfig());
     }
 
     protected columns: TableColumn[] = [
@@ -65,12 +65,12 @@ export class TokenListPage extends TablePage<Token> {
                 return [{ key: msg("Identifier"), value: item.identifier }];
             }}
             .usedBy=${(item: Token) => {
-                return new CoreApi(DEFAULT_CONFIG).coreTokensUsedByList({
+                return aki(CoreApi).coreTokensUsedByList({
                     identifier: item.identifier,
                 });
             }}
             .delete=${(item: Token) => {
-                return new CoreApi(DEFAULT_CONFIG).coreTokensDestroy({
+                return aki(CoreApi).coreTokensDestroy({
                     identifier: item.identifier,
                 });
             }}
diff --git a/web/src/admin/users/ServiceAccountForm.ts b/web/src/admin/users/ServiceAccountForm.ts
index 8e04fa902a..fe11c00c11 100644
--- a/web/src/admin/users/ServiceAccountForm.ts
+++ b/web/src/admin/users/ServiceAccountForm.ts
@@ -4,7 +4,7 @@ import "#components/ak-text-input";
 import "#components/ak-radio-input";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { dateTimeLocal } from "#common/temporal";
 
 import { Form } from "#elements/forms/Form";
@@ -59,7 +59,7 @@ export class ServiceAccountForm extends Form<UserServiceAccountRequest> {
     }
 
     async send(data: UserServiceAccountRequest): Promise<UserServiceAccountResponse> {
-        const result = await new CoreApi(DEFAULT_CONFIG).coreUsersServiceAccountCreate({
+        const result = await aki(CoreApi).coreUsersServiceAccountCreate({
             userServiceAccountRequest: data,
         });
         this.result = result;
@@ -67,7 +67,7 @@ export class ServiceAccountForm extends Form<UserServiceAccountRequest> {
             this.parentElement.showSubmitButton = false;
         }
         if (this.targetGroup) {
-            await new CoreApi(DEFAULT_CONFIG).coreGroupsAddUserCreate({
+            await aki(CoreApi).coreGroupsAddUserCreate({
                 groupUuid: this.targetGroup.pk,
                 userAccountRequest: {
                     pk: this.result.userPk,
@@ -75,7 +75,7 @@ export class ServiceAccountForm extends Form<UserServiceAccountRequest> {
             });
         }
         if (this.targetRole) {
-            await new RbacApi(DEFAULT_CONFIG).rbacRolesAddUserCreate({
+            await aki(RbacApi).rbacRolesAddUserCreate({
                 uuid: this.targetRole.pk,
                 userAccountSerializerForRoleRequest: {
                     pk: this.result.userPk,
diff --git a/web/src/admin/users/UserActiveForm.ts b/web/src/admin/users/UserActiveForm.ts
index 18b7ada37d..c626d9eef5 100644
--- a/web/src/admin/users/UserActiveForm.ts
+++ b/web/src/admin/users/UserActiveForm.ts
@@ -1,7 +1,7 @@
 import "#elements/buttons/SpinnerButton/index";
 import "#elements/forms/FormGroup";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { formatDisambiguatedUserDisplayName } from "#common/users";
 
 import { modalInvoker } from "#elements/dialogs";
@@ -24,7 +24,7 @@ export class UserActivationToggleForm extends WithLocale(DestructiveModelForm<Us
     public static override verboseName = msg("User");
     public static override verboseNamePlural = msg("Users");
 
-    protected coreAPI = new CoreApi(DEFAULT_CONFIG);
+    protected coreAPI = aki(CoreApi);
 
     protected override send(): Promise<unknown> {
         if (!this.instance) {
diff --git a/web/src/admin/users/UserApplicationTable.ts b/web/src/admin/users/UserApplicationTable.ts
index 2ee499f0ab..05a08c1ad3 100644
--- a/web/src/admin/users/UserApplicationTable.ts
+++ b/web/src/admin/users/UserApplicationTable.ts
@@ -1,7 +1,7 @@
 import "#elements/AppIcon";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -23,7 +23,7 @@ export class UserApplicationTable extends Table<Application> {
     static styles: CSSResult[] = [...super.styles, applicationListStyle];
 
     async apiEndpoint(): Promise<PaginatedResponse<Application>> {
-        return new CoreApi(DEFAULT_CONFIG).coreApplicationsList({
+        return aki(CoreApi).coreApplicationsList({
             ...(await this.defaultEndpointConfig()),
             forUser: this.user?.pk,
         });
diff --git a/web/src/admin/users/UserBulkRevokeSessionsForm.ts b/web/src/admin/users/UserBulkRevokeSessionsForm.ts
index 611a81b3e6..1f1dc050ac 100644
--- a/web/src/admin/users/UserBulkRevokeSessionsForm.ts
+++ b/web/src/admin/users/UserBulkRevokeSessionsForm.ts
@@ -1,6 +1,6 @@
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { createPaginatedResponse } from "#common/api/responses";
 import { EVENT_REFRESH } from "#common/constants";
 import { MessageLevel } from "#common/messages";
@@ -31,7 +31,7 @@ export class UserBulkRevokeSessionsTable extends StaticTable<User> {
         // Fetch session counts for each user
         for (const user of this.items ?? []) {
             try {
-                const sessions = await new CoreApi(DEFAULT_CONFIG).coreAuthenticatedSessionsList({
+                const sessions = await aki(CoreApi).coreAuthenticatedSessionsList({
                     userUsername: user.username,
                 });
                 this.sessionCounts.set(user.pk, sessions.pagination.count);
@@ -87,9 +87,7 @@ export class UserBulkRevokeSessionsForm extends ModalButton {
 
             // Delete all sessions for these users in a single API call
             if (userIds.length > 0) {
-                const response = await new CoreApi(
-                    DEFAULT_CONFIG,
-                ).coreAuthenticatedSessionsBulkDeleteDestroy({
+                const response = await aki(CoreApi).coreAuthenticatedSessionsBulkDeleteDestroy({
                     userPks: userIds,
                 });
                 this.revokedCount = response.deleted || 0;
diff --git a/web/src/admin/users/UserChart.ts b/web/src/admin/users/UserChart.ts
index 695bbb178a..ab58c01117 100644
--- a/web/src/admin/users/UserChart.ts
+++ b/web/src/admin/users/UserChart.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { EventChart } from "#elements/charts/EventChart";
 
@@ -15,7 +15,7 @@ export class UserChart extends EventChart {
     username?: string;
 
     async apiRequest(): Promise<EventVolume[]> {
-        return new EventsApi(DEFAULT_CONFIG).eventsEventsVolumeList({
+        return aki(EventsApi).eventsEventsVolumeList({
             actions: [
                 EventActions.Login,
                 EventActions.LoginFailed,
diff --git a/web/src/admin/users/UserDevicesTable.ts b/web/src/admin/users/UserDevicesTable.ts
index 3c576e554d..4dcd2907a8 100644
--- a/web/src/admin/users/UserDevicesTable.ts
+++ b/web/src/admin/users/UserDevicesTable.ts
@@ -1,6 +1,6 @@
 import "#elements/forms/DeleteBulkForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { createPaginatedResponse } from "#common/api/responses";
 import { deviceTypeName } from "#common/labels";
 import { SentryIgnoredError } from "#common/sentry/index";
@@ -23,7 +23,7 @@ export class UserDeviceTable extends Table<Device> {
     clearOnRefresh = true;
 
     async apiEndpoint(): Promise<PaginatedResponse<Device>> {
-        return new AuthenticatorsApi(DEFAULT_CONFIG)
+        return aki(AuthenticatorsApi)
             .authenticatorsAdminAllList({
                 user: this.userId,
             })
@@ -42,7 +42,7 @@ export class UserDeviceTable extends Table<Device> {
     ];
 
     async deleteWrapper(device: Device) {
-        const api = new AuthenticatorsApi(DEFAULT_CONFIG);
+        const api = aki(AuthenticatorsApi);
         switch (device.type) {
             case "authentik_stages_authenticator_duo.DuoDevice":
                 return api.authenticatorsAdminDuoDestroy({ id: parseInt(device.pk, 10) });
diff --git a/web/src/admin/users/UserForm.ts b/web/src/admin/users/UserForm.ts
index e908012d9e..65db512b34 100644
--- a/web/src/admin/users/UserForm.ts
+++ b/web/src/admin/users/UserForm.ts
@@ -6,7 +6,7 @@ import "#components/ak-text-input";
 import "#components/ak-radio-input";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { DefaultUIConfig } from "#common/ui/config";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -47,8 +47,8 @@ const UserTypeOptions: readonly RadioOption<UserTypeEnum>[] = [
 ];
 @customElement("ak-user-form")
 export class UserForm extends ModelForm<User, number> {
-    #coreAPI = new CoreApi(DEFAULT_CONFIG);
-    #rbacAPI = new RbacApi(DEFAULT_CONFIG);
+    #coreAPI = aki(CoreApi);
+    #rbacAPI = aki(RbacApi);
 
     public static override verboseName = msg("User");
     public static override verboseNamePlural = msg("Users");
diff --git a/web/src/admin/users/UserImpersonateForm.ts b/web/src/admin/users/UserImpersonateForm.ts
index f37da04769..9f0d48acb9 100644
--- a/web/src/admin/users/UserImpersonateForm.ts
+++ b/web/src/admin/users/UserImpersonateForm.ts
@@ -1,6 +1,6 @@
 import "#components/ak-text-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { APIMessage, MessageLevel } from "#common/messages";
 
 import { asInstanceInvoker } from "#elements/dialogs";
@@ -26,7 +26,7 @@ export class UserImpersonateForm extends Form<ImpersonationRequest> {
 
     protected refreshReasonRequirement = async () => {
         try {
-            const settings = await new AdminApi(DEFAULT_CONFIG).adminSettingsRetrieve();
+            const settings = await aki(AdminApi).adminSettingsRetrieve();
             this.requireReason = settings.impersonationRequireReason ?? false;
         } catch (error) {
             console.error("Failed to fetch impersonation settings:", error);
@@ -49,7 +49,7 @@ export class UserImpersonateForm extends Form<ImpersonationRequest> {
     }
 
     async send(data: ImpersonationRequest): Promise<void> {
-        return new CoreApi(DEFAULT_CONFIG)
+        return aki(CoreApi)
             .coreUsersImpersonateCreate({
                 id: this.instancePk || 0,
                 impersonationRequest: data,
diff --git a/web/src/admin/users/UserListPage.ts b/web/src/admin/users/UserListPage.ts
index 756d8c2df6..c362b3ff20 100644
--- a/web/src/admin/users/UserListPage.ts
+++ b/web/src/admin/users/UserListPage.ts
@@ -14,7 +14,7 @@ import "#elements/forms/DeleteBulkForm";
 import "#elements/forms/ModalForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { userTypeToLabel } from "#common/labels";
 import { DefaultUIConfig } from "#common/ui/config";
 import { formatUserDisplayName } from "#common/users";
@@ -80,7 +80,7 @@ export class UserListPage extends WithLicenseSummary(
         `,
     ];
 
-    #api = new CoreApi(DEFAULT_CONFIG);
+    #api = aki(CoreApi);
 
     public override expandable = true;
     public override checkbox = true;
diff --git a/web/src/admin/users/UserPasswordForm.ts b/web/src/admin/users/UserPasswordForm.ts
index ddbe51b987..c9d0729f8c 100644
--- a/web/src/admin/users/UserPasswordForm.ts
+++ b/web/src/admin/users/UserPasswordForm.ts
@@ -1,7 +1,7 @@
 import "#elements/buttons/SpinnerButton/index";
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PFSize } from "#common/enums";
 
 import { Form } from "#elements/forms/Form";
@@ -77,7 +77,7 @@ export class UserPasswordForm extends Form<UserPasswordSetRequest> {
     }
 
     protected override async send(data: UserPasswordSetRequest): Promise<void> {
-        return new CoreApi(DEFAULT_CONFIG).coreUsersSetPasswordCreate({
+        return aki(CoreApi).coreUsersSetPasswordCreate({
             id: this.instancePk || 0,
             userPasswordSetRequest: data,
         });
diff --git a/web/src/admin/users/UserRecoveryLinkForm.ts b/web/src/admin/users/UserRecoveryLinkForm.ts
index 4bf555cce1..e8603e4361 100644
--- a/web/src/admin/users/UserRecoveryLinkForm.ts
+++ b/web/src/admin/users/UserRecoveryLinkForm.ts
@@ -1,6 +1,6 @@
 import "#components/ak-text-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { writeToClipboard } from "#common/clipboard";
 
 import { Form } from "#elements/forms/Form";
@@ -13,7 +13,7 @@ import { customElement, property } from "lit/decorators.js";
 
 @customElement("ak-user-recovery-link-form")
 export class UserRecoveryLinkForm extends Form<UserRecoveryLinkRequest> {
-    #api = new CoreApi(DEFAULT_CONFIG);
+    #api = aki(CoreApi);
 
     @property({ attribute: false })
     public user!: User;
diff --git a/web/src/admin/users/UserResetEmailForm.ts b/web/src/admin/users/UserResetEmailForm.ts
index b4d5ccfe53..236e4f44d3 100644
--- a/web/src/admin/users/UserResetEmailForm.ts
+++ b/web/src/admin/users/UserResetEmailForm.ts
@@ -2,7 +2,7 @@ import "#components/ak-text-input";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { groupBy } from "#common/utils";
 
 import { Form } from "#elements/forms/Form";
@@ -33,7 +33,7 @@ export class UserResetEmailForm extends Form<UserRecoveryEmailRequest> {
     }
 
     async send(data: UserRecoveryEmailRequest): Promise<void> {
-        return new CoreApi(DEFAULT_CONFIG).coreUsersRecoveryEmailCreate({
+        return aki(CoreApi).coreUsersRecoveryEmailCreate({
             id: this.user.pk,
             userRecoveryEmailRequest: data,
         });
@@ -54,7 +54,7 @@ export class UserResetEmailForm extends Form<UserRecoveryEmailRequest> {
                         if (query !== undefined) {
                             args.search = query;
                         }
-                        const stages = await new StagesApi(DEFAULT_CONFIG).stagesEmailList(args);
+                        const stages = await aki(StagesApi).stagesEmailList(args);
                         return stages.results;
                     }}
                     .groupBy=${(items: Stage[]) => {
diff --git a/web/src/admin/users/UserViewPage.ts b/web/src/admin/users/UserViewPage.ts
index 1f88d45d98..24873cec9d 100644
--- a/web/src/admin/users/UserViewPage.ts
+++ b/web/src/admin/users/UserViewPage.ts
@@ -27,7 +27,7 @@ import "#elements/user/sources/SourceSettings";
 import "./UserDevicesTable.js";
 import "#elements/ak-mdx/ak-mdx";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { AKRefreshEvent } from "#common/events";
 import { userTypeToLabel } from "#common/labels";
 import {
@@ -75,7 +75,7 @@ import PFSizing from "@patternfly/patternfly/utilities/Sizing/sizing.css";
 export class UserViewPage extends WithLicenseSummary(
     WithLocale(WithBrandConfig(WithCapabilitiesConfig(WithSession(AKElement)))),
 ) {
-    #api = new CoreApi(DEFAULT_CONFIG);
+    #api = aki(CoreApi);
 
     @property({ type: Number, useDefault: true })
     public userId: number | null = null;
diff --git a/web/src/admin/users/ak-user-group-table.ts b/web/src/admin/users/ak-user-group-table.ts
index e33857dd58..82846db5a7 100644
--- a/web/src/admin/users/ak-user-group-table.ts
+++ b/web/src/admin/users/ak-user-group-table.ts
@@ -1,7 +1,7 @@
 import "#components/ak-status-label";
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -27,7 +27,7 @@ export class UserGroupTable extends Table<Group> {
     public override order = "name";
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<Group>> {
-        return new CoreApi(DEFAULT_CONFIG).coreGroupsList({
+        return aki(CoreApi).coreGroupsList({
             ...(await this.defaultEndpointConfig()),
             includeUsers: false,
         });
diff --git a/web/src/admin/users/ak-user-role-table.ts b/web/src/admin/users/ak-user-role-table.ts
index 5357560f3a..11fe0aacba 100644
--- a/web/src/admin/users/ak-user-role-table.ts
+++ b/web/src/admin/users/ak-user-role-table.ts
@@ -1,7 +1,7 @@
 import "#components/ak-status-label";
 import "#elements/buttons/SpinnerButton/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -23,7 +23,7 @@ export class UserRoleTable extends Table<Role> {
     public override order = "name";
 
     protected async apiEndpoint(): Promise<PaginatedResponse<Role>> {
-        return new RbacApi(DEFAULT_CONFIG).rbacRolesList({
+        return aki(RbacApi).rbacRolesList({
             ...(await this.defaultEndpointConfig()),
         });
     }
diff --git a/web/src/admin/users/oauth/UserAccessTokenList.ts b/web/src/admin/users/oauth/UserAccessTokenList.ts
index 9cfba13805..d39676aaab 100644
--- a/web/src/admin/users/oauth/UserAccessTokenList.ts
+++ b/web/src/admin/users/oauth/UserAccessTokenList.ts
@@ -3,7 +3,7 @@ import "#elements/chips/Chip";
 import "#elements/chips/ChipGroup";
 import "#elements/forms/DeleteBulkForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn, Timestamp } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -26,7 +26,7 @@ export class UserOAuthAccessTokenList extends Table<TokenModel> {
     static styles: CSSResult[] = [...super.styles, PFFlex];
 
     async apiEndpoint(): Promise<PaginatedResponse<TokenModel>> {
-        return new Oauth2Api(DEFAULT_CONFIG).oauth2AccessTokensList({
+        return aki(Oauth2Api).oauth2AccessTokensList({
             ...(await this.defaultEndpointConfig()),
             user: this.userId,
         });
@@ -61,12 +61,12 @@ export class UserOAuthAccessTokenList extends Table<TokenModel> {
             object-label=${msg("Access Tokens(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: ExpiringBaseGrantModel) => {
-                return new Oauth2Api(DEFAULT_CONFIG).oauth2AccessTokensUsedByList({
+                return aki(Oauth2Api).oauth2AccessTokensUsedByList({
                     id: item.pk,
                 });
             }}
             .delete=${(item: ExpiringBaseGrantModel) => {
-                return new Oauth2Api(DEFAULT_CONFIG).oauth2AccessTokensDestroy({
+                return aki(Oauth2Api).oauth2AccessTokensDestroy({
                     id: item.pk,
                 });
             }}
diff --git a/web/src/admin/users/oauth/UserRefreshTokenList.ts b/web/src/admin/users/oauth/UserRefreshTokenList.ts
index 07d154f3a0..27b12643c3 100644
--- a/web/src/admin/users/oauth/UserRefreshTokenList.ts
+++ b/web/src/admin/users/oauth/UserRefreshTokenList.ts
@@ -3,7 +3,7 @@ import "#elements/chips/Chip";
 import "#elements/chips/ChipGroup";
 import "#elements/forms/DeleteBulkForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn, Timestamp } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -26,7 +26,7 @@ export class UserOAuthRefreshTokenList extends Table<TokenModel> {
     static styles: CSSResult[] = [...super.styles, PFFlex];
 
     async apiEndpoint(): Promise<PaginatedResponse<TokenModel>> {
-        return new Oauth2Api(DEFAULT_CONFIG).oauth2RefreshTokensList({
+        return aki(Oauth2Api).oauth2RefreshTokensList({
             ...(await this.defaultEndpointConfig()),
             user: this.userId,
         });
@@ -62,12 +62,12 @@ export class UserOAuthRefreshTokenList extends Table<TokenModel> {
             object-label=${msg("Refresh Tokens(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: ExpiringBaseGrantModel) => {
-                return new Oauth2Api(DEFAULT_CONFIG).oauth2RefreshTokensUsedByList({
+                return aki(Oauth2Api).oauth2RefreshTokensUsedByList({
                     id: item.pk,
                 });
             }}
             .delete=${(item: ExpiringBaseGrantModel) => {
-                return new Oauth2Api(DEFAULT_CONFIG).oauth2RefreshTokensDestroy({
+                return aki(Oauth2Api).oauth2RefreshTokensDestroy({
                     id: item.pk,
                 });
             }}
diff --git a/web/src/common/api/client.ts b/web/src/common/api/client.ts
new file mode 100644
index 0000000000..d5bfcf3bdc
--- /dev/null
+++ b/web/src/common/api/client.ts
@@ -0,0 +1,47 @@
+import {
+    CSRFMiddleware,
+    DevRepeatedRequestsMiddleware,
+    EventMiddleware,
+    LocaleMiddleware,
+    LoggingMiddleware,
+} from "#common/api/middleware";
+import { globalAK } from "#common/global";
+import { SentryMiddleware } from "#common/sentry/middleware";
+
+import { CapabilitiesEnum, Configuration } from "@goauthentik/api";
+
+type APIConstructor<T> = new (config: Configuration) => T;
+
+let configuration: Configuration | null = null;
+
+const endpoints = new Map<APIConstructor<unknown>, unknown>();
+
+function apiConfiguration(): Configuration {
+    if (!configuration) {
+        const { locale, api, brand, config } = globalAK();
+        configuration = new Configuration({
+            basePath: `${api.base}api/v3`,
+            middleware: [
+                new CSRFMiddleware(),
+                new EventMiddleware(),
+                new LoggingMiddleware(brand),
+                new SentryMiddleware(),
+                new LocaleMiddleware(locale),
+                ...(config.capabilities.includes(CapabilitiesEnum.CanDebug)
+                    ? [new DevRepeatedRequestsMiddleware()]
+                    : []),
+            ],
+        });
+        Object.freeze(configuration);
+    }
+    return configuration;
+}
+
+export function aki<T>(APIClass: APIConstructor<T>): T {
+    let endpoint = endpoints.get(APIClass) as T | undefined;
+    if (!endpoint) {
+        endpoint = new APIClass(apiConfiguration());
+        endpoints.set(APIClass, endpoint);
+    }
+    return endpoint;
+}
diff --git a/web/src/common/api/config.ts b/web/src/common/api/config.ts
index e8a89c09df..70f2c8ea1f 100644
--- a/web/src/common/api/config.ts
+++ b/web/src/common/api/config.ts
@@ -26,6 +26,9 @@ export const DEFAULT_CONFIG = new Configuration({
     ],
 });
 
+// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/freeze
+Object.freeze(DEFAULT_CONFIG);
+
 export function brandSetFavicon(brand: CurrentBrand) {
     /**
      *  <link rel="icon" href="/static/dist/assets/icons/icon.png">
diff --git a/web/src/common/helpers/plex.ts b/web/src/common/helpers/plex.ts
index dcfa4b8bc9..45e79bbf95 100644
--- a/web/src/common/helpers/plex.ts
+++ b/web/src/common/helpers/plex.ts
@@ -62,9 +62,7 @@ export class PlexAPIClient {
         });
         const pin: PlexPinResponse = await pinResponse.json();
         return {
-            authUrl: `https://app.plex.tv/auth#!?clientID=${encodeURIComponent(
-                clientIdentifier,
-            )}&code=${pin.code}`,
+            authUrl: `https://app.plex.tv/auth#!?clientID=${encodeURIComponent(clientIdentifier)}&code=${pin.code}`,
             pin: pin,
         };
     }
diff --git a/web/src/common/users.ts b/web/src/common/users.ts
index 9bfc7d4e56..db053fa9aa 100644
--- a/web/src/common/users.ts
+++ b/web/src/common/users.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { isResponseErrorLike } from "#common/errors/network";
 import { UIConfig, UserDisplay } from "#common/ui/config";
 
@@ -161,7 +161,7 @@ export function redirectToAuthFlow(nextPathname = "/flows/-/default/authenticati
  * Start account lockdown and follow the returned flow link.
  */
 export async function startAccountLockdown(user?: number): Promise<void> {
-    const response = await new CoreApi(DEFAULT_CONFIG).coreUsersAccountLockdownCreate({
+    const response = await aki(CoreApi).coreUsersAccountLockdownCreate({
         userAccountLockdownRequest: user !== undefined ? { user } : {},
     });
     if (response.link) {
@@ -179,7 +179,7 @@ export async function startAccountLockdown(user?: number): Promise<void> {
  * @category Session
  */
 export async function me(requestInit?: RequestInit): Promise<SessionUser> {
-    return new CoreApi(DEFAULT_CONFIG)
+    return aki(CoreApi)
         .coreUsersMeRetrieve(requestInit)
         .catch(async (error: unknown) => {
             if (isResponseErrorLike(error)) {
diff --git a/web/src/components/ak-event-info.ts b/web/src/components/ak-event-info.ts
index 10b952db1b..6e52a90b32 100644
--- a/web/src/components/ak-event-info.ts
+++ b/web/src/components/ak-event-info.ts
@@ -1,7 +1,7 @@
 import "#elements/Expand";
 import "#elements/Spinner";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PFSize } from "#common/enums";
 import { EventContext, EventContextProperty, EventModel, EventWithContext } from "#common/events";
 
@@ -348,7 +348,7 @@ ${JSON.stringify(value.new_value, null, 4)}</pre
                     <div class="pf-c-card__body">
                         <span
                             >${until(
-                                new FlowsApi(DEFAULT_CONFIG)
+                                aki(FlowsApi)
                                     .flowsInstancesList({
                                         flowUuid: this.event.context.flow as string,
                                     })
diff --git a/web/src/components/ak-file-search-input.ts b/web/src/components/ak-file-search-input.ts
index 557c4e95e6..330d6118b8 100644
--- a/web/src/components/ak-file-search-input.ts
+++ b/web/src/components/ak-file-search-input.ts
@@ -1,7 +1,7 @@
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { parseAPIResponseError, pluckErrorDetail } from "#common/errors/network";
 import { docLink } from "#common/global";
 
@@ -79,7 +79,7 @@ export class AKFileSearchInput extends AKElement {
     }
 
     async #fetch(query?: string): Promise<FileItem[]> {
-        const api = new AdminApi(DEFAULT_CONFIG);
+        const api = aki(AdminApi);
         return api
             .adminFileList({
                 usage: this.usage as UsageEnum,
diff --git a/web/src/components/ak-nav-buttons.ts b/web/src/components/ak-nav-buttons.ts
index 9639379c2e..2a0787ca62 100644
--- a/web/src/components/ak-nav-buttons.ts
+++ b/web/src/components/ak-nav-buttons.ts
@@ -3,7 +3,7 @@ import "#components/ak-switch-input";
 import "#elements/buttons/ActionButton/ak-action-button";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { globalAK } from "#common/global";
 import { formatUserDisplayName } from "#common/users";
 
@@ -158,7 +158,7 @@ export class NavigationButtons extends WithNotifications(WithSession(AKElement))
         if (!this.impersonating) return nothing;
 
         const onClick = async () => {
-            await new CoreApi(DEFAULT_CONFIG).coreUsersImpersonateEndRetrieve();
+            await aki(CoreApi).coreUsersImpersonateEndRetrieve();
             window.location.reload();
         };
 
diff --git a/web/src/components/stories/ak-radio-input.stories.ts b/web/src/components/stories/ak-radio-input.stories.ts
index 3ea17c27f4..73fe0a7dd9 100644
--- a/web/src/components/stories/ak-radio-input.stories.ts
+++ b/web/src/components/stories/ak-radio-input.stories.ts
@@ -48,11 +48,8 @@ export const RadioInput = () => {
 
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     const displayChange = (ev: any) => {
-        document.getElementById("radio-message-pad")!.innerText = `Value selected: ${JSON.stringify(
-            ev.target.value,
-            null,
-            2,
-        )}`;
+        document.getElementById("radio-message-pad")!.innerText =
+            `Value selected: ${JSON.stringify(ev.target.value, null, 2)}`;
     };
 
     return container(
diff --git a/web/src/components/stories/ak-slug-input.stories.ts b/web/src/components/stories/ak-slug-input.stories.ts
index dc922df332..047ba57616 100644
--- a/web/src/components/stories/ak-slug-input.stories.ts
+++ b/web/src/components/stories/ak-slug-input.stories.ts
@@ -41,11 +41,8 @@ const container = (testItem: TemplateResult) =>
 export const SlugInput = () => {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     const displayChange = (ev: any) => {
-        document.getElementById("text-message-pad")!.innerText = `Value selected: ${JSON.stringify(
-            ev.target.value,
-            null,
-            2,
-        )}`;
+        document.getElementById("text-message-pad")!.innerText =
+            `Value selected: ${JSON.stringify(ev.target.value, null, 2)}`;
     };
 
     return container(
diff --git a/web/src/components/stories/ak-text-input.stories.ts b/web/src/components/stories/ak-text-input.stories.ts
index 6664c07391..3196d4ba03 100644
--- a/web/src/components/stories/ak-text-input.stories.ts
+++ b/web/src/components/stories/ak-text-input.stories.ts
@@ -40,11 +40,8 @@ const container = (testItem: TemplateResult) =>
 export const TextInput = () => {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     const displayChange = (ev: any) => {
-        document.getElementById("text-message-pad")!.innerText = `Value selected: ${JSON.stringify(
-            ev.target.value,
-            null,
-            2,
-        )}`;
+        document.getElementById("text-message-pad")!.innerText =
+            `Value selected: ${JSON.stringify(ev.target.value, null, 2)}`;
     };
 
     return container(
diff --git a/web/src/components/sync/SyncObjectForm.ts b/web/src/components/sync/SyncObjectForm.ts
index d65ed9b485..cd93d4cbad 100644
--- a/web/src/components/sync/SyncObjectForm.ts
+++ b/web/src/components/sync/SyncObjectForm.ts
@@ -3,7 +3,7 @@ import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/SearchSelect/index";
 import "#components/ak-switch-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { Form } from "#elements/forms/Form";
 
@@ -67,7 +67,7 @@ export class SyncObjectForm extends Form<SyncObjectRequest> {
                     if (query !== undefined) {
                         args.search = query;
                     }
-                    const users = await new CoreApi(DEFAULT_CONFIG).coreUsersList(args);
+                    const users = await aki(CoreApi).coreUsersList(args);
                     return users.results;
                 }}
                 .renderElement=${(user: User): string => {
@@ -94,7 +94,7 @@ export class SyncObjectForm extends Form<SyncObjectRequest> {
                     if (query !== undefined) {
                         args.search = query;
                     }
-                    const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(args);
+                    const groups = await aki(CoreApi).coreGroupsList(args);
                     return groups.results;
                 }}
                 .renderElement=${(group: Group): string => {
diff --git a/web/src/elements/buttons/IconEnrollmentTokenCopyButton.ts b/web/src/elements/buttons/IconEnrollmentTokenCopyButton.ts
index 4ec65e4c7a..681bf2b033 100644
--- a/web/src/elements/buttons/IconEnrollmentTokenCopyButton.ts
+++ b/web/src/elements/buttons/IconEnrollmentTokenCopyButton.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconCopyButton } from "#elements/buttons/IconCopyButton";
 import { SlottedTemplateResult } from "#elements/types";
@@ -16,8 +16,7 @@ export function IconEnrollmentTokenCopyButton(tokenUuid?: string | null): Slotte
                 return Promise.resolve(new Blob([""], { type: "text/plain" }));
             }
 
-            return new EndpointsApi(DEFAULT_CONFIG)
-
+            return aki(EndpointsApi)
                 .endpointsAgentsEnrollmentTokensViewKeyRetrieve({
                     tokenUuid,
                 })
diff --git a/web/src/elements/buttons/IconTokenCopyButton.ts b/web/src/elements/buttons/IconTokenCopyButton.ts
index 698023a25d..78becec75c 100644
--- a/web/src/elements/buttons/IconTokenCopyButton.ts
+++ b/web/src/elements/buttons/IconTokenCopyButton.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { IconCopyButton } from "#elements/buttons/IconCopyButton";
 import { SlottedTemplateResult } from "#elements/types";
@@ -16,7 +16,7 @@ export function IconTokenCopyButton(identifier?: string | null): SlottedTemplate
                 return Promise.resolve(new Blob([""], { type: "text/plain" }));
             }
 
-            return new CoreApi(DEFAULT_CONFIG)
+            return aki(CoreApi)
                 .coreTokensViewKeyRetrieve({ identifier })
                 .then((tokenView) => new Blob([tokenView.key], { type: "text/plain" }));
         };
diff --git a/web/src/elements/buttons/TokenCopyButton/ak-token-copy-button.stories.ts b/web/src/elements/buttons/TokenCopyButton/ak-token-copy-button.stories.ts
index dbf034a6b3..626f5ab092 100644
--- a/web/src/elements/buttons/TokenCopyButton/ak-token-copy-button.stories.ts
+++ b/web/src/elements/buttons/TokenCopyButton/ak-token-copy-button.stories.ts
@@ -46,9 +46,7 @@ const container = (testItem: TemplateResult) =>
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const displayMessage = (result: any) => {
     const doc = new DOMParser().parseFromString(
-        `<li><p><i>Event</i>: ${
-            "result" in result.detail ? result.detail.result.key : result.detail.error
-        }</p><p style="padding-left: 2.5rem">The key should also be in your clipboard</p></li>`,
+        `<li><p><i>Event</i>: ${"result" in result.detail ? result.detail.result.key : result.detail.error}</p><p style="padding-left: 2.5rem">The key should also be in your clipboard</p></li>`,
         "text/xml",
     );
     const target = document.querySelector("#action-button-message-pad");
diff --git a/web/src/elements/buttons/TokenCopyButton/ak-token-copy-button.ts b/web/src/elements/buttons/TokenCopyButton/ak-token-copy-button.ts
index 268aa68f9f..d7717e0348 100644
--- a/web/src/elements/buttons/TokenCopyButton/ak-token-copy-button.ts
+++ b/web/src/elements/buttons/TokenCopyButton/ak-token-copy-button.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { writeToClipboard } from "#common/clipboard";
 import { parseAPIResponseError, pluckErrorDetail } from "#common/errors/network";
 import { MessageLevel } from "#common/messages";
@@ -46,7 +46,7 @@ export class AKTokenCopyButton extends BaseTaskButton<null> {
         }
 
         // Safari permission hack.
-        const data = new CoreApi(DEFAULT_CONFIG)
+        const data = aki(CoreApi)
             .coreTokensViewKeyRetrieve({ identifier })
             .then((tokenView) => new Blob([tokenView.key], { type: "text/plain" }));
 
diff --git a/web/src/elements/commands/ak-command-palette-user-modal.ts b/web/src/elements/commands/ak-command-palette-user-modal.ts
index 3fcd94c3cc..76811318f5 100644
--- a/web/src/elements/commands/ak-command-palette-user-modal.ts
+++ b/web/src/elements/commands/ak-command-palette-user-modal.ts
@@ -1,6 +1,6 @@
 import "#elements/LoadingOverlay";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { isCausedByAbortError } from "#common/errors/network";
 
 import { AKCommandPaletteModal } from "#elements/commands/ak-command-palette-modal";
@@ -17,7 +17,7 @@ import { customElement, state } from "lit/decorators.js";
 
 @customElement("ak-command-palette-user-modal")
 export class AKCommandPaletteUserModal extends AKCommandPaletteModal {
-    #api = new CoreApi(DEFAULT_CONFIG);
+    #api = aki(CoreApi);
     protected loadingOverlay = this.ownerDocument.createElement("ak-loading-overlay");
 
     public override placeholder = msg("Type a username or email address...", {
diff --git a/web/src/elements/controllers/BrandContextController.ts b/web/src/elements/controllers/BrandContextController.ts
index 7b72019a37..8e5f09e49d 100644
--- a/web/src/elements/controllers/BrandContextController.ts
+++ b/web/src/elements/controllers/BrandContextController.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ReactiveContextController } from "#elements/controllers/ReactiveContextController";
 import { BrandingContext, BrandingMixin } from "#elements/mixins/branding";
@@ -26,7 +26,7 @@ export class BrandingContextController extends ReactiveContextController<Current
     }
 
     protected apiEndpoint(requestInit?: RequestInit) {
-        return new CoreApi(DEFAULT_CONFIG).coreBrandsCurrentRetrieve(requestInit);
+        return aki(CoreApi).coreBrandsCurrentRetrieve(requestInit);
     }
 
     protected doRefresh(brand: CurrentBrand) {
diff --git a/web/src/elements/controllers/ConfigContextController.ts b/web/src/elements/controllers/ConfigContextController.ts
index 4fba2676e0..4e781090b6 100644
--- a/web/src/elements/controllers/ConfigContextController.ts
+++ b/web/src/elements/controllers/ConfigContextController.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ReactiveContextController } from "#elements/controllers/ReactiveContextController";
 import { AKConfigMixin, AuthentikConfigContext, kAKConfig } from "#elements/mixins/config";
@@ -30,7 +30,7 @@ export class ConfigContextController extends ReactiveContextController<Config> {
     }
 
     protected apiEndpoint(requestInit?: RequestInit) {
-        return new RootApi(DEFAULT_CONFIG).rootConfigRetrieve(requestInit);
+        return aki(RootApi).rootConfigRetrieve(requestInit);
     }
 
     protected doRefresh(authentikConfig: Config) {
diff --git a/web/src/elements/controllers/LicenseContextController.ts b/web/src/elements/controllers/LicenseContextController.ts
index 0cf7c4d7d0..b92fe5bb0e 100644
--- a/web/src/elements/controllers/LicenseContextController.ts
+++ b/web/src/elements/controllers/LicenseContextController.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH_ENTERPRISE } from "#common/constants";
 import { isGuest } from "#common/users";
 
@@ -29,7 +29,7 @@ export class LicenseContextController extends ReactiveContextController<LicenseS
     }
 
     protected apiEndpoint(requestInit?: RequestInit) {
-        return new EnterpriseApi(DEFAULT_CONFIG).enterpriseLicenseSummaryRetrieve({}, requestInit);
+        return aki(EnterpriseApi).enterpriseLicenseSummaryRetrieve({}, requestInit);
     }
 
     protected doRefresh(licenseSummary: LicenseSummary) {
diff --git a/web/src/elements/controllers/NotificationsContextController.ts b/web/src/elements/controllers/NotificationsContextController.ts
index 53aba4ef42..d5e515292f 100644
--- a/web/src/elements/controllers/NotificationsContextController.ts
+++ b/web/src/elements/controllers/NotificationsContextController.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { isAPIResultReady } from "#common/api/responses";
 import { actionToLabel } from "#common/labels";
 import { MessageLevel } from "#common/messages";
@@ -62,7 +62,7 @@ export class NotificationsContextController extends ReactiveContextController<No
 
         this.logger.debug("Fetching notifications...");
 
-        return new EventsApi(DEFAULT_CONFIG)
+        return aki(EventsApi)
             .eventsNotificationsList(
                 {
                     seen: false,
diff --git a/web/src/elements/controllers/SessionContextController.ts b/web/src/elements/controllers/SessionContextController.ts
index 30e1faadd6..5a570d441a 100644
--- a/web/src/elements/controllers/SessionContextController.ts
+++ b/web/src/elements/controllers/SessionContextController.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { type APIResult, isAPIResultReady } from "#common/api/responses";
 import { globalAK } from "#common/global";
 import { applyThemeChoice, formatColorScheme } from "#common/theme";
@@ -180,7 +180,7 @@ export class SessionContextController extends ReactiveContextController<APIResul
                 group,
                 weight,
                 action: async () => {
-                    await new CoreApi(DEFAULT_CONFIG).coreUsersImpersonateEndRetrieve();
+                    await aki(CoreApi).coreUsersImpersonateEndRetrieve();
                     window.location.reload();
                 },
             });
diff --git a/web/src/elements/controllers/VersionContextController.ts b/web/src/elements/controllers/VersionContextController.ts
index be8178c7ab..8f7220ceb0 100644
--- a/web/src/elements/controllers/VersionContextController.ts
+++ b/web/src/elements/controllers/VersionContextController.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { isGuest } from "#common/users";
 
 import { ReactiveContextController } from "#elements/controllers/ReactiveContextController";
@@ -27,7 +27,7 @@ export class VersionContextController extends ReactiveContextController<Version>
     }
 
     protected apiEndpoint(requestInit?: RequestInit) {
-        return new AdminApi(DEFAULT_CONFIG).adminVersionRetrieve(requestInit);
+        return aki(AdminApi).adminVersionRetrieve(requestInit);
     }
 
     protected doRefresh(version: Version) {
diff --git a/web/src/elements/decorators/listen.ts b/web/src/elements/decorators/listen.ts
index 52645a7586..2502102cc6 100644
--- a/web/src/elements/decorators/listen.ts
+++ b/web/src/elements/decorators/listen.ts
@@ -99,9 +99,7 @@ function registerEventCallbacks<T extends ListenerMixin>(target: T): ListenDecor
 
             if (!isEventListenerLike(listener)) {
                 throw new TypeError(
-                    `Listener "${String(
-                        propKey,
-                    )}" is not a valid event listener. It must be a function or an object with a handleEvent method.`,
+                    `Listener "${String(propKey)}" is not a valid event listener. It must be a function or an object with a handleEvent method.`,
                 );
             }
 
diff --git a/web/src/elements/forms/SearchSelect/stories/ak-search-select-view.stories.ts b/web/src/elements/forms/SearchSelect/stories/ak-search-select-view.stories.ts
index 6fa07142a3..6a99b8003f 100644
--- a/web/src/elements/forms/SearchSelect/stories/ak-search-select-view.stories.ts
+++ b/web/src/elements/forms/SearchSelect/stories/ak-search-select-view.stories.ts
@@ -47,11 +47,8 @@ const longGoodForYouPairs: SelectOptions<string> = {
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const displayChange = (ev: any) => {
-    document.getElementById("message-pad")!.innerText = `Value selected: ${JSON.stringify(
-        ev.value,
-        null,
-        2,
-    )}`;
+    document.getElementById("message-pad")!.innerText =
+        `Value selected: ${JSON.stringify(ev.value, null, 2)}`;
 };
 
 export const Default = () => {
diff --git a/web/src/elements/forms/stories/Radio.stories.ts b/web/src/elements/forms/stories/Radio.stories.ts
index 2940b7000b..e1d85cbc8b 100644
--- a/web/src/elements/forms/stories/Radio.stories.ts
+++ b/web/src/elements/forms/stories/Radio.stories.ts
@@ -45,11 +45,8 @@ const testOptions = [
 
 export const BasicRadioElement = () => {
     const displayChange = (ev: InputEvent) => {
-        document.getElementById("radio-message-pad")!.innerText = `Value selected: ${JSON.stringify(
-            (ev.target as HTMLInputElement)!.value,
-            null,
-            2,
-        )}`;
+        document.getElementById("radio-message-pad")!.innerText =
+            `Value selected: ${JSON.stringify((ev.target as HTMLInputElement)!.value, null, 2)}`;
     };
 
     return container(
diff --git a/web/src/elements/mixins/notifications.ts b/web/src/elements/mixins/notifications.ts
index cc15550995..a1401f295e 100644
--- a/web/src/elements/mixins/notifications.ts
+++ b/web/src/elements/mixins/notifications.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { APIResult, isAPIResultReady } from "#common/api/responses";
 import { MessageLevel } from "#common/messages";
 
@@ -117,7 +117,7 @@ export const WithNotifications = createMixin<NotificationsMixin>(
             ): Promise<void> => {
                 this.#logger.debug(`Marking notification ${notificationID} as read...`);
 
-                return new EventsApi(DEFAULT_CONFIG)
+                return aki(EventsApi)
                     .eventsNotificationsPartialUpdate(
                         {
                             uuid: notificationID || "",
@@ -131,7 +131,7 @@ export const WithNotifications = createMixin<NotificationsMixin>(
             };
 
             public clearNotifications = (): Promise<void> => {
-                return new EventsApi(DEFAULT_CONFIG)
+                return aki(EventsApi)
                     .eventsNotificationsMarkAllSeenCreate()
                     .then(() => {
                         showMessage({
diff --git a/web/src/elements/router/RouteMatch.ts b/web/src/elements/router/RouteMatch.ts
index 0b18e52ee3..3f3a4212c7 100644
--- a/web/src/elements/router/RouteMatch.ts
+++ b/web/src/elements/router/RouteMatch.ts
@@ -36,9 +36,7 @@ export class RouteMatch {
     }
 
     toString(): string {
-        return `<RouteMatch url=${this.sanitizedURL()} route=${this.route} arguments=${JSON.stringify(
-            this.arguments,
-        )}>`;
+        return `<RouteMatch url=${this.sanitizedURL()} route=${this.route} arguments=${JSON.stringify(this.arguments)}>`;
     }
 }
 
diff --git a/web/src/elements/tasks/ScheduleForm.ts b/web/src/elements/tasks/ScheduleForm.ts
index db0f883d48..24bc69b6c3 100644
--- a/web/src/elements/tasks/ScheduleForm.ts
+++ b/web/src/elements/tasks/ScheduleForm.ts
@@ -4,7 +4,7 @@ import "#elements/forms/FormGroup";
 import "#elements/forms/HorizontalFormElement";
 import "#elements/forms/ModalForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { ModelForm } from "#elements/forms/ModelForm";
 
@@ -18,7 +18,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-schedule-form")
 export class ScheduleForm extends ModelForm<Schedule, string> {
     async loadInstance(pk: string): Promise<Schedule> {
-        return new TasksApi(DEFAULT_CONFIG).tasksSchedulesRetrieve({
+        return aki(TasksApi).tasksSchedulesRetrieve({
             id: pk,
         });
     }
@@ -35,7 +35,7 @@ export class ScheduleForm extends ModelForm<Schedule, string> {
             return;
         }
 
-        return new TasksApi(DEFAULT_CONFIG).tasksSchedulesUpdate({
+        return aki(TasksApi).tasksSchedulesUpdate({
             id: this.instance.id,
             scheduleRequest: data,
         });
diff --git a/web/src/elements/tasks/ScheduleList.ts b/web/src/elements/tasks/ScheduleList.ts
index 0e9d0d7adc..21e00987a0 100644
--- a/web/src/elements/tasks/ScheduleList.ts
+++ b/web/src/elements/tasks/ScheduleList.ts
@@ -7,7 +7,7 @@ import "#elements/tasks/TaskList";
 import "#elements/tasks/TaskStatus";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { PaginatedResponse, Table, TableColumn, Timestamp } from "#elements/table/Table";
@@ -54,7 +54,7 @@ export class ScheduleList extends Table<Schedule> {
                 : this.showOnlyStandalone
                   ? true
                   : undefined;
-        return new TasksApi(DEFAULT_CONFIG).tasksSchedulesList({
+        return aki(TasksApi).tasksSchedulesList({
             ...(await this.defaultEndpointConfig()),
             relObjContentTypeAppLabel: this.relObjAppLabel,
             relObjContentTypeModel: this.relObjModel,
@@ -119,7 +119,7 @@ export class ScheduleList extends Table<Schedule> {
             html`<ak-action-button
                     class="pf-m-plain"
                     .apiRequest=${() => {
-                        return new TasksApi(DEFAULT_CONFIG)
+                        return aki(TasksApi)
                             .tasksSchedulesSendCreate({
                                 id: item.id,
                             })
diff --git a/web/src/elements/tasks/TaskList.ts b/web/src/elements/tasks/TaskList.ts
index 0298778b0d..217569c0a3 100644
--- a/web/src/elements/tasks/TaskList.ts
+++ b/web/src/elements/tasks/TaskList.ts
@@ -7,7 +7,7 @@ import "#elements/tasks/TaskStatus";
 import "#elements/tasks/TaskStatusSummary";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { PaginatedResponse, Table, TableColumn, Timestamp } from "#elements/table/Table";
@@ -86,9 +86,9 @@ export class TaskList extends Table<Task> {
               ]
             : undefined;
         if (this.includeOverview) {
-            this.status = await new TasksApi(DEFAULT_CONFIG).tasksTasksStatusRetrieve();
+            this.status = await aki(TasksApi).tasksTasksStatusRetrieve();
         }
-        return new TasksApi(DEFAULT_CONFIG).tasksTasksList({
+        return aki(TasksApi).tasksTasksList({
             ...(await this.defaultEndpointConfig()),
             relObjContentTypeAppLabel: this.relObjAppLabel,
             relObjContentTypeModel: this.relObjModel,
@@ -184,7 +184,7 @@ export class TaskList extends Table<Task> {
                 ? html`<ak-action-button
                       class="pf-m-plain"
                       .apiRequest=${() => {
-                          return new TasksApi(DEFAULT_CONFIG)
+                          return aki(TasksApi)
                               .tasksTasksRetryCreate({
                                   messageId: item.messageId ?? "",
                               })
diff --git a/web/src/elements/user/SessionList.ts b/web/src/elements/user/SessionList.ts
index 4339f9cc2a..41ce9f5cf1 100644
--- a/web/src/elements/user/SessionList.ts
+++ b/web/src/elements/user/SessionList.ts
@@ -1,6 +1,6 @@
 import "#elements/forms/DeleteBulkForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn, Timestamp } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -19,7 +19,7 @@ export class AuthenticatedSessionList extends Table<AuthenticatedSession> {
     targetUser!: string;
 
     async apiEndpoint(): Promise<PaginatedResponse<AuthenticatedSession>> {
-        return new CoreApi(DEFAULT_CONFIG).coreAuthenticatedSessionsList({
+        return aki(CoreApi).coreAuthenticatedSessionsList({
             ...(await this.defaultEndpointConfig()),
             userUsername: this.targetUser,
         });
@@ -51,12 +51,12 @@ export class AuthenticatedSessionList extends Table<AuthenticatedSession> {
                 ];
             }}
             .usedBy=${(item: AuthenticatedSession) => {
-                return new CoreApi(DEFAULT_CONFIG).coreAuthenticatedSessionsUsedByList({
+                return aki(CoreApi).coreAuthenticatedSessionsUsedByList({
                     uuid: item.uuid || "",
                 });
             }}
             .delete=${(item: AuthenticatedSession) => {
-                return new CoreApi(DEFAULT_CONFIG).coreAuthenticatedSessionsDestroy({
+                return aki(CoreApi).coreAuthenticatedSessionsDestroy({
                     uuid: item.uuid || "",
                 });
             }}
diff --git a/web/src/elements/user/UserConsentList.ts b/web/src/elements/user/UserConsentList.ts
index 8d05706ece..df8202c26d 100644
--- a/web/src/elements/user/UserConsentList.ts
+++ b/web/src/elements/user/UserConsentList.ts
@@ -2,7 +2,7 @@ import "#elements/chips/Chip";
 import "#elements/chips/ChipGroup";
 import "#elements/forms/DeleteBulkForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn, Timestamp } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -19,7 +19,7 @@ export class UserConsentList extends Table<UserConsent> {
     userId?: number;
 
     async apiEndpoint(): Promise<PaginatedResponse<UserConsent>> {
-        return new CoreApi(DEFAULT_CONFIG).coreUserConsentList({
+        return aki(CoreApi).coreUserConsentList({
             ...(await this.defaultEndpointConfig()),
             user: this.userId,
         });
@@ -55,12 +55,12 @@ export class UserConsentList extends Table<UserConsent> {
                 ];
             }}
             .usedBy=${(item: UserConsent) => {
-                return new CoreApi(DEFAULT_CONFIG).coreUserConsentUsedByList({
+                return aki(CoreApi).coreUserConsentUsedByList({
                     id: item.pk,
                 });
             }}
             .delete=${(item: UserConsent) => {
-                return new CoreApi(DEFAULT_CONFIG).coreUserConsentDestroy({
+                return aki(CoreApi).coreUserConsentDestroy({
                     id: item.pk,
                 });
             }}
diff --git a/web/src/elements/user/UserReputationList.ts b/web/src/elements/user/UserReputationList.ts
index 3f2d6e627d..9f20fdc771 100644
--- a/web/src/elements/user/UserReputationList.ts
+++ b/web/src/elements/user/UserReputationList.ts
@@ -1,6 +1,6 @@
 import "#elements/forms/DeleteBulkForm";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { PaginatedResponse, Table, TableColumn, Timestamp } from "#elements/table/Table";
 import { SlottedTemplateResult } from "#elements/types";
@@ -26,7 +26,7 @@ export class UserReputationList extends Table<Reputation> {
         if (this.targetEmail !== undefined) {
             identifiers.push(this.targetEmail);
         }
-        return new PoliciesApi(DEFAULT_CONFIG).policiesReputationScoresList({
+        return aki(PoliciesApi).policiesReputationScoresList({
             ...(await this.defaultEndpointConfig()),
             identifierIn: identifiers,
         });
@@ -53,12 +53,12 @@ export class UserReputationList extends Table<Reputation> {
             object-label=${msg("Reputation score(s)")}
             .objects=${this.selectedElements}
             .usedBy=${(item: Reputation) => {
-                return new PoliciesApi(DEFAULT_CONFIG).policiesReputationScoresUsedByList({
+                return aki(PoliciesApi).policiesReputationScoresUsedByList({
                     reputationUuid: item.pk || "",
                 });
             }}
             .delete=${(item: Reputation) => {
-                return new PoliciesApi(DEFAULT_CONFIG).policiesReputationScoresDestroy({
+                return aki(PoliciesApi).policiesReputationScoresDestroy({
                     reputationUuid: item.pk || "",
                 });
             }}
diff --git a/web/src/elements/user/sources/SourceSettings.ts b/web/src/elements/user/sources/SourceSettings.ts
index d6ad712daa..88ab287350 100644
--- a/web/src/elements/user/sources/SourceSettings.ts
+++ b/web/src/elements/user/sources/SourceSettings.ts
@@ -4,7 +4,7 @@ import "#elements/user/sources/SourceSettingsPlex";
 import "#elements/user/sources/SourceSettingsSAML";
 import "#elements/user/sources/SourceSettingsTelegram";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 
 import { AKElement } from "#elements/Base";
@@ -41,7 +41,7 @@ export class UserSourceSettingsPage extends AKElement {
         this.#abortController?.abort();
         this.#abortController = new AbortController();
 
-        const sourcesAPI = new SourcesApi(DEFAULT_CONFIG);
+        const sourcesAPI = aki(SourcesApi);
 
         const [sourceSettings, connections] = await Promise.all([
             sourcesAPI.sourcesAllUserSettingsList({
diff --git a/web/src/elements/user/sources/SourceSettingsOAuth.ts b/web/src/elements/user/sources/SourceSettingsOAuth.ts
index 6de4559f80..be5d088e41 100644
--- a/web/src/elements/user/sources/SourceSettingsOAuth.ts
+++ b/web/src/elements/user/sources/SourceSettingsOAuth.ts
@@ -1,6 +1,7 @@
 import "#elements/Spinner";
 
-import { AndNext, DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
+import { AndNext } from "#common/api/config";
 import { EVENT_REFRESH } from "#common/constants";
 import { parseAPIResponseError, pluckErrorDetail } from "#common/errors/network";
 import { MessageLevel } from "#common/messages";
@@ -18,7 +19,7 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-user-settings-source-oauth")
 export class SourceSettingsOAuth extends BaseUserSettings {
     protected disconnectSource(): Promise<void> {
-        return new SourcesApi(DEFAULT_CONFIG)
+        return aki(SourcesApi)
             .sourcesUserConnectionsOauthDestroy({
                 id: this.connectionPk,
             })
diff --git a/web/src/elements/user/sources/SourceSettingsPlex.ts b/web/src/elements/user/sources/SourceSettingsPlex.ts
index b35decf399..0664587d08 100644
--- a/web/src/elements/user/sources/SourceSettingsPlex.ts
+++ b/web/src/elements/user/sources/SourceSettingsPlex.ts
@@ -1,6 +1,6 @@
 import "#elements/Spinner";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 import { parseAPIResponseError, pluckErrorDetail } from "#common/errors/network";
 import { PlexAPIClient, popupCenterScreen } from "#common/helpers/plex";
@@ -19,7 +19,7 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-user-settings-source-plex")
 export class SourceSettingsPlex extends BaseUserSettings {
     protected disconnectSource(): Promise<void> {
-        return new SourcesApi(DEFAULT_CONFIG)
+        return aki(SourcesApi)
             .sourcesUserConnectionsPlexDestroy({
                 id: this.connectionPk,
             })
@@ -54,7 +54,7 @@ export class SourceSettingsPlex extends BaseUserSettings {
 
         PlexAPIClient.pinPoll(this.configureURL || "", authInfo.pin.id).then((token) => {
             authWindow?.close();
-            new SourcesApi(DEFAULT_CONFIG).sourcesPlexRedeemTokenAuthenticatedCreate({
+            aki(SourcesApi).sourcesPlexRedeemTokenAuthenticatedCreate({
                 plexTokenRedeemRequest: {
                     plexToken: token,
                 },
diff --git a/web/src/elements/user/sources/SourceSettingsSAML.ts b/web/src/elements/user/sources/SourceSettingsSAML.ts
index 7b247fb6c7..e2bbb3e135 100644
--- a/web/src/elements/user/sources/SourceSettingsSAML.ts
+++ b/web/src/elements/user/sources/SourceSettingsSAML.ts
@@ -1,6 +1,7 @@
 import "#elements/Spinner";
 
-import { AndNext, DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
+import { AndNext } from "#common/api/config";
 import { EVENT_REFRESH } from "#common/constants";
 import { parseAPIResponseError, pluckErrorDetail } from "#common/errors/network";
 import { MessageLevel } from "#common/messages";
@@ -17,7 +18,7 @@ import { customElement } from "lit/decorators.js";
 @customElement("ak-user-settings-source-saml")
 export class SourceSettingsSAML extends BaseUserSettings {
     protected disconnectSource(): Promise<void> {
-        return new SourcesApi(DEFAULT_CONFIG)
+        return aki(SourcesApi)
             .sourcesUserConnectionsSamlDestroy({
                 id: this.connectionPk,
             })
diff --git a/web/src/elements/user/sources/SourceSettingsTelegram.ts b/web/src/elements/user/sources/SourceSettingsTelegram.ts
index 267cf6f33c..b9aab2abdf 100644
--- a/web/src/elements/user/sources/SourceSettingsTelegram.ts
+++ b/web/src/elements/user/sources/SourceSettingsTelegram.ts
@@ -2,7 +2,7 @@ import "#elements/Spinner";
 
 import { loadTelegramWidget, TelegramUserResponse } from "../../../flow/sources/telegram/utils";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 import { parseAPIResponseError, pluckErrorDetail } from "#common/errors/network";
 import { MessageLevel } from "#common/messages";
@@ -23,7 +23,7 @@ export class SourceSettingsTelegram extends BaseUserSettings {
     connectBtnRef = createRef();
 
     protected disconnectSource(): Promise<void> {
-        return new SourcesApi(DEFAULT_CONFIG)
+        return aki(SourcesApi)
             .sourcesUserConnectionsTelegramDestroy({
                 id: this.connectionPk,
             })
@@ -74,7 +74,7 @@ export class SourceSettingsTelegram extends BaseUserSettings {
             botUsername,
             requestMessageAccess,
             (user: TelegramUserResponse) => {
-                new SourcesApi(DEFAULT_CONFIG)
+                aki(SourcesApi)
                     .sourcesTelegramConnectUserCreate({
                         slug: this.objectId,
                         telegramAuthRequest: {
diff --git a/web/src/flow/FlowExecutor.ts b/web/src/flow/FlowExecutor.ts
index b25e9bfbe2..c2c7af4fcf 100644
--- a/web/src/flow/FlowExecutor.ts
+++ b/web/src/flow/FlowExecutor.ts
@@ -10,7 +10,7 @@ import { FlowMultitabController } from "./controllers/FlowMultitabController";
 import { FlowWebsocketClientController } from "./controllers/FlowWebsocketClientController";
 import Styles from "./FlowExecutor.css" with { type: "bundled-text" };
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { APIError, parseAPIResponseError, pluckErrorDetail } from "#common/errors/network";
 import { globalAK } from "#common/global";
 import { configureSentry } from "#common/sentry/index";
@@ -159,7 +159,7 @@ export class FlowExecutor extends WithBrandConfig(Interface) implements StageHos
     constructor() {
         configureSentry();
         super();
-        this.#api = new FlowsApi(DEFAULT_CONFIG);
+        this.#api = aki(FlowsApi);
         this.addController(this.#flowIframeMessageController);
         this.addController(this.#flowMultitabController);
         this.addController(this.#flowWebsocketClientController);
diff --git a/web/src/flow/inspector/FlowInspector.ts b/web/src/flow/inspector/FlowInspector.ts
index 67c387c154..451ccc0a62 100644
--- a/web/src/flow/inspector/FlowInspector.ts
+++ b/web/src/flow/inspector/FlowInspector.ts
@@ -1,7 +1,7 @@
 import "#elements/EmptyState";
 import "#elements/Expand";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { APIError, parseAPIResponseError, pluckErrorDetail } from "#common/errors/network";
 
 import { AKElement } from "#elements/Base";
@@ -55,7 +55,7 @@ export class FlowInspector extends AKElement {
 
     @listen(AKFlowAdvanceEvent, { target: window })
     protected advanceHandler = (): void => {
-        new FlowsApi(DEFAULT_CONFIG)
+        aki(FlowsApi)
             .flowsInspectorGet({
                 flowSlug: this.flowSlug || "",
             })
diff --git a/web/src/flow/sources/plex/PlexLoginInit.ts b/web/src/flow/sources/plex/PlexLoginInit.ts
index 05a97eadf4..a0dcb720cc 100644
--- a/web/src/flow/sources/plex/PlexLoginInit.ts
+++ b/web/src/flow/sources/plex/PlexLoginInit.ts
@@ -1,7 +1,7 @@
 import "#elements/EmptyState";
 import "#flow/components/ak-flow-card";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { PlexAPIClient, popupCenterScreen } from "#common/helpers/plex";
 
 import { showAPIErrorMessage } from "#elements/messages/MessageContainer";
@@ -41,7 +41,7 @@ export class PlexLoginInit extends BaseStage<
         const authWindow = await popupCenterScreen(authInfo.authUrl, "plex auth", 550, 700);
         PlexAPIClient.pinPoll(this.challenge?.clientId || "", authInfo.pin.id).then((token) => {
             authWindow?.close();
-            new SourcesApi(DEFAULT_CONFIG)
+            aki(SourcesApi)
                 .sourcesPlexRedeemTokenCreate({
                     plexTokenRedeemRequest: {
                         plexToken: token,
diff --git a/web/src/flow/stages/authenticator_duo/AuthenticatorDuoStage.ts b/web/src/flow/stages/authenticator_duo/AuthenticatorDuoStage.ts
index 423d961e02..ad44d7d880 100644
--- a/web/src/flow/stages/authenticator_duo/AuthenticatorDuoStage.ts
+++ b/web/src/flow/stages/authenticator_duo/AuthenticatorDuoStage.ts
@@ -1,7 +1,7 @@
 import "#flow/FormStatic";
 import "#flow/components/ak-flow-card";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { SlottedTemplateResult } from "#elements/types";
 
@@ -48,9 +48,7 @@ export class AuthenticatorDuoStage extends BaseStage<
     }
 
     #checkEnrollStatus = async (): Promise<boolean> => {
-        const status = await new StagesApi(
-            DEFAULT_CONFIG,
-        ).stagesAuthenticatorDuoEnrollmentStatusCreate({
+        const status = await aki(StagesApi).stagesAuthenticatorDuoEnrollmentStatusCreate({
             stageUuid: this.challenge?.stageUuid || "",
         });
         console.debug(
diff --git a/web/src/flow/stages/authenticator_validate/AuthenticatorValidateStage.ts b/web/src/flow/stages/authenticator_validate/AuthenticatorValidateStage.ts
index 0eb253252a..d9372f6787 100644
--- a/web/src/flow/stages/authenticator_validate/AuthenticatorValidateStage.ts
+++ b/web/src/flow/stages/authenticator_validate/AuthenticatorValidateStage.ts
@@ -5,7 +5,7 @@ import "#flow/stages/authenticator_validate/AuthenticatorValidateStageWebAuthn";
 
 import Styles from "./AuthenticatorValidateStage.css";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { SlottedTemplateResult } from "#elements/types";
 import { StrictUnsafe } from "#elements/utils/unsafe";
@@ -117,7 +117,7 @@ export class AuthenticatorValidateStage
         Styles,
     ];
 
-    #api = new FlowsApi(DEFAULT_CONFIG);
+    #api = aki(FlowsApi);
 
     public flowSlug = "";
 
diff --git a/web/src/flow/stages/captcha/CaptchaStage.ts b/web/src/flow/stages/captcha/CaptchaStage.ts
index 1806123cbd..51859f2596 100644
--- a/web/src/flow/stages/captcha/CaptchaStage.ts
+++ b/web/src/flow/stages/captcha/CaptchaStage.ts
@@ -464,9 +464,7 @@ export class CaptchaStage
             rest.some((C) => C !== GReCaptchaController)
         ) {
             this.#logger.debug(
-                `Other CAPTCHA providers were also available: ${rest
-                    .map((C) => C?.globalName ?? "unknown")
-                    .join(", ")}`,
+                `Other CAPTCHA providers were also available: ${rest.map((C) => C?.globalName ?? "unknown").join(", ")}`,
             );
         }
 
diff --git a/web/src/rac/index.entrypoint.ts b/web/src/rac/index.entrypoint.ts
index 23641ebdc5..9c47ca5565 100644
--- a/web/src/rac/index.entrypoint.ts
+++ b/web/src/rac/index.entrypoint.ts
@@ -131,9 +131,7 @@ export class RacInterface extends WithBrandConfig(Interface) {
 
     async firstUpdated(): Promise<void> {
         this.updateTitle();
-        const wsUrl = `${window.location.protocol.replace("http", "ws")}//${
-            window.location.host
-        }/ws/rac/${this.token}/`;
+        const wsUrl = `${window.location.protocol.replace("http", "ws")}//${window.location.host}/ws/rac/${this.token}/`;
         this.tunnel = new Guacamole.WebSocketTunnel(wsUrl);
         this.tunnel.receiveTimeout = 10 * 1000; // 10 seconds
         this.tunnel.onerror = (status) => {
diff --git a/web/src/user/LibraryApplication/RACLaunchEndpointModal.ts b/web/src/user/LibraryApplication/RACLaunchEndpointModal.ts
index 5cab72da88..c3708e4076 100644
--- a/web/src/user/LibraryApplication/RACLaunchEndpointModal.ts
+++ b/web/src/user/LibraryApplication/RACLaunchEndpointModal.ts
@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 
 import { AKModal } from "#elements/dialogs/ak-modal";
 import { PaginatedResponse, Table, TableColumn } from "#elements/table/Table";
@@ -39,7 +39,7 @@ export class RACLaunchEndpointLaunch extends Table<Endpoint> {
     }
 
     protected override async apiEndpoint(): Promise<PaginatedResponse<Endpoint>> {
-        const endpoints = await new RacApi(DEFAULT_CONFIG).racEndpointsList({
+        const endpoints = await aki(RacApi).racEndpointsList({
             ...(await this.defaultEndpointConfig()),
             provider: this.app?.provider || 0,
         });
diff --git a/web/src/user/LibraryPage/ak-library.ts b/web/src/user/LibraryPage/ak-library.ts
index 7ad67004f5..72d2f74ad1 100644
--- a/web/src/user/LibraryPage/ak-library.ts
+++ b/web/src/user/LibraryPage/ak-library.ts
@@ -1,7 +1,7 @@
 import "#elements/EmptyState";
 import "./ak-library-impl.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { APIResult } from "#common/api/responses";
 import { parseAPIResponseError, pluckErrorDetail } from "#common/errors/network";
 
@@ -25,7 +25,7 @@ import { customElement, state } from "lit/decorators.js";
  *
  */
 
-const coreApi = () => new CoreApi(DEFAULT_CONFIG);
+const coreApi = () => aki(CoreApi);
 
 @customElement("ak-library")
 export class LibraryPage extends AKElement {
diff --git a/web/src/user/user-settings/UserSettingsPage.ts b/web/src/user/user-settings/UserSettingsPage.ts
index 732d915019..a65a0a2915 100644
--- a/web/src/user/user-settings/UserSettingsPage.ts
+++ b/web/src/user/user-settings/UserSettingsPage.ts
@@ -7,7 +7,7 @@ import "#user/user-settings/details/UserSettingsFlowExecutor";
 import "#user/user-settings/mfa/MFADevicesPage";
 import "#user/user-settings/tokens/UserTokenList";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { EVENT_REFRESH } from "#common/constants";
 import { startAccountLockdown } from "#common/users";
 
@@ -57,7 +57,7 @@ export class UserSettingsPage extends WithLicenseSummary(WithSession(AKElement))
         Styles,
     ];
 
-    protected stagesAPI = new StagesApi(DEFAULT_CONFIG);
+    protected stagesAPI = aki(StagesApi);
 
     @state()
     protected userSettings: UserSetting[] | null = null;
diff --git a/web/src/user/user-settings/details/UserSettingsFlowExecutor.ts b/web/src/user/user-settings/details/UserSettingsFlowExecutor.ts
index 40880604bc..bb4df3a0f2 100644
--- a/web/src/user/user-settings/details/UserSettingsFlowExecutor.ts
+++ b/web/src/user/user-settings/details/UserSettingsFlowExecutor.ts
@@ -1,6 +1,6 @@
 import "#user/user-settings/details/stages/prompt/PromptStage";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { APIError, parseAPIResponseError, pluckErrorDetail } from "#common/errors/network";
 import { globalAK } from "#common/global";
 import { MessageLevel } from "#common/messages";
@@ -66,7 +66,7 @@ export class UserSettingsFlowExecutor
         // @ts-expect-error Component is too generic for Typescript here.
         payload.component = this.challenge.component;
         this.loading = true;
-        return new FlowsApi(DEFAULT_CONFIG)
+        return aki(FlowsApi)
             .flowsExecutorSolve({
                 flowSlug: this.flowSlug || "",
                 query: window.location.search.substring(1),
@@ -106,7 +106,7 @@ export class UserSettingsFlowExecutor
     async nextChallenge(): Promise<void> {
         this.loading = true;
 
-        return new FlowsApi(DEFAULT_CONFIG)
+        return aki(FlowsApi)
             .flowsExecutorGet({
                 flowSlug: this.flowSlug || "",
                 query: window.location.search.substring(1),
diff --git a/web/src/user/user-settings/mfa/MFADeviceForm.ts b/web/src/user/user-settings/mfa/MFADeviceForm.ts
index 667e1b0b89..ce9f49e538 100644
--- a/web/src/user/user-settings/mfa/MFADeviceForm.ts
+++ b/web/src/user/user-settings/mfa/MFADeviceForm.ts
@@ -1,6 +1,6 @@
 import "#elements/forms/HorizontalFormElement";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { SentryIgnoredError } from "#common/sentry/index";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -18,7 +18,7 @@ export class MFADeviceForm extends ModelForm<Device, string> {
     deviceType!: string;
 
     async loadInstance(pk: string): Promise<Device> {
-        const devices = await new AuthenticatorsApi(DEFAULT_CONFIG).authenticatorsAllList();
+        const devices = await aki(AuthenticatorsApi).authenticatorsAllList();
         return devices.filter((device) => {
             return device.pk === pk && device.type === this.deviceType;
         })[0];
@@ -31,37 +31,37 @@ export class MFADeviceForm extends ModelForm<Device, string> {
     async send(device: Device): Promise<Device> {
         switch (this.instance?.type) {
             case "authentik_stages_authenticator_duo.DuoDevice":
-                await new AuthenticatorsApi(DEFAULT_CONFIG).authenticatorsDuoUpdate({
+                await aki(AuthenticatorsApi).authenticatorsDuoUpdate({
                     id: parseInt(this.instance?.pk, 10),
                     duoDeviceRequest: device,
                 });
                 break;
             case "authentik_stages_authenticator_email.EmailDevice":
-                await new AuthenticatorsApi(DEFAULT_CONFIG).authenticatorsEmailUpdate({
+                await aki(AuthenticatorsApi).authenticatorsEmailUpdate({
                     id: parseInt(this.instance?.pk, 10),
                     emailDeviceRequest: device,
                 });
                 break;
             case "authentik_stages_authenticator_sms.SMSDevice":
-                await new AuthenticatorsApi(DEFAULT_CONFIG).authenticatorsSmsUpdate({
+                await aki(AuthenticatorsApi).authenticatorsSmsUpdate({
                     id: parseInt(this.instance?.pk, 10),
                     sMSDeviceRequest: device,
                 });
                 break;
             case "authentik_stages_authenticator_totp.TOTPDevice":
-                await new AuthenticatorsApi(DEFAULT_CONFIG).authenticatorsTotpUpdate({
+                await aki(AuthenticatorsApi).authenticatorsTotpUpdate({
                     id: parseInt(this.instance?.pk, 10),
                     tOTPDeviceRequest: device,
                 });
                 break;
             case "authentik_stages_authenticator_static.StaticDevice":
-                await new AuthenticatorsApi(DEFAULT_CONFIG).authenticatorsStaticUpdate({
+                await aki(AuthenticatorsApi).authenticatorsStaticUpdate({
                     id: parseInt(this.instance?.pk, 10),
                     staticDeviceRequest: device,
                 });
                 break;
             case "authentik_stages_authenticator_webauthn.WebAuthnDevice":
-                await new AuthenticatorsApi(DEFAULT_CONFIG).authenticatorsWebauthnUpdate({
+                await aki(AuthenticatorsApi).authenticatorsWebauthnUpdate({
                     id: parseInt(this.instance?.pk, 10),
                     webAuthnDeviceRequest: device,
                 });
diff --git a/web/src/user/user-settings/mfa/MFADevicesPage.ts b/web/src/user/user-settings/mfa/MFADevicesPage.ts
index b5baff0828..e465e30059 100644
--- a/web/src/user/user-settings/mfa/MFADevicesPage.ts
+++ b/web/src/user/user-settings/mfa/MFADevicesPage.ts
@@ -6,7 +6,8 @@ import "#elements/forms/ModalForm";
 import "#user/user-settings/mfa/MFADeviceForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { AndNext, DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
+import { AndNext } from "#common/api/config";
 import { createPaginatedResponse } from "#common/api/responses";
 import { globalAK } from "#common/global";
 import { deviceTypeName } from "#common/labels";
@@ -38,7 +39,7 @@ export class MFADevicesPage extends Table<Device> {
     protected override emptyStateMessage = msg("No MFA devices enrolled.");
 
     async apiEndpoint(): Promise<PaginatedResponse<Device>> {
-        const devices = await new AuthenticatorsApi(DEFAULT_CONFIG).authenticatorsAllList();
+        const devices = await aki(AuthenticatorsApi).authenticatorsAllList();
         return createPaginatedResponse(devices);
     }
 
@@ -104,7 +105,7 @@ export class MFADevicesPage extends Table<Device> {
     }
 
     async deleteWrapper(device: Device) {
-        const api = new AuthenticatorsApi(DEFAULT_CONFIG);
+        const api = aki(AuthenticatorsApi);
         const id = { id: parseInt(device.pk, 10) };
         switch (device.type) {
             case "authentik_stages_authenticator_duo.DuoDevice":
diff --git a/web/src/user/user-settings/tokens/UserTokenForm.ts b/web/src/user/user-settings/tokens/UserTokenForm.ts
index 6a7db04daa..854b9fe4e2 100644
--- a/web/src/user/user-settings/tokens/UserTokenForm.ts
+++ b/web/src/user/user-settings/tokens/UserTokenForm.ts
@@ -1,7 +1,7 @@
 import "#elements/forms/HorizontalFormElement";
 import "#components/ak-text-input";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { dateTimeLocal } from "#common/temporal";
 
 import { ModelForm } from "#elements/forms/ModelForm";
@@ -21,7 +21,7 @@ export class UserTokenForm extends ModelForm<Token, string> {
     intent: IntentEnum = IntentEnum.Api;
 
     loadInstance(pk: string): Promise<Token> {
-        return new CoreApi(DEFAULT_CONFIG).coreTokensRetrieve({
+        return aki(CoreApi).coreTokensRetrieve({
             identifier: pk,
         });
     }
@@ -35,13 +35,13 @@ export class UserTokenForm extends ModelForm<Token, string> {
     async send(data: Token): Promise<Token> {
         if (this.instance) {
             data.intent = this.instance.intent;
-            return new CoreApi(DEFAULT_CONFIG).coreTokensUpdate({
+            return aki(CoreApi).coreTokensUpdate({
                 identifier: this.instance.identifier,
                 tokenRequest: data,
             });
         }
         data.intent = this.intent;
-        return new CoreApi(DEFAULT_CONFIG).coreTokensCreate({
+        return aki(CoreApi).coreTokensCreate({
             tokenRequest: data,
         });
     }
diff --git a/web/src/user/user-settings/tokens/UserTokenList.ts b/web/src/user/user-settings/tokens/UserTokenList.ts
index 11b2caa8e7..59c743304a 100644
--- a/web/src/user/user-settings/tokens/UserTokenList.ts
+++ b/web/src/user/user-settings/tokens/UserTokenList.ts
@@ -7,7 +7,7 @@ import "#elements/forms/ModalForm";
 import "#user/user-settings/tokens/UserTokenForm";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
-import { DEFAULT_CONFIG } from "#common/api/config";
+import { aki } from "#common/api/client";
 import { intentToLabel } from "#common/labels";
 import { formatElapsedTime } from "#common/temporal";
 
@@ -45,7 +45,7 @@ export class UserTokenList extends Table<Token> {
             currentUser = session ? session.user : null;
         }
 
-        return new CoreApi(DEFAULT_CONFIG).coreTokensList({
+        return aki(CoreApi).coreTokensList({
             ...(await this.defaultEndpointConfig()),
             managed: "",
             // The user might have access to other tokens that aren't for their user
@@ -146,7 +146,7 @@ export class UserTokenList extends Table<Token> {
             .objects=${this.selectedElements}
             .metadata=${(item: Token) => [{ key: msg("Identifier"), value: item.identifier }]}
             .delete=${(item: Token) =>
-                new CoreApi(DEFAULT_CONFIG).coreTokensDestroy({
+                aki(CoreApi).coreTokensDestroy({
                     identifier: item.identifier,
                 })}
         >

From f4ed90fcaf28c8149fb48af1b3d592622805b6c2 Mon Sep 17 00:00:00 2001
From: "Jens L." <jens@goauthentik.io>
Date: Tue, 9 Jun 2026 01:37:58 +0200
Subject: [PATCH 11/68] tests/e2e: bump selenium and ak-agent to fix endpoint
 tests (#22942)

---
 tests/e2e/compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/e2e/compose.yml b/tests/e2e/compose.yml
index 73c8677c5b..c48809c500 100644
--- a/tests/e2e/compose.yml
+++ b/tests/e2e/compose.yml
@@ -1,6 +1,6 @@
 services:
   chromium:
-    image: ghcr.io/goauthentik/selenium:148.0-ak-0.43.2
+    image: ghcr.io/goauthentik/selenium:148.0-ak-0.44.3
     shm_size: 2g
     network_mode: host
     restart: always

From d907426a86b3df9d5402954190a40dc5434897db Mon Sep 17 00:00:00 2001
From: frankvoelker <70319084+frankvoelker@users.noreply.github.com>
Date: Tue, 9 Jun 2026 07:38:12 +0200
Subject: [PATCH 12/68] website/integations: update wazuh SAML configuration
 (#22568)

* fixing wazuh integration Readme

Signed-off-by: frankvoelker <70319084+frankvoelker@users.noreply.github.com>

* Update index.mdx (minor fixes)

Signed-off-by: frankvoelker <70319084+frankvoelker@users.noreply.github.com>

* Add warning and update issuer and entity id

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

* Update website/integrations/monitoring/wazuh/index.mdx

Signed-off-by: Dominic R <dominic@goauthentik.io>

* Update website/integrations/monitoring/wazuh/index.mdx

Signed-off-by: Dominic R <dominic@goauthentik.io>

---------

Signed-off-by: frankvoelker <70319084+frankvoelker@users.noreply.github.com>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@goauthentik.io>
---
 .../integrations/monitoring/wazuh/index.mdx   | 22 ++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/website/integrations/monitoring/wazuh/index.mdx b/website/integrations/monitoring/wazuh/index.mdx
index 672d73f5a3..df1555b334 100644
--- a/website/integrations/monitoring/wazuh/index.mdx
+++ b/website/integrations/monitoring/wazuh/index.mdx
@@ -52,6 +52,12 @@ To support the integration of Wazuh with authentik, you need to create a group,
 
 ### Create an application and provider in authentik
 
+:::warning SAML provider changes in authentik 2026.5
+authentik 2026.5 introduces changes to how the SAML provider behaves. Specifically, the provider now automatically sets the **Issuer** value to: `https://authentik.company/application/saml/<application_slug>/metadata/`
+
+Older versions of authentik set this value to `authentik` by default. If you're running an older version, please set **Issuer** to `https://authentik.company/application/saml/<application_slug>/metadata/`, where `<application_slug>` is the **slug** that you selected for the application.
+:::
+
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
 
@@ -200,7 +206,7 @@ And the `metadata_file`, `kibana_url`, and `exchange_key` parameters in the `sam
 
     Click **Save role mapping**
 
-4. On the Wazuh Dashboard server, add these lines to the `/etc/wazuh-dashboard/opensearch_dashboards.yml` file:
+4. On the Wazuh Dashboard server, add these lines to the `/etc/wazuh-dashboard/opensearch_dashboards.yml` file. If the entry `opensearch_security.session.keepalive` already exists in your config, change it to `false`.
 
     ```yaml showLineNumbers
     opensearch_security.auth.type: "saml"
@@ -213,6 +219,20 @@ And the `metadata_file`, `kibana_url`, and `exchange_key` parameters in the `sam
     opensearch_security.session.keepalive: false
     ```
 
+    Use this config block if you want to use both authentication methods (username/password and SSO):
+
+    ```yaml showLineNumbers
+    opensearch_security.auth.type: ["basicauth", "saml"]
+    opensearch_security.auth.multiple_auth_enabled: true
+    server.xsrf.allowlist:
+        [
+            "/_opendistro/_security/saml/acs",
+            "/_opendistro/_security/saml/logout",
+            "/_opendistro/_security/saml/acs/idpinitiated",
+        ]
+    opensearch_security.session.keepalive: false
+    ```
+
 5. Restart the Wazuh dashboard service using the following command:
 
     ```bash

From ed69aa60243081db0165e07409da29ba1311421f Mon Sep 17 00:00:00 2001
From: "Jens L." <jens@goauthentik.io>
Date: Tue, 9 Jun 2026 11:19:55 +0200
Subject: [PATCH 13/68] endpoints/connectors/agent: fix exception with invalid
 auth type (#22943)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 .../endpoints/connectors/agent/api/connectors.py      | 11 ++++-------
 .../connectors/agent/tests/test_agent_api.py          |  8 ++++++++
 schema.yml                                            |  6 ------
 3 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/authentik/endpoints/connectors/agent/api/connectors.py b/authentik/endpoints/connectors/agent/api/connectors.py
index 9c62448cad..e787ae271b 100644
--- a/authentik/endpoints/connectors/agent/api/connectors.py
+++ b/authentik/endpoints/connectors/agent/api/connectors.py
@@ -7,7 +7,7 @@ from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_sche
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import ChoiceField
-from rest_framework.permissions import AllowAny, IsAuthenticated
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -118,8 +118,7 @@ class AgentConnectorViewSet(
         methods=["POST"],
         detail=False,
         authentication_classes=[AgentEnrollmentAuth],
-        # Permissions are handled via AgentEnrollmentAuth
-        permission_classes=[AllowAny],
+        permission_classes=[IsAuthenticated],
     )
     def enroll(self, request: Request):
         token: EnrollmentToken = request.auth
@@ -154,8 +153,7 @@ class AgentConnectorViewSet(
         methods=["GET"],
         detail=False,
         authentication_classes=[AgentAuth],
-        # Permissions are handled via AgentAuth
-        permission_classes=[AllowAny],
+        permission_classes=[IsAuthenticated],
     )
     def agent_config(self, request: Request):
         token: DeviceToken = request.auth
@@ -174,8 +172,7 @@ class AgentConnectorViewSet(
         methods=["POST"],
         detail=False,
         authentication_classes=[AgentAuth],
-        # Permissions are handled via AgentAuth
-        permission_classes=[AllowAny],
+        permission_classes=[IsAuthenticated],
     )
     def check_in(self, request: Request):
         token: DeviceToken = request.auth
diff --git a/authentik/endpoints/connectors/agent/tests/test_agent_api.py b/authentik/endpoints/connectors/agent/tests/test_agent_api.py
index 17758729b8..d107283a1f 100644
--- a/authentik/endpoints/connectors/agent/tests/test_agent_api.py
+++ b/authentik/endpoints/connectors/agent/tests/test_agent_api.py
@@ -124,6 +124,14 @@ class TestAgentAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 403)
 
+    @reconcile_app("authentik_crypto")
+    def test_config_none(self):
+        response = self.client.get(
+            reverse("authentik_api:agentconnector-agent-config"),
+            HTTP_AUTHORIZATION="Bearer foo",
+        )
+        self.assertEqual(response.status_code, 403)
+
     def test_check_in(self):
         response = self.client.post(
             reverse("authentik_api:agentconnector-check-in"),
diff --git a/schema.yml b/schema.yml
index 37e0cf251f..80ccf73303 100644
--- a/schema.yml
+++ b/schema.yml
@@ -5386,8 +5386,6 @@ paths:
         using this object
       tags:
       - endpoints
-      security:
-      - {}
       responses:
         '200':
           content:
@@ -5457,8 +5455,6 @@ paths:
           application/json:
             schema:
               $ref: '#/components/schemas/DeviceFactsRequest'
-      security:
-      - {}
       responses:
         '204':
           description: Successfully checked in
@@ -5479,8 +5475,6 @@ paths:
             schema:
               $ref: '#/components/schemas/EnrollRequest'
         required: true
-      security:
-      - {}
       responses:
         '200':
           content:

From 72cbd237f97a9720277f0aa20c16c045cb669d93 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 14:16:23 +0200
Subject: [PATCH 14/68] ci: bump codecov/codecov-action from 6.0.1 to 7.0.0 in
 /.github/actions/test-results (#22949)

ci: bump codecov/codecov-action in /.github/actions/test-results

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 6.0.1 to 7.0.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/e79a6962e0d4c0c17b229090214935d2e33f8354...fb8b3582c8e4def4969c97caa2f19720cb33a72f)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/actions/test-results/action.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/actions/test-results/action.yml b/.github/actions/test-results/action.yml
index 017453bbee..7d5b037b95 100644
--- a/.github/actions/test-results/action.yml
+++ b/.github/actions/test-results/action.yml
@@ -10,12 +10,12 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v5
+    - uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v5
       with:
         files: ${{ inputs.files }}
         flags: ${{ inputs.flags }}
         use_oidc: true
-    - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v5
+    - uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v5
       with:
         files: ${{ inputs.files }}
         flags: ${{ inputs.flags }}

From 20bc560087efd429f589e181d666fccfac8f3e1e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 14:16:32 +0200
Subject: [PATCH 15/68] ci: bump taiki-e/install-action from 2.81.2 to 2.81.7
 in /.github/actions/setup (#22948)

ci: bump taiki-e/install-action in /.github/actions/setup

Bumps [taiki-e/install-action](https://github.com/taiki-e/install-action) from 2.81.2 to 2.81.7.
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/taiki-e/install-action/compare/6887963ccf37a9ddcd8c5fa4baeb3e1e5fd61fa1...56545b37b57562edd73171cb6c62cc509db4c34e)

---
updated-dependencies:
- dependency-name: taiki-e/install-action
  dependency-version: 2.81.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/actions/setup/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index 074d6e1031..32951050d2 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -64,7 +64,7 @@ runs:
         rustflags: ""
     - name: Setup rust dependencies
       if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@6887963ccf37a9ddcd8c5fa4baeb3e1e5fd61fa1 # v2
+      uses: taiki-e/install-action@56545b37b57562edd73171cb6c62cc509db4c34e # v2
       with:
         tool: cargo-deny cargo-machete cargo-llvm-cov nextest
     - name: Setup node (root, web)

From 29550745e0d23aba62e06699b87c81e91fb57e63 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 14:16:41 +0200
Subject: [PATCH 16/68] ci: bump int128/docker-manifest-create-action from
 2.21.0 to 2.22.0 (#22946)

Bumps [int128/docker-manifest-create-action](https://github.com/int128/docker-manifest-create-action) from 2.21.0 to 2.22.0.
- [Release notes](https://github.com/int128/docker-manifest-create-action/releases)
- [Commits](https://github.com/int128/docker-manifest-create-action/compare/b9d644eaa3312dd895ffdafb19333a7b266e6ba9...126c2b2195800ebc112cffe9ad6c2e2cce16eff2)

---
updated-dependencies:
- dependency-name: int128/docker-manifest-create-action
  dependency-version: 2.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/_reusable-docker-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/_reusable-docker-build.yml b/.github/workflows/_reusable-docker-build.yml
index f95c684289..676c3e22ca 100644
--- a/.github/workflows/_reusable-docker-build.yml
+++ b/.github/workflows/_reusable-docker-build.yml
@@ -90,7 +90,7 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@b9d644eaa3312dd895ffdafb19333a7b266e6ba9 # v2
+      - uses: int128/docker-manifest-create-action@126c2b2195800ebc112cffe9ad6c2e2cce16eff2 # v2
         id: build
         with:
           tags: ${{ matrix.tag }}

From acac105febc61a9248a0bd3124bcc5a96d5dac2f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 14:17:19 +0200
Subject: [PATCH 17/68] web: bump the eslint group across 1 directory with 3
 updates (#22945)

Bumps the eslint group with 1 update in the /web directory: [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin).


Updates `@typescript-eslint/eslint-plugin` from 8.60.0 to 8.60.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.1/packages/eslint-plugin)

Updates `@typescript-eslint/parser` from 8.60.0 to 8.61.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.0/packages/parser)

Updates `@typescript-eslint/utils` from 8.60.0 to 8.60.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/utils/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.1/packages/utils)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.60.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: eslint
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.61.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: eslint
- dependency-name: "@typescript-eslint/utils"
  dependency-version: 8.60.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: eslint
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 web/package-lock.json | 250 +++++++++++++++++++++---------------------
 web/package.json      |   2 +-
 2 files changed, 126 insertions(+), 126 deletions(-)

diff --git a/web/package-lock.json b/web/package-lock.json
index 6ef9240c53..32c0d7c6eb 100644
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -55,7 +55,7 @@
                 "@types/node": "^25.7.0",
                 "@types/react": "^19.2.14",
                 "@types/react-dom": "^19.2.3",
-                "@typescript-eslint/eslint-plugin": "^8.60.0",
+                "@typescript-eslint/eslint-plugin": "^8.60.1",
                 "@typescript-eslint/parser": "^8.60.0",
                 "@typescript-eslint/utils": "^8.60.0",
                 "@typescript/native-preview": "^7.0.0-dev.20260510.1",
@@ -5604,16 +5604,16 @@
             "license": "MIT"
         },
         "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.60.0.tgz",
-            "integrity": "sha512-QYb/sa74/s7OKMbACMjrYnGspj9Hs5YI5aaffSL65UfeBUzVzBJfVo3oWSpbzPurvm7yaCCo2Lk7lVj610HqKw==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.60.1.tgz",
+            "integrity": "sha512-JQ4S5GB0tfjO8BuJ4fcX+HodkzJjYBV+7OJ+wLygaX7OGQ7FudyHL4NSCA6ob+w3Yn+5MkKIozOwQhXeM7opVg==",
             "license": "MIT",
             "dependencies": {
                 "@eslint-community/regexpp": "^4.12.2",
-                "@typescript-eslint/scope-manager": "8.60.0",
-                "@typescript-eslint/type-utils": "8.60.0",
-                "@typescript-eslint/utils": "^8.60.0",
-                "@typescript-eslint/visitor-keys": "8.60.0",
+                "@typescript-eslint/scope-manager": "8.60.1",
+                "@typescript-eslint/type-utils": "8.60.1",
+                "@typescript-eslint/utils": "8.60.1",
+                "@typescript-eslint/visitor-keys": "8.60.1",
                 "ignore": "^7.0.5",
                 "natural-compare": "^1.4.0",
                 "ts-api-utils": "^2.5.0"
@@ -5626,19 +5626,19 @@
                 "url": "https://opencollective.com/typescript-eslint"
             },
             "peerDependencies": {
-                "@typescript-eslint/parser": "^8.60.0",
+                "@typescript-eslint/parser": "^8.60.1",
                 "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
                 "typescript": ">=4.8.4 <6.1.0"
             }
         },
         "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/scope-manager": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.60.0.tgz",
-            "integrity": "sha512-pFzqhllJMs+jghLQWzV00ds39xLzuyqPSev5pd8f4Ir0rtKR3ZLUB4/4dhjOFighWb9larvtfJvqL+4yKDI3Xw==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.60.1.tgz",
+            "integrity": "sha512-gvI5OQoptnxQnchOirukCuQ55svJSTuD/4k5+pC267xyBtYry748R9/c3tYUzb/iE6RZfllRz2lVulLCHkTm4w==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.60.0",
-                "@typescript-eslint/visitor-keys": "8.60.0"
+                "@typescript-eslint/types": "8.60.1",
+                "@typescript-eslint/visitor-keys": "8.60.1"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -5649,9 +5649,9 @@
             }
         },
         "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/types": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.60.0.tgz",
-            "integrity": "sha512-AsE7x2XaAK+CVbeih0Fvbn+r1qHxtpLDJ3XUuFcIinT318T90yHMJC+Zgv+jUuDjQQd06HKwxnDu6sz1IcTilA==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.60.1.tgz",
+            "integrity": "sha512-4h0tY8ppCkdCzcrl2YM5M3my0xsE1Tf8om3owEu5oPWmXwkKRmk0j0LGDzYBGUcAlesEbxBhazqu/K4cu3Ug7w==",
             "license": "MIT",
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -5662,12 +5662,12 @@
             }
         },
         "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/visitor-keys": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.60.0.tgz",
-            "integrity": "sha512-9WI52t8ZGLVGrPMBet25yAftqY/n95+zmoUUtJBBQTKDSKUu7OsPTroT2op7U9JatkoRccL0YkWDNMFfC4Sjxg==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.60.1.tgz",
+            "integrity": "sha512-EbGRQg4FhrmwLodl+t3JNAnXHWVr9Vp+Zl1QBZVPY4ByfkzIT8cX3K6QWODHtkIZqqJVEWvhHSx3v5PDHsaQag==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.60.0",
+                "@typescript-eslint/types": "8.60.1",
                 "eslint-visitor-keys": "^5.0.0"
             },
             "engines": {
@@ -5700,15 +5700,15 @@
             }
         },
         "node_modules/@typescript-eslint/parser": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.60.0.tgz",
-            "integrity": "sha512-fcqpj/MyK4sxDPcbe7STNPbpQL4RLZOPWuaTmwZYuc+hJKzRf58yRxfhqGpc6PIq9ZyfSBpfHgmUHmHs0KwHwg==",
+            "version": "8.61.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.61.0.tgz",
+            "integrity": "sha512-5B7PfA2e1NQGCnDHd/0lW7W3gvp3d59Ryw54FYO8Uswxo9f6ikw3AZV+Xj/TvpImmpsiYyUqAfhC6kJID1jF6w==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/scope-manager": "8.60.0",
-                "@typescript-eslint/types": "8.60.0",
-                "@typescript-eslint/typescript-estree": "8.60.0",
-                "@typescript-eslint/visitor-keys": "8.60.0",
+                "@typescript-eslint/scope-manager": "8.61.0",
+                "@typescript-eslint/types": "8.61.0",
+                "@typescript-eslint/typescript-estree": "8.61.0",
+                "@typescript-eslint/visitor-keys": "8.61.0",
                 "debug": "^4.4.3"
             },
             "engines": {
@@ -5724,13 +5724,13 @@
             }
         },
         "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/project-service": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.60.0.tgz",
-            "integrity": "sha512-aZu74NNKJeUWqCjDddzdiKaS82dgYgV/vmf+Ui3ZdZejmgfXR/q+pRumgobnQ2cCJTgGTWp4ypiwsuofFubavg==",
+            "version": "8.61.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.61.0.tgz",
+            "integrity": "sha512-DV42F7MLJO6Rax7SK1yg43tcnEfGUrurSpSxKuVX+a3RCTzBlH3fuxprrOJXKCJGAaw82xXocikJ0uQaqwXgGA==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/tsconfig-utils": "^8.60.0",
-                "@typescript-eslint/types": "^8.60.0",
+                "@typescript-eslint/tsconfig-utils": "^8.61.0",
+                "@typescript-eslint/types": "^8.61.0",
                 "debug": "^4.4.3"
             },
             "engines": {
@@ -5745,13 +5745,13 @@
             }
         },
         "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/scope-manager": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.60.0.tgz",
-            "integrity": "sha512-pFzqhllJMs+jghLQWzV00ds39xLzuyqPSev5pd8f4Ir0rtKR3ZLUB4/4dhjOFighWb9larvtfJvqL+4yKDI3Xw==",
+            "version": "8.61.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.61.0.tgz",
+            "integrity": "sha512-IWdXFHFSb6mlC3HPc7QsLDm5zYEbUla6trDEHf32D3/dnuUyXd87plScSNXSbm0/RxMvObpI17sv/EDTGrGZkA==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.60.0",
-                "@typescript-eslint/visitor-keys": "8.60.0"
+                "@typescript-eslint/types": "8.61.0",
+                "@typescript-eslint/visitor-keys": "8.61.0"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -5762,9 +5762,9 @@
             }
         },
         "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/tsconfig-utils": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.60.0.tgz",
-            "integrity": "sha512-BZPR3RGYlAXnly6ymAxfkVn5rCbZzQNou0rxv3GfWZ8cTQp+hhVd73khbGLAd8k1TlAPLISH337M+tAgAnaJDQ==",
+            "version": "8.61.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.61.0.tgz",
+            "integrity": "sha512-O5Amvdv9ztMpxpf+vmFULGG78IE6Qwdr3bCGvqwG4nwc9H2qXkOYJJnRbRHyMkQTjv1d03olqwwwzHLMqpFePQ==",
             "license": "MIT",
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -5778,9 +5778,9 @@
             }
         },
         "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/types": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.60.0.tgz",
-            "integrity": "sha512-AsE7x2XaAK+CVbeih0Fvbn+r1qHxtpLDJ3XUuFcIinT318T90yHMJC+Zgv+jUuDjQQd06HKwxnDu6sz1IcTilA==",
+            "version": "8.61.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.61.0.tgz",
+            "integrity": "sha512-9QTQpZ5Iin4CdIodfbDQFSeiSJKidgYJYug1P9CC2xWgUTvlmixViqDZNciMjwLBZyJnG4tGmPl97rVAFb1AJg==",
             "license": "MIT",
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -5791,15 +5791,15 @@
             }
         },
         "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/typescript-estree": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.60.0.tgz",
-            "integrity": "sha512-3AcZNBGMClm6CXDyo8kYvVGT/sx29sS0oBsIb9oZI2gunA4Vm2M3YHzRLPvsUBBsl+yB5FPtltq7gGH0iTlp9g==",
+            "version": "8.61.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.61.0.tgz",
+            "integrity": "sha512-42zatd5qSvvcV1JdDBCLxYRznvP4eIHpPoZXdkPFnAmanA4FuZ5dibSnCBggY8hQnqajPpoGjXFdZ7fIJKQnlA==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/project-service": "8.60.0",
-                "@typescript-eslint/tsconfig-utils": "8.60.0",
-                "@typescript-eslint/types": "8.60.0",
-                "@typescript-eslint/visitor-keys": "8.60.0",
+                "@typescript-eslint/project-service": "8.61.0",
+                "@typescript-eslint/tsconfig-utils": "8.61.0",
+                "@typescript-eslint/types": "8.61.0",
+                "@typescript-eslint/visitor-keys": "8.61.0",
                 "debug": "^4.4.3",
                 "minimatch": "^10.2.2",
                 "semver": "^7.7.3",
@@ -5818,12 +5818,12 @@
             }
         },
         "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/visitor-keys": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.60.0.tgz",
-            "integrity": "sha512-9WI52t8ZGLVGrPMBet25yAftqY/n95+zmoUUtJBBQTKDSKUu7OsPTroT2op7U9JatkoRccL0YkWDNMFfC4Sjxg==",
+            "version": "8.61.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.61.0.tgz",
+            "integrity": "sha512-QVLZu3ZPQEE+HICQyAMZ2yLQhxf0meY/wx6Hx14YcTNj13JB3qHlX3lJ02L3fLGHgERRH71kvYDwiXIguT3AjQ==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.60.0",
+                "@typescript-eslint/types": "8.61.0",
                 "eslint-visitor-keys": "^5.0.0"
             },
             "engines": {
@@ -5883,9 +5883,9 @@
             }
         },
         "node_modules/@typescript-eslint/parser/node_modules/semver": {
-            "version": "7.8.1",
-            "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.1.tgz",
-            "integrity": "sha512-rkVq3IXh+4FDGch+KwzX3aV9W3kO54GyEgpvBzSyctDA6Xtd7RJQV1xmXbeQp5v7+VzLOfVqiutSE6GICgPFvg==",
+            "version": "7.8.3",
+            "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.3.tgz",
+            "integrity": "sha512-wnilbGyMxzbY7dNOl7jpKbLSjcfeweJWU5j4+u5qW+6/wuGD9KzIGOyZnQVSBM9E7DtWaaH3CyHkppYrKYoxwg==",
             "license": "ISC",
             "bin": {
                 "semver": "bin/semver.js"
@@ -5949,14 +5949,14 @@
             }
         },
         "node_modules/@typescript-eslint/type-utils": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.60.0.tgz",
-            "integrity": "sha512-SX46wEUtitCpq7AN38HkUU/+zvUpdKf7ephtWAFgckH8O7PQIyL5gvrhQgBLuEYgLfuKWOVvWVskMbuFHAz5xg==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.60.1.tgz",
+            "integrity": "sha512-sdwTrpjosW7ANQYJ39ZBF1ZyEMEGVB2UsikrserVM/30a/F1dTLnu9bGxEdosugyu5caigjLrR2qiD11asjI1A==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.60.0",
-                "@typescript-eslint/typescript-estree": "8.60.0",
-                "@typescript-eslint/utils": "^8.60.0",
+                "@typescript-eslint/types": "8.60.1",
+                "@typescript-eslint/typescript-estree": "8.60.1",
+                "@typescript-eslint/utils": "8.60.1",
                 "debug": "^4.4.3",
                 "ts-api-utils": "^2.5.0"
             },
@@ -5973,13 +5973,13 @@
             }
         },
         "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/project-service": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.60.0.tgz",
-            "integrity": "sha512-aZu74NNKJeUWqCjDddzdiKaS82dgYgV/vmf+Ui3ZdZejmgfXR/q+pRumgobnQ2cCJTgGTWp4ypiwsuofFubavg==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.60.1.tgz",
+            "integrity": "sha512-eXkTH2bxmXlqD1RnOPmLZ9ZM9D3VwSx04JOwBnP9RQ+yUA5a2Mu7SfW8uaV2Aon53NJzZlZYuX7tn91Izf+xaw==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/tsconfig-utils": "^8.60.0",
-                "@typescript-eslint/types": "^8.60.0",
+                "@typescript-eslint/tsconfig-utils": "^8.60.1",
+                "@typescript-eslint/types": "^8.60.1",
                 "debug": "^4.4.3"
             },
             "engines": {
@@ -5994,9 +5994,9 @@
             }
         },
         "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/tsconfig-utils": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.60.0.tgz",
-            "integrity": "sha512-BZPR3RGYlAXnly6ymAxfkVn5rCbZzQNou0rxv3GfWZ8cTQp+hhVd73khbGLAd8k1TlAPLISH337M+tAgAnaJDQ==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.60.1.tgz",
+            "integrity": "sha512-nh8w4qAteiKuZu3pSSzG/yGKpw0OlkrKnzFmbVRenKaD4qc+7i1GrmZaLVkr8rk4uipiPGMOW4YsM6WmKZ5CvA==",
             "license": "MIT",
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -6010,9 +6010,9 @@
             }
         },
         "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/types": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.60.0.tgz",
-            "integrity": "sha512-AsE7x2XaAK+CVbeih0Fvbn+r1qHxtpLDJ3XUuFcIinT318T90yHMJC+Zgv+jUuDjQQd06HKwxnDu6sz1IcTilA==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.60.1.tgz",
+            "integrity": "sha512-4h0tY8ppCkdCzcrl2YM5M3my0xsE1Tf8om3owEu5oPWmXwkKRmk0j0LGDzYBGUcAlesEbxBhazqu/K4cu3Ug7w==",
             "license": "MIT",
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -6023,15 +6023,15 @@
             }
         },
         "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/typescript-estree": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.60.0.tgz",
-            "integrity": "sha512-3AcZNBGMClm6CXDyo8kYvVGT/sx29sS0oBsIb9oZI2gunA4Vm2M3YHzRLPvsUBBsl+yB5FPtltq7gGH0iTlp9g==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.60.1.tgz",
+            "integrity": "sha512-alpRkfG8hlVE5kdJW2GkfgDgXxold3e8e4l6EnmhRmRLbekgAPCCGDVD++sABy9FcgPFroq+uFcCSM1vR57Cew==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/project-service": "8.60.0",
-                "@typescript-eslint/tsconfig-utils": "8.60.0",
-                "@typescript-eslint/types": "8.60.0",
-                "@typescript-eslint/visitor-keys": "8.60.0",
+                "@typescript-eslint/project-service": "8.60.1",
+                "@typescript-eslint/tsconfig-utils": "8.60.1",
+                "@typescript-eslint/types": "8.60.1",
+                "@typescript-eslint/visitor-keys": "8.60.1",
                 "debug": "^4.4.3",
                 "minimatch": "^10.2.2",
                 "semver": "^7.7.3",
@@ -6050,12 +6050,12 @@
             }
         },
         "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/visitor-keys": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.60.0.tgz",
-            "integrity": "sha512-9WI52t8ZGLVGrPMBet25yAftqY/n95+zmoUUtJBBQTKDSKUu7OsPTroT2op7U9JatkoRccL0YkWDNMFfC4Sjxg==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.60.1.tgz",
+            "integrity": "sha512-EbGRQg4FhrmwLodl+t3JNAnXHWVr9Vp+Zl1QBZVPY4ByfkzIT8cX3K6QWODHtkIZqqJVEWvhHSx3v5PDHsaQag==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.60.0",
+                "@typescript-eslint/types": "8.60.1",
                 "eslint-visitor-keys": "^5.0.0"
             },
             "engines": {
@@ -6115,9 +6115,9 @@
             }
         },
         "node_modules/@typescript-eslint/type-utils/node_modules/semver": {
-            "version": "7.8.1",
-            "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.1.tgz",
-            "integrity": "sha512-rkVq3IXh+4FDGch+KwzX3aV9W3kO54GyEgpvBzSyctDA6Xtd7RJQV1xmXbeQp5v7+VzLOfVqiutSE6GICgPFvg==",
+            "version": "7.8.3",
+            "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.3.tgz",
+            "integrity": "sha512-wnilbGyMxzbY7dNOl7jpKbLSjcfeweJWU5j4+u5qW+6/wuGD9KzIGOyZnQVSBM9E7DtWaaH3CyHkppYrKYoxwg==",
             "license": "ISC",
             "bin": {
                 "semver": "bin/semver.js"
@@ -6215,15 +6215,15 @@
             }
         },
         "node_modules/@typescript-eslint/utils": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.60.0.tgz",
-            "integrity": "sha512-HtXuPfrHTyBDkameWpl+vJb1Uevu2tznAyahM1Oc4AENidCLTPiZDWIo4GfcxNdC/RcfGcadzzkqbRG87dUrQA==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.60.1.tgz",
+            "integrity": "sha512-h2MPBLoNtjc3qZWfY3Tl51yPorQ2McHn8pJfcMNTcIvrrZrr90Ykffit0yjrPFWQcRcUxzH20+6OcVdW4yHtUg==",
             "license": "MIT",
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.9.1",
-                "@typescript-eslint/scope-manager": "8.60.0",
-                "@typescript-eslint/types": "8.60.0",
-                "@typescript-eslint/typescript-estree": "8.60.0"
+                "@typescript-eslint/scope-manager": "8.60.1",
+                "@typescript-eslint/types": "8.60.1",
+                "@typescript-eslint/typescript-estree": "8.60.1"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -6238,13 +6238,13 @@
             }
         },
         "node_modules/@typescript-eslint/utils/node_modules/@typescript-eslint/project-service": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.60.0.tgz",
-            "integrity": "sha512-aZu74NNKJeUWqCjDddzdiKaS82dgYgV/vmf+Ui3ZdZejmgfXR/q+pRumgobnQ2cCJTgGTWp4ypiwsuofFubavg==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.60.1.tgz",
+            "integrity": "sha512-eXkTH2bxmXlqD1RnOPmLZ9ZM9D3VwSx04JOwBnP9RQ+yUA5a2Mu7SfW8uaV2Aon53NJzZlZYuX7tn91Izf+xaw==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/tsconfig-utils": "^8.60.0",
-                "@typescript-eslint/types": "^8.60.0",
+                "@typescript-eslint/tsconfig-utils": "^8.60.1",
+                "@typescript-eslint/types": "^8.60.1",
                 "debug": "^4.4.3"
             },
             "engines": {
@@ -6259,13 +6259,13 @@
             }
         },
         "node_modules/@typescript-eslint/utils/node_modules/@typescript-eslint/scope-manager": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.60.0.tgz",
-            "integrity": "sha512-pFzqhllJMs+jghLQWzV00ds39xLzuyqPSev5pd8f4Ir0rtKR3ZLUB4/4dhjOFighWb9larvtfJvqL+4yKDI3Xw==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.60.1.tgz",
+            "integrity": "sha512-gvI5OQoptnxQnchOirukCuQ55svJSTuD/4k5+pC267xyBtYry748R9/c3tYUzb/iE6RZfllRz2lVulLCHkTm4w==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.60.0",
-                "@typescript-eslint/visitor-keys": "8.60.0"
+                "@typescript-eslint/types": "8.60.1",
+                "@typescript-eslint/visitor-keys": "8.60.1"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -6276,9 +6276,9 @@
             }
         },
         "node_modules/@typescript-eslint/utils/node_modules/@typescript-eslint/tsconfig-utils": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.60.0.tgz",
-            "integrity": "sha512-BZPR3RGYlAXnly6ymAxfkVn5rCbZzQNou0rxv3GfWZ8cTQp+hhVd73khbGLAd8k1TlAPLISH337M+tAgAnaJDQ==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.60.1.tgz",
+            "integrity": "sha512-nh8w4qAteiKuZu3pSSzG/yGKpw0OlkrKnzFmbVRenKaD4qc+7i1GrmZaLVkr8rk4uipiPGMOW4YsM6WmKZ5CvA==",
             "license": "MIT",
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -6292,9 +6292,9 @@
             }
         },
         "node_modules/@typescript-eslint/utils/node_modules/@typescript-eslint/types": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.60.0.tgz",
-            "integrity": "sha512-AsE7x2XaAK+CVbeih0Fvbn+r1qHxtpLDJ3XUuFcIinT318T90yHMJC+Zgv+jUuDjQQd06HKwxnDu6sz1IcTilA==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.60.1.tgz",
+            "integrity": "sha512-4h0tY8ppCkdCzcrl2YM5M3my0xsE1Tf8om3owEu5oPWmXwkKRmk0j0LGDzYBGUcAlesEbxBhazqu/K4cu3Ug7w==",
             "license": "MIT",
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -6305,15 +6305,15 @@
             }
         },
         "node_modules/@typescript-eslint/utils/node_modules/@typescript-eslint/typescript-estree": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.60.0.tgz",
-            "integrity": "sha512-3AcZNBGMClm6CXDyo8kYvVGT/sx29sS0oBsIb9oZI2gunA4Vm2M3YHzRLPvsUBBsl+yB5FPtltq7gGH0iTlp9g==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.60.1.tgz",
+            "integrity": "sha512-alpRkfG8hlVE5kdJW2GkfgDgXxold3e8e4l6EnmhRmRLbekgAPCCGDVD++sABy9FcgPFroq+uFcCSM1vR57Cew==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/project-service": "8.60.0",
-                "@typescript-eslint/tsconfig-utils": "8.60.0",
-                "@typescript-eslint/types": "8.60.0",
-                "@typescript-eslint/visitor-keys": "8.60.0",
+                "@typescript-eslint/project-service": "8.60.1",
+                "@typescript-eslint/tsconfig-utils": "8.60.1",
+                "@typescript-eslint/types": "8.60.1",
+                "@typescript-eslint/visitor-keys": "8.60.1",
                 "debug": "^4.4.3",
                 "minimatch": "^10.2.2",
                 "semver": "^7.7.3",
@@ -6332,12 +6332,12 @@
             }
         },
         "node_modules/@typescript-eslint/utils/node_modules/@typescript-eslint/visitor-keys": {
-            "version": "8.60.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.60.0.tgz",
-            "integrity": "sha512-9WI52t8ZGLVGrPMBet25yAftqY/n95+zmoUUtJBBQTKDSKUu7OsPTroT2op7U9JatkoRccL0YkWDNMFfC4Sjxg==",
+            "version": "8.60.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.60.1.tgz",
+            "integrity": "sha512-EbGRQg4FhrmwLodl+t3JNAnXHWVr9Vp+Zl1QBZVPY4ByfkzIT8cX3K6QWODHtkIZqqJVEWvhHSx3v5PDHsaQag==",
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.60.0",
+                "@typescript-eslint/types": "8.60.1",
                 "eslint-visitor-keys": "^5.0.0"
             },
             "engines": {
@@ -6397,9 +6397,9 @@
             }
         },
         "node_modules/@typescript-eslint/utils/node_modules/semver": {
-            "version": "7.8.1",
-            "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.1.tgz",
-            "integrity": "sha512-rkVq3IXh+4FDGch+KwzX3aV9W3kO54GyEgpvBzSyctDA6Xtd7RJQV1xmXbeQp5v7+VzLOfVqiutSE6GICgPFvg==",
+            "version": "7.8.3",
+            "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.3.tgz",
+            "integrity": "sha512-wnilbGyMxzbY7dNOl7jpKbLSjcfeweJWU5j4+u5qW+6/wuGD9KzIGOyZnQVSBM9E7DtWaaH3CyHkppYrKYoxwg==",
             "license": "ISC",
             "bin": {
                 "semver": "bin/semver.js"
diff --git a/web/package.json b/web/package.json
index 2159a0b8f0..27a7b53e32 100644
--- a/web/package.json
+++ b/web/package.json
@@ -130,7 +130,7 @@
         "@types/node": "^25.7.0",
         "@types/react": "^19.2.14",
         "@types/react-dom": "^19.2.3",
-        "@typescript-eslint/eslint-plugin": "^8.60.0",
+        "@typescript-eslint/eslint-plugin": "^8.60.1",
         "@typescript-eslint/parser": "^8.60.0",
         "@typescript-eslint/utils": "^8.60.0",
         "@typescript/native-preview": "^7.0.0-dev.20260510.1",

From f09b848b672203d54650c6faa4ac0da1eb920a66 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 14:54:09 +0200
Subject: [PATCH 18/68] web: bump the storybook group across 1 directory with 5
 updates (#22919)

Bumps the storybook group with 4 updates in the /web directory: [@storybook/addon-docs](https://github.com/storybookjs/storybook/tree/HEAD/code/addons/docs), [@storybook/addon-links](https://github.com/storybookjs/storybook/tree/HEAD/code/addons/links), [@storybook/web-components](https://github.com/storybookjs/storybook/tree/HEAD/code/renderers/web-components) and [@storybook/web-components-vite](https://github.com/storybookjs/storybook/tree/HEAD/code/frameworks/web-components-vite).


Updates `@storybook/addon-docs` from 10.4.1 to 10.4.2
- [Release notes](https://github.com/storybookjs/storybook/releases)
- [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md)
- [Commits](https://github.com/storybookjs/storybook/commits/v10.4.2/code/addons/docs)

Updates `@storybook/addon-links` from 10.4.1 to 10.4.2
- [Release notes](https://github.com/storybookjs/storybook/releases)
- [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md)
- [Commits](https://github.com/storybookjs/storybook/commits/v10.4.2/code/addons/links)

Updates `@storybook/web-components` from 10.4.1 to 10.4.2
- [Release notes](https://github.com/storybookjs/storybook/releases)
- [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md)
- [Commits](https://github.com/storybookjs/storybook/commits/v10.4.2/code/renderers/web-components)

Updates `@storybook/web-components-vite` from 10.4.1 to 10.4.2
- [Release notes](https://github.com/storybookjs/storybook/releases)
- [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md)
- [Commits](https://github.com/storybookjs/storybook/commits/v10.4.2/code/frameworks/web-components-vite)

Updates `storybook` from 10.4.1 to 10.4.2
- [Release notes](https://github.com/storybookjs/storybook/releases)
- [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md)
- [Commits](https://github.com/storybookjs/storybook/commits/v10.4.2/code/core)

---
updated-dependencies:
- dependency-name: "@storybook/addon-docs"
  dependency-version: 10.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: storybook
- dependency-name: "@storybook/addon-links"
  dependency-version: 10.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: storybook
- dependency-name: "@storybook/web-components"
  dependency-version: 10.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: storybook
- dependency-name: "@storybook/web-components-vite"
  dependency-version: 10.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: storybook
- dependency-name: storybook
  dependency-version: 10.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: storybook
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 web/package-lock.json | 80 +++++++++++++++++++++----------------------
 web/package.json      |  8 ++---
 2 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/web/package-lock.json b/web/package-lock.json
index 32c0d7c6eb..677a016272 100644
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -45,10 +45,10 @@
                 "@patternfly/patternfly": "^4.224.2",
                 "@playwright/test": "^1.60.0",
                 "@sentry/browser": "^10.55.0",
-                "@storybook/addon-docs": "^10.4.1",
-                "@storybook/addon-links": "^10.4.1",
-                "@storybook/web-components": "^10.4.1",
-                "@storybook/web-components-vite": "^10.4.1",
+                "@storybook/addon-docs": "^10.4.2",
+                "@storybook/addon-links": "^10.4.2",
+                "@storybook/web-components": "^10.4.2",
+                "@storybook/web-components-vite": "^10.4.2",
                 "@types/codemirror": "^5.60.17",
                 "@types/grecaptcha": "^3.0.9",
                 "@types/guacamole-common-js": "^1.5.5",
@@ -3943,15 +3943,15 @@
             "license": "MIT"
         },
         "node_modules/@storybook/addon-docs": {
-            "version": "10.4.1",
-            "resolved": "https://registry.npmjs.org/@storybook/addon-docs/-/addon-docs-10.4.1.tgz",
-            "integrity": "sha512-IYqUdjoZe4VO2LFZlKL/gwy7DsQSWCq6hX+zc1MBmZo04yycDASk1tte57n9pdlW3ajw9yYMF/+lVBi+xQjyvw==",
+            "version": "10.4.2",
+            "resolved": "https://registry.npmjs.org/@storybook/addon-docs/-/addon-docs-10.4.2.tgz",
+            "integrity": "sha512-CtW1O4xSKZPNtpWgpfp4yB/x4pj/of+3MvlEDfErSlr3Hp3QmEa2pCLaecR08H5LJqJFlt1PtG0UrIynTvgW9w==",
             "license": "MIT",
             "dependencies": {
                 "@mdx-js/react": "^3.0.0",
-                "@storybook/csf-plugin": "10.4.1",
+                "@storybook/csf-plugin": "10.4.2",
                 "@storybook/icons": "^2.0.2",
-                "@storybook/react-dom-shim": "10.4.1",
+                "@storybook/react-dom-shim": "10.4.2",
                 "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
                 "react-dom": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
                 "ts-dedent": "^2.0.0"
@@ -3962,7 +3962,7 @@
             },
             "peerDependencies": {
                 "@types/react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
-                "storybook": "^10.4.1"
+                "storybook": "^10.4.2"
             },
             "peerDependenciesMeta": {
                 "@types/react": {
@@ -3971,9 +3971,9 @@
             }
         },
         "node_modules/@storybook/addon-links": {
-            "version": "10.4.1",
-            "resolved": "https://registry.npmjs.org/@storybook/addon-links/-/addon-links-10.4.1.tgz",
-            "integrity": "sha512-h/5D23GwMuHA55sB7XDyhByF9psF7UFmaQOn72pjNAarew5eOpue5A+jXk3AKEYokHbvgQaoz+FrvWo9GEfSKQ==",
+            "version": "10.4.2",
+            "resolved": "https://registry.npmjs.org/@storybook/addon-links/-/addon-links-10.4.2.tgz",
+            "integrity": "sha512-cU8h4/m+oAr8UUwF4teZG2N1ilV+vU+98Ii/Ma+IIx9M/V7i5544UxfAz84dV5Rx2Oho6x8XH3gIvmevSyPi/Q==",
             "license": "MIT",
             "dependencies": {
                 "@storybook/global": "^5.0.0"
@@ -3985,7 +3985,7 @@
             "peerDependencies": {
                 "@types/react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
                 "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
-                "storybook": "^10.4.1"
+                "storybook": "^10.4.2"
             },
             "peerDependenciesMeta": {
                 "@types/react": {
@@ -3997,12 +3997,12 @@
             }
         },
         "node_modules/@storybook/builder-vite": {
-            "version": "10.4.1",
-            "resolved": "https://registry.npmjs.org/@storybook/builder-vite/-/builder-vite-10.4.1.tgz",
-            "integrity": "sha512-/oyQrXoNOqN8SW5hNnYP+I1uvgFxKxWXj/EP6NXYzc5SQwImofgru+D2+6gDhL0+Q//+Hx05DJoQO2omvUJ8bQ==",
+            "version": "10.4.2",
+            "resolved": "https://registry.npmjs.org/@storybook/builder-vite/-/builder-vite-10.4.2.tgz",
+            "integrity": "sha512-d3+i9vbbUfV6hvT90qabmy1WmC4bEJ7iAYDm0217doeA+S6awF25GF0qOy9gN9waU4NMntHoVpdB1YQO2wUj/w==",
             "license": "MIT",
             "dependencies": {
-                "@storybook/csf-plugin": "10.4.1",
+                "@storybook/csf-plugin": "10.4.2",
                 "ts-dedent": "^2.0.0"
             },
             "funding": {
@@ -4010,14 +4010,14 @@
                 "url": "https://opencollective.com/storybook"
             },
             "peerDependencies": {
-                "storybook": "^10.4.1",
+                "storybook": "^10.4.2",
                 "vite": "^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0"
             }
         },
         "node_modules/@storybook/csf-plugin": {
-            "version": "10.4.1",
-            "resolved": "https://registry.npmjs.org/@storybook/csf-plugin/-/csf-plugin-10.4.1.tgz",
-            "integrity": "sha512-WdPepGBxDGOUDjYd8KxMtcf+us/2PAcnBczl77XtrnxxHNs0jWesxKkiJ9yiuGrge4BPhDeAj6rxjbBoaHxLBA==",
+            "version": "10.4.2",
+            "resolved": "https://registry.npmjs.org/@storybook/csf-plugin/-/csf-plugin-10.4.2.tgz",
+            "integrity": "sha512-GqX/2DeF3/jKs5D7gpDiuT9gd0c/f2TKcnQ5av4/s3YqeN+0nhm7btkCrDfgF16uzE1Zj3OrkxvB3AOkfxWgDg==",
             "license": "MIT",
             "dependencies": {
                 "unplugin": "^2.3.5"
@@ -4029,7 +4029,7 @@
             "peerDependencies": {
                 "esbuild": "*",
                 "rollup": "*",
-                "storybook": "^10.4.1",
+                "storybook": "^10.4.2",
                 "vite": "*",
                 "webpack": "*"
             },
@@ -4065,9 +4065,9 @@
             }
         },
         "node_modules/@storybook/react-dom-shim": {
-            "version": "10.4.1",
-            "resolved": "https://registry.npmjs.org/@storybook/react-dom-shim/-/react-dom-shim-10.4.1.tgz",
-            "integrity": "sha512-6QFqfDNH4DMrt7yHKRfpqRopsVUc/Az+sXIdJ39IetYnHUxL3nW4NVaPc6uy/8Qi8urzUyEXL/nn7cpSIP2aPQ==",
+            "version": "10.4.2",
+            "resolved": "https://registry.npmjs.org/@storybook/react-dom-shim/-/react-dom-shim-10.4.2.tgz",
+            "integrity": "sha512-Eng3Yt2NCjPX94QcfyLeUFhrMj0hec2yU9J/qafBVbfj9XrFI8o+0ZwYJ7uXb9ECbvPN4y06dgt/2W/LiR417w==",
             "license": "MIT",
             "funding": {
                 "type": "opencollective",
@@ -4078,7 +4078,7 @@
                 "@types/react-dom": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
                 "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
                 "react-dom": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
-                "storybook": "^10.4.1"
+                "storybook": "^10.4.2"
             },
             "peerDependenciesMeta": {
                 "@types/react": {
@@ -4090,9 +4090,9 @@
             }
         },
         "node_modules/@storybook/web-components": {
-            "version": "10.4.1",
-            "resolved": "https://registry.npmjs.org/@storybook/web-components/-/web-components-10.4.1.tgz",
-            "integrity": "sha512-bvvIQZK7vdxoVrBmQtbvtNU5ugFF8dETc0l2j58nPUerDHUook8dFNXUiKfK1KmnLsBZ/7KEjPPmk7sEHygvlQ==",
+            "version": "10.4.2",
+            "resolved": "https://registry.npmjs.org/@storybook/web-components/-/web-components-10.4.2.tgz",
+            "integrity": "sha512-dzZhJ1G/kQ3+19ureRsV1s3Sy5krcyf5mGdUa3vdt9SFP1KiAbzUnD8ur/jiUmOKcdn6lrEKMs4NY4rSzU4mPA==",
             "license": "MIT",
             "dependencies": {
                 "@storybook/global": "^5.0.0",
@@ -4105,24 +4105,24 @@
             },
             "peerDependencies": {
                 "lit": "^2.0.0 || ^3.0.0",
-                "storybook": "^10.4.1"
+                "storybook": "^10.4.2"
             }
         },
         "node_modules/@storybook/web-components-vite": {
-            "version": "10.4.1",
-            "resolved": "https://registry.npmjs.org/@storybook/web-components-vite/-/web-components-vite-10.4.1.tgz",
-            "integrity": "sha512-i66ublYmQNK9zvSgiT7w9zSHCcXh+g7lHWFoxO+QX7riRLMmtk5uOlWna9P7Ny41fkoQ7POKWJAuZ9PLBPl/Ug==",
+            "version": "10.4.2",
+            "resolved": "https://registry.npmjs.org/@storybook/web-components-vite/-/web-components-vite-10.4.2.tgz",
+            "integrity": "sha512-XD0vUnfJVu0aeUlwhiU3mzhdAnWSLPuljcxvWJOk/AvYQ3kKIeiM1OFFbCMUBjs6DTyomyW+t4HrSe20QoHNJg==",
             "license": "MIT",
             "dependencies": {
-                "@storybook/builder-vite": "10.4.1",
-                "@storybook/web-components": "10.4.1"
+                "@storybook/builder-vite": "10.4.2",
+                "@storybook/web-components": "10.4.2"
             },
             "funding": {
                 "type": "opencollective",
                 "url": "https://opencollective.com/storybook"
             },
             "peerDependencies": {
-                "storybook": "^10.4.1",
+                "storybook": "^10.4.2",
                 "vite": "^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0"
             }
         },
@@ -17576,9 +17576,9 @@
             }
         },
         "node_modules/storybook": {
-            "version": "10.4.1",
-            "resolved": "https://registry.npmjs.org/storybook/-/storybook-10.4.1.tgz",
-            "integrity": "sha512-V1Zd2e+gBFufqAQVZ1JR8KLqALsEZ3JYSBnWwQbKa6zCfWWanR6AFMyuOkLt2gZOgGp3h2Riuz88pGNVTQSG0A==",
+            "version": "10.4.2",
+            "resolved": "https://registry.npmjs.org/storybook/-/storybook-10.4.2.tgz",
+            "integrity": "sha512-5Ax5vbHxFgMBGGhQDm75Rrumm/HZC4ICFhMcJaM0UlqnC/4FKj/IaZtImZFupknyiiyUEcWHPQFA2kX3/VSv1A==",
             "license": "MIT",
             "dependencies": {
                 "@storybook/global": "^5.0.0",
diff --git a/web/package.json b/web/package.json
index 27a7b53e32..170f5f21ed 100644
--- a/web/package.json
+++ b/web/package.json
@@ -120,10 +120,10 @@
         "@patternfly/patternfly": "^4.224.2",
         "@playwright/test": "^1.60.0",
         "@sentry/browser": "^10.55.0",
-        "@storybook/addon-docs": "^10.4.1",
-        "@storybook/addon-links": "^10.4.1",
-        "@storybook/web-components": "^10.4.1",
-        "@storybook/web-components-vite": "^10.4.1",
+        "@storybook/addon-docs": "^10.4.2",
+        "@storybook/addon-links": "^10.4.2",
+        "@storybook/web-components": "^10.4.2",
+        "@storybook/web-components-vite": "^10.4.2",
         "@types/codemirror": "^5.60.17",
         "@types/grecaptcha": "^3.0.9",
         "@types/guacamole-common-js": "^1.5.5",

From 2f6d01d62aa847480c95fb358c087801b68cf69d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 14:54:25 +0200
Subject: [PATCH 19/68] core: bump daphne from 4.2.1 to 4.2.2 (#22920)

Bumps [daphne](https://github.com/django/daphne) from 4.2.1 to 4.2.2.
- [Changelog](https://github.com/django/daphne/blob/main/CHANGELOG.txt)
- [Commits](https://github.com/django/daphne/compare/4.2.1...4.2.2)

---
updated-dependencies:
- dependency-name: daphne
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pyproject.toml | 2 +-
 uv.lock        | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 955a7dfc78..9c1234e356 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -83,7 +83,7 @@ dev = [
   "colorama==0.4.6",
   "constructs==10.6.0",
   "coverage[toml]==7.14.1",
-  "daphne==4.2.1",
+  "daphne==4.2.2",
   "debugpy==1.8.21",
   "django-stubs[compatible-mypy]==6.0.5",
   "djangorestframework-stubs[compatible-mypy]==3.17.0",
diff --git a/uv.lock b/uv.lock
index b6bb5b2cfc..fab25b75fe 100644
--- a/uv.lock
+++ b/uv.lock
@@ -439,7 +439,7 @@ dev = [
     { name = "colorama", specifier = "==0.4.6" },
     { name = "constructs", specifier = "==10.6.0" },
     { name = "coverage", extras = ["toml"], specifier = "==7.14.1" },
-    { name = "daphne", specifier = "==4.2.1" },
+    { name = "daphne", specifier = "==4.2.2" },
     { name = "debugpy", specifier = "==1.8.21" },
     { name = "django-stubs", extras = ["compatible-mypy"], specifier = "==6.0.5" },
     { name = "djangorestframework-stubs", extras = ["compatible-mypy"], specifier = "==3.17.0" },
@@ -1068,16 +1068,16 @@ wheels = [
 
 [[package]]
 name = "daphne"
-version = "4.2.1"
+version = "4.2.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "asgiref" },
     { name = "autobahn" },
     { name = "twisted", extra = ["tls"] },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/cd/9d/322b605fdc03b963cf2d33943321c8f4405e8d82e698bf49d1eed1ca40c4/daphne-4.2.1.tar.gz", hash = "sha256:5f898e700a1fda7addf1541d7c328606415e96a7bd768405f0463c312fcb31b3", size = 45600, upload-time = "2025-07-02T12:57:04.935Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/64/d3/65ff32c01cc64d44441b038dbb7cfb0c6a5507a1c937b3d41bd99af7bdc4/daphne-4.2.2.tar.gz", hash = "sha256:6c3527d4ce32630ae054dfb0ef5578e9a35d2f39f0ebcd02ef4f9129a121ce8d", size = 47601, upload-time = "2026-06-03T10:53:13.31Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/01/34/6171ab34715ed210bcd6c2b38839cc792993cff4fe2493f50bc92b0086a0/daphne-4.2.1-py3-none-any.whl", hash = "sha256:881e96b387b95b35ad85acd855f229d7f5b79073d6649089c8a33f661885e055", size = 29015, upload-time = "2025-07-02T12:57:03.793Z" },
+    { url = "https://files.pythonhosted.org/packages/78/ab/85534d9cbca09f3c10f58fc2093659062280ed5703707c0b41dbca8ec297/daphne-4.2.2-py3-none-any.whl", hash = "sha256:466ba8a7c31c5b758953095b451dbad9dc23e5783c68a3716e5fc7aa5f26d168", size = 29466, upload-time = "2026-06-03T10:53:11.841Z" },
 ]
 
 [[package]]

From 91b8f857888aca3368d907df62d2b63bed994ebd Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 14:55:44 +0200
Subject: [PATCH 20/68] ci: bump actions/checkout from 6.0.2 to 6.0.3 (#22877)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .../_reusable-docker-build-single.yml         |  2 +-
 .github/workflows/_reusable-docker-build.yml  |  4 ++--
 .github/workflows/ci-api-docs.yml             |  6 +++---
 .github/workflows/ci-aws-cfn.yml              |  2 +-
 .github/workflows/ci-docs-source.yml          |  2 +-
 .github/workflows/ci-docs.yml                 |  8 ++++----
 .github/workflows/ci-main-daily.yml           |  2 +-
 .github/workflows/ci-main.yml                 | 20 +++++++++----------
 .github/workflows/ci-outpost.yml              |  8 ++++----
 .github/workflows/ci-web.yml                  |  6 +++---
 .github/workflows/gen-image-compress.yml      |  2 +-
 .github/workflows/gen-update-webauthn-mds.yml |  2 +-
 .github/workflows/gh-cherry-pick.yml          |  2 +-
 .github/workflows/gh-gha-cache-cleanup.yml    |  2 +-
 .github/workflows/packages-npm-publish.yml    |  2 +-
 .github/workflows/qa-codeql.yml               |  2 +-
 .github/workflows/qa-dependency-review.yml    |  2 +-
 .github/workflows/qa-semgrep.yml              |  2 +-
 .github/workflows/release-branch-off.yml      |  4 ++--
 .github/workflows/release-next-branch.yml     |  2 +-
 .github/workflows/release-publish.yml         | 12 +++++------
 .github/workflows/release-tag.yml             |  8 ++++----
 .../workflows/translation-extract-compile.yml |  4 ++--
 23 files changed, 53 insertions(+), 53 deletions(-)

diff --git a/.github/workflows/_reusable-docker-build-single.yml b/.github/workflows/_reusable-docker-build-single.yml
index 959c76f298..8b216961e7 100644
--- a/.github/workflows/_reusable-docker-build-single.yml
+++ b/.github/workflows/_reusable-docker-build-single.yml
@@ -42,7 +42,7 @@ jobs:
       # Needed for checkout
       contents: read
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
       - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
       - name: prepare variables
diff --git a/.github/workflows/_reusable-docker-build.yml b/.github/workflows/_reusable-docker-build.yml
index 676c3e22ca..43ef25fae4 100644
--- a/.github/workflows/_reusable-docker-build.yml
+++ b/.github/workflows/_reusable-docker-build.yml
@@ -49,7 +49,7 @@ jobs:
       tags: ${{ steps.ev.outputs.imageTagsJSON }}
       shouldPush: ${{ steps.ev.outputs.shouldPush }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -69,7 +69,7 @@ jobs:
       matrix:
         tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
diff --git a/.github/workflows/ci-api-docs.yml b/.github/workflows/ci-api-docs.yml
index 949ef023e5..e3aa493cef 100644
--- a/.github/workflows/ci-api-docs.yml
+++ b/.github/workflows/ci-api-docs.yml
@@ -21,7 +21,7 @@ jobs:
         command:
           - prettier-check
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: ./.github/actions/setup-node
         with:
           working-directory: website
@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: ./.github/actions/setup-node
         with:
           working-directory: website
@@ -60,7 +60,7 @@ jobs:
       - lint
       - build
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5
         with:
           name: api-docs
diff --git a/.github/workflows/ci-aws-cfn.yml b/.github/workflows/ci-aws-cfn.yml
index 8696655d73..263fea8700 100644
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@@ -21,7 +21,7 @@ jobs:
   check-changes-applied:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - uses: ./.github/actions/setup-node
diff --git a/.github/workflows/ci-docs-source.yml b/.github/workflows/ci-docs-source.yml
index 42fb0fb46d..c3bc20374b 100644
--- a/.github/workflows/ci-docs-source.yml
+++ b/.github/workflows/ci-docs-source.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: generate docs
diff --git a/.github/workflows/ci-docs.yml b/.github/workflows/ci-docs.yml
index e057e6a719..f690e6484b 100644
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -23,7 +23,7 @@ jobs:
         command:
           - prettier-check
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: ./.github/actions/setup-node
         with:
           working-directory: website
@@ -34,7 +34,7 @@ jobs:
     env:
       NODE_ENV: production
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: ./.github/actions/setup-node
         name: Setup Node.js
         with:
@@ -46,7 +46,7 @@ jobs:
     env:
       NODE_ENV: production
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: ./.github/actions/setup-node
         with:
           working-directory: website
@@ -61,7 +61,7 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
diff --git a/.github/workflows/ci-main-daily.yml b/.github/workflows/ci-main-daily.yml
index 025c82afe3..7958dd6c14 100644
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@@ -22,7 +22,7 @@ jobs:
           - version-2026-2
           - version-2026-5
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - run: |
           set -euo pipefail
           current="$(pwd)"
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
index 60ea365cc8..9a3977f1a8 100644
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -51,7 +51,7 @@ jobs:
             deps: rust-nightly
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
@@ -61,7 +61,7 @@ jobs:
   test-gen:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Setup authentik env
@@ -77,7 +77,7 @@ jobs:
   test-migrations:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run migrations
@@ -103,7 +103,7 @@ jobs:
           - 18-alpine
         run_id: [1, 2, 3, 4, 5]
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           fetch-depth: 0
       - name: checkout stable
@@ -179,7 +179,7 @@ jobs:
           - 18-alpine
         run_id: [1, 2, 3, 4, 5]
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
@@ -199,7 +199,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
@@ -252,7 +252,7 @@ jobs:
             glob: tests/e2e/test_endpoints_*
             profiles: selenium
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Setup e2e env
@@ -306,7 +306,7 @@ jobs:
           - name: ssf_transmitter
             glob: tests/openid_conformance/test_ssf_transmitter.py
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
@@ -348,7 +348,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
@@ -407,7 +407,7 @@ jobs:
       pull-requests: write
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: prepare variables
diff --git a/.github/workflows/ci-outpost.yml b/.github/workflows/ci-outpost.yml
index 5a22f214f8..563099e71a 100644
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -21,7 +21,7 @@ jobs:
   lint-golint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
@@ -40,7 +40,7 @@ jobs:
   test-unittest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
@@ -82,7 +82,7 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
@@ -139,7 +139,7 @@ jobs:
         goos: [linux]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
diff --git a/.github/workflows/ci-web.yml b/.github/workflows/ci-web.yml
index 6d111fce63..64d1f658e3 100644
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: ./.github/actions/setup-node
         with:
           working-directory: web
@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: ./.github/actions/setup-node
         with:
           working-directory: web
@@ -59,7 +59,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: ./.github/actions/setup-node
         with:
           working-directory: web
diff --git a/.github/workflows/gen-image-compress.yml b/.github/workflows/gen-image-compress.yml
index 1edaeb7705..2b9c288b70 100644
--- a/.github/workflows/gen-image-compress.yml
+++ b/.github/workflows/gen-image-compress.yml
@@ -33,7 +33,7 @@ jobs:
         with:
           client-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Compress images
diff --git a/.github/workflows/gen-update-webauthn-mds.yml b/.github/workflows/gen-update-webauthn-mds.yml
index dac6e9e3ab..1702e404d0 100644
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@@ -20,7 +20,7 @@ jobs:
         with:
           client-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Setup authentik env
diff --git a/.github/workflows/gh-cherry-pick.yml b/.github/workflows/gh-cherry-pick.yml
index bc068081b7..75b31c56ea 100644
--- a/.github/workflows/gh-cherry-pick.yml
+++ b/.github/workflows/gh-cherry-pick.yml
@@ -17,7 +17,7 @@ jobs:
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
         env:
           GH_APP_ID: ${{ secrets.GH_APP_ID }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         if: ${{ steps.app-token.outcome != 'skipped' }}
         with:
           fetch-depth: 0
diff --git a/.github/workflows/gh-gha-cache-cleanup.yml b/.github/workflows/gh-gha-cache-cleanup.yml
index c32944572d..d80bf1a72c 100644
--- a/.github/workflows/gh-gha-cache-cleanup.yml
+++ b/.github/workflows/gh-gha-cache-cleanup.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
 
       - name: Cleanup
         run: |
diff --git a/.github/workflows/packages-npm-publish.yml b/.github/workflows/packages-npm-publish.yml
index 5f97c5b465..8489b0d504 100644
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@@ -32,7 +32,7 @@ jobs:
           - packages/logger-js
           - packages/esbuild-plugin-live-reload
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           fetch-depth: 2
       - uses: ./.github/actions/setup-node
diff --git a/.github/workflows/qa-codeql.yml b/.github/workflows/qa-codeql.yml
index 8edacbf92f..b5a8d3b45e 100644
--- a/.github/workflows/qa-codeql.yml
+++ b/.github/workflows/qa-codeql.yml
@@ -24,7 +24,7 @@ jobs:
         language: ["go", "javascript", "python"]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL
diff --git a/.github/workflows/qa-dependency-review.yml b/.github/workflows/qa-dependency-review.yml
index c02653bd08..5a7669e25d 100644
--- a/.github/workflows/qa-dependency-review.yml
+++ b/.github/workflows/qa-dependency-review.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
         with:
           # Block PRs that introduce a *new* dependency with a known
diff --git a/.github/workflows/qa-semgrep.yml b/.github/workflows/qa-semgrep.yml
index 39c89e8c2f..fdb170e4d5 100644
--- a/.github/workflows/qa-semgrep.yml
+++ b/.github/workflows/qa-semgrep.yml
@@ -26,5 +26,5 @@ jobs:
       image: semgrep/semgrep
     if: (github.actor != 'dependabot[bot]')
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - run: semgrep ci
diff --git a/.github/workflows/release-branch-off.yml b/.github/workflows/release-branch-off.yml
index 4063d41460..54927527bd 100644
--- a/.github/workflows/release-branch-off.yml
+++ b/.github/workflows/release-branch-off.yml
@@ -34,7 +34,7 @@ jobs:
           client-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - name: Checkout main
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           ref: main
           token: "${{ steps.app-token.outputs.token }}"
@@ -62,7 +62,7 @@ jobs:
           client-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - name: Checkout main
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           ref: main
           token: ${{ steps.generate_token.outputs.token }}
diff --git a/.github/workflows/release-next-branch.yml b/.github/workflows/release-next-branch.yml
index aae7862faa..ae9ac84636 100644
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     environment: internal-production
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           ref: main
       - run: |
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index 58914cc19c..ea8ab0ee0c 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -31,7 +31,7 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: Set up QEMU
         uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
       - name: Set up Docker Buildx
@@ -83,7 +83,7 @@ jobs:
           - radius
           - rac
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
@@ -145,7 +145,7 @@ jobs:
         goos: [linux, darwin]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
@@ -182,7 +182,7 @@ jobs:
       AWS_REGION: eu-central-1
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
@@ -198,7 +198,7 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: Run test suite in final docker images
         run: |
           echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> lifecycle/container/.env
@@ -214,7 +214,7 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index ef1e583bdc..6c004ab589 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -52,7 +52,7 @@ jobs:
     needs:
       - check-inputs
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           ref: "version-${{ needs.check-inputs.outputs.major_version }}"
       - name: Setup authentik env
@@ -76,7 +76,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           ref: "version-${{ needs.check-inputs.outputs.major_version }}"
           token: "${{ steps.app-token.outputs.token }}"
@@ -129,7 +129,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           repository: "${{ github.repository_owner }}/helm"
           token: "${{ steps.app-token.outputs.token }}"
@@ -171,7 +171,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         with:
           repository: "${{ github.repository_owner }}/version"
           token: "${{ steps.app-token.outputs.token }}"
diff --git a/.github/workflows/translation-extract-compile.yml b/.github/workflows/translation-extract-compile.yml
index 4791ff674e..e290d81719 100644
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@@ -25,11 +25,11 @@ jobs:
         with:
           client-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         if: ${{ github.event_name != 'pull_request' }}
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
         if: ${{ github.event_name == 'pull_request' }}
       - name: Setup authentik env
         uses: ./.github/actions/setup

From 1163d6a0105e8ec6f3c5f9500fa951421e8d9397 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 14:56:00 +0200
Subject: [PATCH 21/68] core: bump sentry-sdk from 2.61.0 to 2.61.1 (#22916)

Bumps [sentry-sdk](https://github.com/getsentry/sentry-python) from 2.61.0 to 2.61.1.
- [Release notes](https://github.com/getsentry/sentry-python/releases)
- [Changelog](https://github.com/getsentry/sentry-python/blob/master/CHANGELOG.md)
- [Commits](https://github.com/getsentry/sentry-python/compare/2.61.0...2.61.1)

---
updated-dependencies:
- dependency-name: sentry-sdk
  dependency-version: 2.61.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pyproject.toml | 2 +-
 uv.lock        | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 9c1234e356..1c3bf48d15 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -57,7 +57,7 @@ dependencies = [
   "pyyaml==6.0.3",
   "requests-oauthlib==2.0.0",
   "scim2-filter-parser==0.7.0",
-  "sentry-sdk==2.61.0",
+  "sentry-sdk==2.61.1",
   "service-identity==24.2.0",
   "setproctitle==1.3.7",
   "structlog==25.5.0",
diff --git a/uv.lock b/uv.lock
index fab25b75fe..cbf45e56e1 100644
--- a/uv.lock
+++ b/uv.lock
@@ -413,7 +413,7 @@ requires-dist = [
     { name = "pyyaml", specifier = "==6.0.3" },
     { name = "requests-oauthlib", specifier = "==2.0.0" },
     { name = "scim2-filter-parser", specifier = "==0.7.0" },
-    { name = "sentry-sdk", specifier = "==2.61.0" },
+    { name = "sentry-sdk", specifier = "==2.61.1" },
     { name = "service-identity", specifier = "==24.2.0" },
     { name = "setproctitle", specifier = "==1.3.7" },
     { name = "structlog", specifier = "==25.5.0" },
@@ -3380,15 +3380,15 @@ wheels = [
 
 [[package]]
 name = "sentry-sdk"
-version = "2.61.0"
+version = "2.61.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "certifi" },
     { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/52/4d/3c66e6045bd2071256b6b6fdcb0cc02b86ce54b2acc2ceac79af8e0efbb5/sentry_sdk-2.61.0.tar.gz", hash = "sha256:1ca9b4bb777eb5be67004edab7eb894f21c6301f1d05ed64966719ad5d1764ce", size = 458510, upload-time = "2026-05-28T09:40:28.917Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/63/3b/4bc6b348bbd331daa14d4babe9f2b99bc854f4da41560eefb9488d78481d/sentry_sdk-2.61.1.tar.gz", hash = "sha256:9c6adccb3feefa9ba032c8d295ca477575c2f11896046a2b0ad686c47c4af555", size = 459429, upload-time = "2026-06-01T07:24:18.875Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/21/5a/9794736d5802689c1a48862e6afe6b7f3e86cc37c15d4a84bc0143877dc1/sentry_sdk-2.61.0-py3-none-any.whl", hash = "sha256:ec4d30273909cb1d198e03208b16ee70e2bc5d90a16fd9f1fb2fc6a72e1f03dc", size = 483111, upload-time = "2026-05-28T09:40:27.027Z" },
+    { url = "https://files.pythonhosted.org/packages/df/54/c9218db183846e08efaf68534889ef42e499dde432778881104a42f7071b/sentry_sdk-2.61.1-py3-none-any.whl", hash = "sha256:fa36eaf4b8ad708f718500d4bdcc1532637526a22beb874d88cbc0a46458b5ae", size = 483735, upload-time = "2026-06-01T07:24:17.027Z" },
 ]
 
 [[package]]

From c0d1d177768d03ac03e664761aca984667b6fe10 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 14:56:30 +0200
Subject: [PATCH 22/68] core: bump github.com/go-openapi/runtime from 0.32.2 to
 0.32.3 (#22914)

Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.32.2 to 0.32.3.
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](https://github.com/go-openapi/runtime/compare/v0.32.2...v0.32.3)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/runtime
  dependency-version: 0.32.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 22 +++++++++++-----------
 go.sum | 48 ++++++++++++++++++++++++------------------------
 2 files changed, 35 insertions(+), 35 deletions(-)

diff --git a/go.mod b/go.mod
index 23232b6286..d67faa054c 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/getsentry/sentry-go v0.46.2
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.13
-	github.com/go-openapi/runtime v0.32.2
+	github.com/go-openapi/runtime v0.32.3
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.5.2
@@ -51,14 +51,14 @@ require (
 	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/analysis v0.25.0 // indirect
+	github.com/go-openapi/analysis v0.25.2 // indirect
 	github.com/go-openapi/errors v0.22.7 // indirect
 	github.com/go-openapi/jsonpointer v0.23.1 // indirect
-	github.com/go-openapi/jsonreference v0.21.5 // indirect
+	github.com/go-openapi/jsonreference v0.21.6 // indirect
 	github.com/go-openapi/loads v0.23.3 // indirect
 	github.com/go-openapi/runtime/server-middleware v0.30.0 // indirect
-	github.com/go-openapi/spec v0.22.4 // indirect
-	github.com/go-openapi/strfmt v0.26.2 // indirect
+	github.com/go-openapi/spec v0.22.5 // indirect
+	github.com/go-openapi/strfmt v0.26.3 // indirect
 	github.com/go-openapi/swag/conv v0.26.0 // indirect
 	github.com/go-openapi/swag/fileutils v0.26.0 // indirect
 	github.com/go-openapi/swag/jsonname v0.26.0 // indirect
@@ -68,7 +68,7 @@ require (
 	github.com/go-openapi/swag/stringutils v0.26.0 // indirect
 	github.com/go-openapi/swag/typeutils v0.26.0 // indirect
 	github.com/go-openapi/swag/yamlutils v0.26.0 // indirect
-	github.com/go-openapi/validate v0.25.2 // indirect
+	github.com/go-openapi/validate v0.25.3 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
 	github.com/grafana/pyroscope-go/godeltaprof v0.1.11 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -86,14 +86,14 @@ require (
 	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/otel v1.43.0 // indirect
-	go.opentelemetry.io/otel/metric v1.43.0 // indirect
-	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	go.opentelemetry.io/otel v1.44.0 // indirect
+	go.opentelemetry.io/otel/metric v1.44.0 // indirect
+	go.opentelemetry.io/otel/trace v1.44.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/crypto v0.51.0 // indirect
-	golang.org/x/net v0.54.0 // indirect
-	golang.org/x/sys v0.44.0 // indirect
+	golang.org/x/net v0.55.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
 	golang.org/x/text v0.37.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/go.sum b/go.sum
index 18f422fc63..a09f0ff659 100644
--- a/go.sum
+++ b/go.sum
@@ -41,24 +41,24 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-openapi/analysis v0.25.0 h1:EnjAq1yO8wEO9HbPmY8vLPEIkdZuuFhCAKBPvCB7bCs=
-github.com/go-openapi/analysis v0.25.0/go.mod h1:5WFTRE43WLkPG9r9OtlMfqkkvUTYLVVCIxLlEpyF8kE=
+github.com/go-openapi/analysis v0.25.2 h1:I0vy4n3alz+DHTiN1PRhCb7QZxkK6g5YmswZKv2TKuw=
+github.com/go-openapi/analysis v0.25.2/go.mod h1:Uhs1t/2XR10EnwONYILGEzw8gcfGIG5Xk5K2AxnhqDo=
 github.com/go-openapi/errors v0.22.7 h1:JLFBGC0Apwdzw3484MmBqspjPbwa2SHvpDm0u5aGhUA=
 github.com/go-openapi/errors v0.22.7/go.mod h1://QW6SD9OsWtH6gHllUCddOXDL0tk0ZGNYHwsw4sW3w=
 github.com/go-openapi/jsonpointer v0.23.1 h1:1HBACs7XIwR2RcmItfdSFlALhGbe6S92p0ry4d1GWg4=
 github.com/go-openapi/jsonpointer v0.23.1/go.mod h1:iWRmZTrGn7XwYhtPt/fvdSFj1OfNBngqRT2UG3BxSqY=
-github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe+pJyVWRdiE=
-github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw=
+github.com/go-openapi/jsonreference v0.21.6 h1:NZ5nGfnaM1n4I43Xjm1e5/M2GjOwQwndQz22uhxwD+Y=
+github.com/go-openapi/jsonreference v0.21.6/go.mod h1:xzbgtQ3ZbWxvET3AxdzCJlJt6vkovbf+IfSPJjD0tUY=
 github.com/go-openapi/loads v0.23.3 h1:g5Xap1JfwKkUnZdn+S0L3SzBDpcTIYzZ5Qaag0YDkKQ=
 github.com/go-openapi/loads v0.23.3/go.mod h1:NOH07zLajXo8y55hom0omlHWDVVvCwBM/S+csCK8LqA=
-github.com/go-openapi/runtime v0.32.2 h1:X9mZz716lFwYZ6bFV1BBnthNdHTy46zKM5Em4D1UISI=
-github.com/go-openapi/runtime v0.32.2/go.mod h1:IfM3cpgencPuwBp5Uo16i2IQaE74odL7Q4DCGovIQac=
+github.com/go-openapi/runtime v0.32.3 h1:J7Ycy5DJmhhP1By3NifhRUjnkXTrk21qbeqSULjwX8U=
+github.com/go-openapi/runtime v0.32.3/go.mod h1:/WTQi0fa5DiGnnCXQKsTkSm15OzJp8Uz3H2t+67TBr4=
 github.com/go-openapi/runtime/server-middleware v0.30.0 h1:8rPoJ/xv7JL8BsovaqboKETlpWBArVh8n+0L/GyePog=
 github.com/go-openapi/runtime/server-middleware v0.30.0/go.mod h1:OYNT/TxNvB/VK5oe4htM2jDTwlEXuejVJmu0DVZfAMs=
-github.com/go-openapi/spec v0.22.4 h1:4pxGjipMKu0FzFiu/DPwN3CTBRlVM2yLf/YTWorYfDQ=
-github.com/go-openapi/spec v0.22.4/go.mod h1:WQ6Ai0VPWMZgMT4XySjlRIE6GP1bGQOtEThn3gcWLtQ=
-github.com/go-openapi/strfmt v0.26.2 h1:ysjheCh4i1rmFEo2LanhELDNucNzfWTZhUDKgWWPaFM=
-github.com/go-openapi/strfmt v0.26.2/go.mod h1:fXh1e449cyUn2NYuz+wb3wARBUdMl7qPEZwX00nqivY=
+github.com/go-openapi/spec v0.22.5 h1:KhO7RBlKQfonUWX2WzQCoLIXVA6AcNqDGZ3a1Dutdlo=
+github.com/go-openapi/spec v0.22.5/go.mod h1:vxpOtMya5TXtENXKE5bKqv5NjocVhyhxHrlZfvKnZ74=
+github.com/go-openapi/strfmt v0.26.3 h1:rzmslHarJgBbf2qfGge+X3htclQfmXqBZMm0Too0HhU=
+github.com/go-openapi/strfmt v0.26.3/go.mod h1:a5nsUw0oRpQzZeOwx8bi6cKbzFZslpbCKt1LEot+KnQ=
 github.com/go-openapi/swag/conv v0.26.0 h1:5yGGsPYI1ZCva93U0AoKi/iZrNhaJEjr324YVsiD89I=
 github.com/go-openapi/swag/conv v0.26.0/go.mod h1:tpAmIL7X58VPnHHiSO4uE3jBeRamGsFsfdDeDtb5ECE=
 github.com/go-openapi/swag/fileutils v0.26.0 h1:WJoPRvsA7QRiiWluowkLJa9jaYR7FCuxmDvnCgaRRxU=
@@ -83,8 +83,8 @@ github.com/go-openapi/testify/enable/yaml/v2 v2.5.1 h1:q9NtHwK4qHF7yZziBPvZyv7zW
 github.com/go-openapi/testify/enable/yaml/v2 v2.5.1/go.mod h1:JW0MXIotCYps/XsgJnG3a8Q7rE5xAiBwoOD5OfaIQBk=
 github.com/go-openapi/testify/v2 v2.5.1 h1:TMdhCaw8fUNraVSf3Omoob1dO/AzBfhtFAPW0an6sBo=
 github.com/go-openapi/testify/v2 v2.5.1/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
-github.com/go-openapi/validate v0.25.2 h1:12NsfLAwGegqbGWr2CnvT65X/Q2USJipmJ9b7xDJZz0=
-github.com/go-openapi/validate v0.25.2/go.mod h1:Pgl1LpPPGFnZ+ys4/hTlDiRYQdI1ocKypgE+8Q8BLfY=
+github.com/go-openapi/validate v0.25.3 h1:4nzAIavcJ7WveHK2+V1UAkZK3kWcjzxZCzjfZAfavKs=
+github.com/go-openapi/validate v0.25.3/go.mod h1:GemfuGMyYpIaBoKpX3z8sLywrmxpzWVOoJ7R0VeAVuk=
 github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
 github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
@@ -201,14 +201,14 @@ github.com/wwt/guac v1.3.2/go.mod h1:eKm+NrnK7A88l4UBEcYNpZQGMpZRryYKoz4D/0/n1C0
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
-go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
-go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
-go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
-go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
-go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
-go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
-go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
+go.opentelemetry.io/otel v1.44.0 h1:JjwHmHpA4iZ3wBxluu2fbbE7j4kqlE8jXyAyPXH7HqU=
+go.opentelemetry.io/otel v1.44.0/go.mod h1:BMgjTHL9WPRlRjL2oZCBTL4whCGtXch2H4BhOPIAyYc=
+go.opentelemetry.io/otel/metric v1.44.0 h1:1w0gILTcHdr3YI+ixLyjemwrVnsMURbTZFrSYCdDdmc=
+go.opentelemetry.io/otel/metric v1.44.0/go.mod h1:8O7hanEPBNgEMmybD3s2VBKcgWOCsA6tzHBPODAiquo=
+go.opentelemetry.io/otel/sdk v1.44.0 h1:nHYwb9lK+fJPU/dnT6s7W7Z8itMWyqrnVfbheVYrZ58=
+go.opentelemetry.io/otel/sdk v1.44.0/go.mod h1:Osuydd3Se74nqjAKxid74N5eC+jfEqfTegHRnq58oK0=
+go.opentelemetry.io/otel/trace v1.44.0 h1:jxF5CsGYCe74MCRx2X4g7WsY/VBKRqqpNvXlX/6gtIk=
+go.opentelemetry.io/otel/trace v1.44.0/go.mod h1:oLl1jrMQAVo6v3GAggN+1VH9VIz9iUSvW53sW1Q8PIE=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
@@ -229,8 +229,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
-golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -247,8 +247,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
-golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=

From 8ce9ecaec4e43baa655a4485195e8d4bbfb40d94 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 14:56:51 +0200
Subject: [PATCH 23/68] ci: bump astral-sh/setup-uv from 8.1.0 to 8.2.0 in
 /.github/actions/setup (#22923)

ci: bump astral-sh/setup-uv in /.github/actions/setup

Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 8.1.0 to 8.2.0.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](https://github.com/astral-sh/setup-uv/compare/08807647e7069bb48b6ef5acd8ec9567f424441b...fac544c07dec837d0ccb6301d7b5580bf5edae39)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/actions/setup/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index 32951050d2..6f49b82019 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -37,7 +37,7 @@ runs:
         sudo rsync -a --delete /tmp/empty/ /usr/local/lib/android/
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v5
+      uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v5
       with:
         enable-cache: true
     - name: Setup python

From b55a1b26b7f2859573abff100cb0811c0b8ebe59 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 14:57:16 +0200
Subject: [PATCH 24/68] core: bump goauthentik/fips-python from `b332680` to
 `dc515b7` in /lifecycle/container (#22874)

core: bump goauthentik/fips-python in /lifecycle/container

Bumps goauthentik/fips-python from `b332680` to `dc515b7`.

---
updated-dependencies:
- dependency-name: goauthentik/fips-python
  dependency-version: 3.14.5-slim-trixie-fips
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 lifecycle/container/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lifecycle/container/Dockerfile b/lifecycle/container/Dockerfile
index b57a11b3ba..188f1c47c1 100644
--- a/lifecycle/container/Dockerfile
+++ b/lifecycle/container/Dockerfile
@@ -118,7 +118,7 @@ RUN cat /root/.rustup/settings.toml
 # Stage: Download uv
 FROM ghcr.io/astral-sh/uv:0.11.19@sha256:b46b03ddfcfbf8f547af7e9eaefdf8a39c8cebcba7c98858d3162bd28cf536f6 AS uv
 # Stage: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.14.5-slim-trixie-fips@sha256:b332680f098882472bc13d5452b7b348bf8e7ef4400588d85aca41acde77c1f4 AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.14.5-slim-trixie-fips@sha256:dc515b79d2c76d12adae52116c655f6cf3f8a217f88afa103278cf036bda8597 AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \

From e9cd445958531b13d462e768c2fe79591bebe882 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 15:28:31 +0200
Subject: [PATCH 25/68] website: bump the build group across 1 directory with 3
 updates (#22833)

* website: bump the build group across 1 directory with 3 updates

Bumps the build group with 3 updates in the /website directory: [@rspack/binding-darwin-arm64](https://github.com/web-infra-dev/rspack/tree/HEAD/packages/rspack), [@rspack/binding-linux-arm64-gnu](https://github.com/web-infra-dev/rspack/tree/HEAD/packages/rspack) and [@rspack/binding-linux-x64-gnu](https://github.com/web-infra-dev/rspack/tree/HEAD/packages/rspack).


Updates `@rspack/binding-darwin-arm64` from 2.0.4 to 2.0.6
- [Release notes](https://github.com/web-infra-dev/rspack/releases)
- [Commits](https://github.com/web-infra-dev/rspack/commits/v2.0.6/packages/rspack)

Updates `@rspack/binding-linux-arm64-gnu` from 2.0.4 to 2.0.6
- [Release notes](https://github.com/web-infra-dev/rspack/releases)
- [Commits](https://github.com/web-infra-dev/rspack/commits/v2.0.6/packages/rspack)

Updates `@rspack/binding-linux-x64-gnu` from 2.0.4 to 2.0.6
- [Release notes](https://github.com/web-infra-dev/rspack/releases)
- [Commits](https://github.com/web-infra-dev/rspack/commits/v2.0.6/packages/rspack)

---
updated-dependencies:
- dependency-name: "@rspack/binding-darwin-arm64"
  dependency-version: 2.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: build
- dependency-name: "@rspack/binding-linux-arm64-gnu"
  dependency-version: 2.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: build
- dependency-name: "@rspack/binding-linux-x64-gnu"
  dependency-version: 2.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: build
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
---
 website/api/package.json  |  6 +++---
 website/package-lock.json | 30 +++++++++++++++---------------
 website/package.json      |  6 +++---
 3 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/website/api/package.json b/website/api/package.json
index 027e19b221..c416ba9206 100644
--- a/website/api/package.json
+++ b/website/api/package.json
@@ -48,9 +48,9 @@
         "typescript": "^6.0.3"
     },
     "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "2.0.4",
-        "@rspack/binding-linux-arm64-gnu": "2.0.4",
-        "@rspack/binding-linux-x64-gnu": "2.0.4",
+        "@rspack/binding-darwin-arm64": "2.0.6",
+        "@rspack/binding-linux-arm64-gnu": "2.0.6",
+        "@rspack/binding-linux-x64-gnu": "2.0.6",
         "@swc/core-darwin-arm64": "1.15.40",
         "@swc/core-linux-arm64-gnu": "1.15.40",
         "@swc/core-linux-x64-gnu": "1.15.40",
diff --git a/website/package-lock.json b/website/package-lock.json
index e3d5eedd60..48df8c8298 100644
--- a/website/package-lock.json
+++ b/website/package-lock.json
@@ -38,9 +38,9 @@
                 "npm": ">=11.14.1"
             },
             "optionalDependencies": {
-                "@rspack/binding-darwin-arm64": "2.0.4",
-                "@rspack/binding-linux-arm64-gnu": "2.0.4",
-                "@rspack/binding-linux-x64-gnu": "2.0.4",
+                "@rspack/binding-darwin-arm64": "2.0.6",
+                "@rspack/binding-linux-arm64-gnu": "2.0.6",
+                "@rspack/binding-linux-x64-gnu": "2.0.6",
                 "@swc/core-darwin-arm64": "1.15.40",
                 "@swc/core-linux-arm64-gnu": "1.15.40",
                 "@swc/core-linux-x64-gnu": "1.15.40",
@@ -213,9 +213,9 @@
                 "typescript": "^6.0.3"
             },
             "optionalDependencies": {
-                "@rspack/binding-darwin-arm64": "2.0.4",
-                "@rspack/binding-linux-arm64-gnu": "2.0.4",
-                "@rspack/binding-linux-x64-gnu": "2.0.4",
+                "@rspack/binding-darwin-arm64": "2.0.6",
+                "@rspack/binding-linux-arm64-gnu": "2.0.6",
+                "@rspack/binding-linux-x64-gnu": "2.0.6",
                 "@swc/core-darwin-arm64": "1.15.40",
                 "@swc/core-linux-arm64-gnu": "1.15.40",
                 "@swc/core-linux-x64-gnu": "1.15.40",
@@ -6298,9 +6298,9 @@
             }
         },
         "node_modules/@rspack/binding-darwin-arm64": {
-            "version": "2.0.4",
-            "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.4.tgz",
-            "integrity": "sha512-0Q1QXFEsZfDc4opiDnb8q50KlBbC2VovViDaYlMJZBzvjAo325mh3itXPfz7YZ31M+TxRE7TUiJXH3ltiV1Hdg==",
+            "version": "2.0.6",
+            "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.6.tgz",
+            "integrity": "sha512-0giCKiWlBfcM4i2scv1j2k9HlSecO9Ybhaa5wsMUyvcFeKr9HbNHh7C2eDFlC6zaI85IUdY71TXF/g/Tcxr9MA==",
             "cpu": [
                 "arm64"
             ],
@@ -6324,9 +6324,9 @@
             ]
         },
         "node_modules/@rspack/binding-linux-arm64-gnu": {
-            "version": "2.0.4",
-            "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.4.tgz",
-            "integrity": "sha512-BEk6mIYBK4BihW9qXXITJORrVXecTlkRjrqhgefili4xjXtLdcUnxAm9sN/2oJ8m378n2h33qDh4gr2orPBFWQ==",
+            "version": "2.0.6",
+            "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.6.tgz",
+            "integrity": "sha512-H6ACzeM1KBxYDEF8YAim3501Jb1aCsSG79Gjm1M4pwJ5OJPK2ydiJEa438ugXmh0962eKYMHI2yZY0sQq8txaw==",
             "cpu": [
                 "arm64"
             ],
@@ -6356,9 +6356,9 @@
             ]
         },
         "node_modules/@rspack/binding-linux-x64-gnu": {
-            "version": "2.0.4",
-            "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.4.tgz",
-            "integrity": "sha512-xHorBPBZAg0Pn9Q0k9dWZ9euowieDxcSOzQ9JhTCmhDY6wZH5M/kCBFlCs/OQeW5/NUArW3x3MwEdO/0QJHMxg==",
+            "version": "2.0.6",
+            "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.6.tgz",
+            "integrity": "sha512-rerCAz022zf0ewxI+7n3SrqLEaxCL+MXRxKjK5FLUGFa8UkIrivq+VUP/1OB6JLh2Bucebc7Y9WoWHvtk22mLA==",
             "cpu": [
                 "x64"
             ],
diff --git a/website/package.json b/website/package.json
index b874c75b17..1c52cc7d3e 100644
--- a/website/package.json
+++ b/website/package.json
@@ -36,9 +36,9 @@
         "typescript-eslint": "^8.59.3"
     },
     "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "2.0.4",
-        "@rspack/binding-linux-arm64-gnu": "2.0.4",
-        "@rspack/binding-linux-x64-gnu": "2.0.4",
+        "@rspack/binding-darwin-arm64": "2.0.6",
+        "@rspack/binding-linux-arm64-gnu": "2.0.6",
+        "@rspack/binding-linux-x64-gnu": "2.0.6",
         "@swc/core-darwin-arm64": "1.15.40",
         "@swc/core-linux-arm64-gnu": "1.15.40",
         "@swc/core-linux-x64-gnu": "1.15.40",

From 5acb5a268567a6a5cfdff77e375eb149d2fdab1e Mon Sep 17 00:00:00 2001
From: Dominic R <dominic@goauthentik.io>
Date: Tue, 9 Jun 2026 09:33:02 -0400
Subject: [PATCH 26/68] website/integrations: FortiMail: cleanup (#22696)

Agent-thread: https://sdko.org/internal/threads/019e6b1f-4069-74a0-8c51-fb731643e2f1

Co-authored-by: Agent <agent@svc.sdko.net>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
---
 .../integrations/security/fortimail/index.mdx | 170 +++++++++++-------
 1 file changed, 109 insertions(+), 61 deletions(-)

diff --git a/website/integrations/security/fortimail/index.mdx b/website/integrations/security/fortimail/index.mdx
index 4efe22e7ec..5f12a910f8 100644
--- a/website/integrations/security/fortimail/index.mdx
+++ b/website/integrations/security/fortimail/index.mdx
@@ -19,22 +19,26 @@ import TabItem from "@theme/TabItem";
 The following placeholders are used in this guide:
 
 - `authentik.company` is the FQDN of the authentik installation.
-- `fortimailadmin.company` is the FQDN (or IP) of your FortiMail admin interface.
-- `fortimailuser.company` is the WAN-facing FQDN of your FortiMail user/webmail portal.
+- `fortimailadmin.company` is the FQDN or IP address of your FortiMail admin interface.
+- `fortimailuser.company` is the FQDN or IP address of your FortiMail user/webmail portal.
 
 :::info
-This documentation lists only the settings that you need to change from their default values. Changing settings not mentioned in this guide can prevent single sign-on from working correctly.
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-:::info
-FortiMail 7.6.4 and later allows you to configure separate service providers for the admin and user/webmail portals. If you plan to use the user/webmail portal, avoid importing FortiMail’s auto-generated metadata directly, as you will need to edit the ACS URL in that XML to replace the host with your user-facing FQDN.
+:::info FortiMail Cloud
+FortiMail Cloud supports SSO for webmail users. The Admin Portal SSO steps apply to FortiMail Appliance and VM.
+:::
+
+:::info Webmail limitations
+When SSO is enabled for FortiMail webmail users, CalDAV and WebDAV authentication do not use SSO and continue to require local password authentication. If your FortiMail system is deployed in server mode, configure an LDAP profile for the domain users before enabling webmail SSO.
 :::
 
 ## authentik configuration
 
-To support the integration of the FortiMail with authentik, you need to create an application/provider pair in authentik.
+To support the integration of FortiMail with authentik, you need to create an application/provider pair in authentik.
 
-You can configure either Admin Portal SSO or User Portal SSO (or both), depending on the intended user and the desired scope of authentication.
+You can configure either Admin Portal SSO or User Portal SSO, or both, depending on the intended users and the desired scope of authentication.
 
 <Tabs
   defaultValue="admin"
@@ -49,107 +53,151 @@ You can configure either Admin Portal SSO or User Portal SSO (or both), dependin
 <SAMLProvider20265Warning />
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
-    - **Application**: provide a descriptive name (e.g. `FortiMail Admin`), an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
+2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
+    - **Application**: provide a descriptive name (for example, `FortiMail Admin`), an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** value because it will be required later.
     - **Choose a Provider type**: select **SAML Provider** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
-        - Set the **ACS URL** to `https://fortimailadmin.company/sso/SAML2/POST`.
-        - Set the **Audience** to `https://fortimailadmin.company/sp`.
-        - Under **Advanced protocol settings**:
-            - Select any available certificate as the **Signing Certificate** and enable **Sign Assertions**.
-            - Ensure that `authentik default SAML Mapping: Username` is selected as a **Selected User Property Mappings**; other mappings are optional and can be removed if not needed.
-    - **Configure Bindings** _(optional)_: create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to control which administrators see the FortiMail Admin application on the **Application Dashboard** page.
-
-3. Click **Submit** to save the application and provider.
+        - Temporarily set the **ACS URL** to `https://temp.temp`.
+        - Temporarily set the **Audience** to `https://temp.temp`.
+        - Under **Advanced protocol settings**, select any available certificate as the **Signing Certificate**.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
+3. Click **Create Application** to save the new application and provider.
 
 ### Download metadata file
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section (e.g. `Provider for FortiMail Admin`).
-3. Under **Related objects** > **Metadata**, click on **Download**. This downloaded file is your metadata file and it will be required in the next section.
+2. Navigate to **Applications** > **Providers** and click the name of the provider that you created in the previous section (for example, `Provider for FortiMail Admin`).
+3. Under **Related objects** > **Metadata**, click **Download**. This file is required in the next section.
 
 ## FortiMail configuration
 
 1. Sign in to the FortiMail admin interface.
-2. Navigate to **System** > **Single Sign On** and select the **Setting** tab.
-3. Enable **Single sign-on** and note the values that FortiMail displays (the ACS field is read-only):
+2. Navigate to **System** > **Single Sign On** and open the **Profile** tab.
+3. Create a new SSO profile and configure the following settings:
+    - **Profile name**: enter a descriptive name (for example, `authentik-admin`).
+    - **Metadata**: upload the authentik metadata file that you downloaded in the previous section.
+    - **Attribute used to identify email address**: `http://schemas.goauthentik.io/2021/02/saml/username`
+4. Click **Create** or **OK** to save the SSO profile.
+5. Open the **Setting** tab and enable **Single sign-on**.
+6. If FortiMail displays **Use different service provider for admin and webmail access**, select **Admin** as the service provider metadata target.
+7. In the **Service Provider Metadata** section, configure the following values:
     - **Entity ID**: `https://fortimailadmin.company/sp`
-    - **Assertion consumer service (ACS) URL**: `https://fortimailadmin.company/sso/SAML2/POST`
+    - **Host name**: `fortimailadmin.company`
+8. Click **Apply**.
+9. Copy the following FortiMail service provider values:
+    - **Entity ID**
+    - **ACS URL**
 
-Ensure that these values match those configured in authentik. If not, update the values in authentik and re-download the [authentik metadata file](#download-metadata-file).
+### Reconfigure the authentik provider
 
-4. Upload the authentik SAML metadata file that you downloaded in the previous step.
-5. Switch to the **Profile** tab and configure the attribute mapping:
-    - Set **Attribute used to identify email address** to `http://schemas.goauthentik.io/2021/02/saml/username`.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Providers** and click the provider that you created for FortiMail Admin.
+3. Click **Edit**.
+4. Under **Protocol settings**, set the following values:
+    - **ACS URL**: paste the **ACS URL** value from FortiMail.
+    - **Audience**: paste the **Entity ID** value from FortiMail.
+5. Click **Update**.
 
-:::info User Provisioning
-FortiMail does not auto-provision administrator accounts via SSO.
+### Configure administrator accounts
 
-You must manually create admin users and, for each account, configure the **Authentication type** as `Single Sign On` to enable authentication through the SAML provider.
-:::
+FortiMail does not automatically provision administrator accounts through SSO. Create or edit each administrator that should use SSO:
+
+1. In the FortiMail admin interface, navigate to **System** > **Administrator** > **Administrator**.
+2. For each SSO-enabled administrator, set **Authentication type** to **Single Sign On** and set **Single sign on profile** to the SSO profile that you created for authentik.
 
 ### Enforce SSO-only access (optional)
 
-To require SSO for FortiMail Admin Portal logins:
+To show only SSO on the administrator login page, run the following commands in the FortiMail CLI:
 
-1. Sign in to the FortiMail admin interface.
-2. Navigate to **System** > **Customization** > **Appearance** > **Webmail Portal** and set **Login page** to `Single Sign On only`.
+```shell
+config system appearance
+set admin-sso-login-option sso-only
+end
+```
+
+:::warning Administrator recovery
+When administrator SSO-only login is enabled, the built-in `admin` account cannot sign in to the GUI. Keep SSH or local console access available before enabling this option.
+:::
 
   </TabItem>
   <TabItem value="user">
 
-## authentik configuration
-
-To support the integration of the FortiMail User Portal with authentik, you need to create an application/provider pair in authentik.
-
 ### Create an application and provider in authentik
 
 <SAMLProvider20265Warning />
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
-    - **Application**: provide a descriptive name (e.g. `FortiMail User Portal`), an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
+2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
+    - **Application**: provide a descriptive name (for example, `FortiMail User Portal`), an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** value because it will be required later.
     - **Choose a Provider type**: select **SAML Provider** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
-        - Set the **ACS URL** to `https://fortimailuser.company/sp2/sso/SAML2/POST`.
-        - Set the **Audience** to `https://fortimailuser.company/sp`.
-        - Under **Advanced protocol settings**, choose any available certificate as the **Signing Certificate** and enable **Sign Assertions**. Ensure `authentik default SAML Mapping: Email` is selected as a **Selected User Property Mapping**; other mappings are optional and can be removed if not needed.
-    - **Configure Bindings** _(optional)_: create a [binding](/docs/add-secure-apps/bindings-overview/) to control which end users see the FortiMail webmail application on the **Application Dashboard** page.
-
-3. Click **Submit** to save the application and provider.
+        - Temporarily set the **ACS URL** to `https://temp.temp`.
+        - Temporarily set the **Audience** to `https://temp.temp`.
+        - Under **Advanced protocol settings**, select any available certificate as the **Signing Certificate**.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
+3. Click **Create Application** to save the new application and provider.
 
 ### Download metadata file
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section (e.g. `Provider for FortiMail User Portal`).
-3. Under **Related objects** > **Metadata**, click on **Download**. This downloaded file is your metadata file and it will be required in the next section.
+2. Navigate to **Applications** > **Providers** and click the name of the provider that you created in the previous section (for example, `Provider for FortiMail User Portal`).
+3. Under **Related objects** > **Metadata**, click **Download**. This file is required in the next section.
 
 ## FortiMail configuration
 
 1. Sign in to the FortiMail admin interface.
-2. Navigate to **System** > **Single Sign On** and select the **Setting** tab.
-3. Enable **Use different service provider for admin and webmail access**, and select the **Webmail** service provider.
-4. For the user/webmail service provider, note the values that FortiMail displays (the ACS field is read-only):
-    - **Entity ID**: `https://fortimailuser.company/sp`
-    - **Assertion consumer service (ACS) URL**: replace the host portion with `fortimailuser.company` (for example, `https://fortimailuser.company/sp2/sso/SAML2/POST`)
+2. Navigate to **System** > **Single Sign On** and open the **Profile** tab.
+3. Create a new SSO profile and configure the following settings:
+    - **Profile name**: enter a descriptive name (for example, `authentik-webmail`).
+    - **Metadata**: upload the authentik metadata file that you downloaded in the previous section.
+    - **Attribute used to identify email address**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
+4. Click **Create** or **OK** to save the SSO profile.
+5. Open the **Setting** tab and enable **Single sign-on**.
+6. Enable **Use different service provider for admin and webmail access**, and then select **Webmail** as the service provider metadata target.
+7. In the **Service Provider Metadata** section, configure the following values:
+    - **Entity ID**: `https://fortimailuser.company/sp2`
+    - **Host name**: `fortimailuser.company`
+8. Click **Apply**.
+9. Copy the following FortiMail service provider values:
+    - **Entity ID**
+    - **ACS URL**
 
-Ensure that these values match those configured in authentik. If not, update the values in authentik and re-download the [authentik metadata file](#download-metadata-file).
+### Reconfigure the authentik provider
 
-5. Upload the authentik SAML metadata file you downloaded in the previous step.
-6. On the **Profile** tab for the user/webmail provider, set **Attribute used to identify email address** to `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Providers** and click the provider that you created for the FortiMail User Portal.
+3. Click **Edit**.
+4. Under **Protocol settings**, set the following values:
+    - **ACS URL**: paste the **ACS URL** value from FortiMail.
+    - **Audience**: paste the **Entity ID** value from FortiMail.
+5. Click **Update**.
+
+### Configure webmail access
+
+1. In the FortiMail admin interface, navigate to **Domain & Users** > **Domain** and edit the domain that should use SSO.
+2. Open **Advanced Setting** > **Other** and set **Webmail single sign on** to the SSO profile that you created for authentik.
 
 ### Enforce SSO-only access (optional)
 
-To require SSO for FortiMail User Portal logins:
+To show only SSO on the webmail login page, run the following commands in the FortiMail CLI:
 
-1. Sign in to the FortiMail admin interface.
-2. Navigate to **Domain & Users** > **Domain**, edit the domain entry, then open **Advanced Setting** > **Other** and set **Webmail single sign on** to the SSO profile you created for end users.
+```shell
+config system appearance
+set webmail-sso-login-option sso-only
+end
+```
 
   </TabItem>
 </Tabs>
 
 ## Configuration verification
 
-1. Open a new browser session (or private window) and navigate to the relevant FortiMail portal (admin or user).
-2. Initiate the SSO login flow (this happens automatically if you enabled the SSO-only options) and confirm that you are redirected to authentik for authentication. Sign in with an account permitted to use that portal.
-3. After successful authentication, verify that you return to the FortiMail portal without being prompted for additional credentials.
+To confirm that authentik is properly configured with FortiMail, open the FortiMail portal that you configured and start the SSO login flow. After authenticating with authentik, verify that you return to FortiMail without being prompted for additional credentials.
+
+## Resources
+
+- [Fortinet - FortiMail](https://www.fortinet.com/products/email-security)
+- [Fortinet Docs - Configuring single sign-on (SSO)](https://docs.fortinet.com/document/fortimail/8.0.0/administration-guide/73231/configuring-single-sign-on-sso)
+- [Fortinet Docs - FortiMail Cloud Configuring single sign-on (SSO)](https://docs.fortinet.com/document/fortimail-cloud/1.0.0/fortimail-cloud-administration-guide/73231/configuring-single-sign-on-sso)
+- [Fortinet Docs - system saml](https://docs.fortinet.com/document/fortimail/8.0.0/cli-reference/856423/system-saml)
+- [Fortinet Docs - system appearance](https://docs.fortinet.com/document/fortimail/7.4.3/cli-reference/523895/system-appearance)

From 9e1f1f05b669f4a1b9d575037060a603e05d63df Mon Sep 17 00:00:00 2001
From: Dominic R <dominic@goauthentik.io>
Date: Tue, 9 Jun 2026 09:34:26 -0400
Subject: [PATCH 27/68] website/integrations: add IIS integration (#22935)

* website/integrations: add IIS integration

Add a community IIS integration guide covering proxy provider setup and IIS deployment layouts.

Closes: #19947

Agent-thread: https://sdko.org/internal/thr/ak/019ea7ea-23b6-7400-840f-93af6d11780a

A7k-product: product

A7k-product-repo: 4

Co-authored-by: Agent <agent@svc.sdko.net>

* website/integrations: fix IIS warning syntax

Use the integration guide admonition title format for the IIS ARR warning.

Agent-thread: https://sdko.org/internal/thr/ak/019ea7ea-23b6-7400-840f-93af6d11780a

A7k-product: product

A7k-product-repo: 4

Co-authored-by: Agent <agent@svc.sdko.net>

---------

Co-authored-by: Agent <agent@svc.sdko.net>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
---
 .../integrations/infrastructure/iis/index.md  | 132 ++++++++++++++++++
 1 file changed, 132 insertions(+)
 create mode 100644 website/integrations/infrastructure/iis/index.md

diff --git a/website/integrations/infrastructure/iis/index.md b/website/integrations/infrastructure/iis/index.md
new file mode 100644
index 0000000000..8a01c76fd5
--- /dev/null
+++ b/website/integrations/infrastructure/iis/index.md
@@ -0,0 +1,132 @@
+---
+title: Integrate with IIS
+sidebar_label: IIS
+support_level: community
+---
+
+import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
+
+## What is IIS?
+
+> Internet Information Services (IIS) for Windows Server is a flexible, secure and manageable Web server for hosting anything on the Web.
+>
+> -- https://www.iis.net
+
+This guide uses authentik's proxy provider to protect an IIS-hosted site.
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `iis.company` is the FQDN of the IIS site that users access.
+- `authentik.company` is the FQDN of the authentik installation.
+
+:::info
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+:::
+
+## authentik configuration
+
+To support the integration of IIS with authentik, you need to create an application/provider pair in authentik and assign it to a proxy outpost.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+    - **Choose a Provider type**: select **Proxy Provider** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+        - Set **Mode** to **Proxy**.
+        - Set **External host** to `https://iis.company`.
+        - Set **Internal host** to the URL of the IIS backend site as reached by the authentik proxy outpost, such as `http://localhost:8080`.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
+
+3. Click **Submit** to save the new application and provider.
+
+### Configure proxy outpost
+
+The proxy provider requires an authentik proxy outpost. If you do not already have a proxy outpost, follow the [outpost documentation](/docs/add-secure-apps/outposts/) to create and deploy one.
+
+Add the IIS application to a proxy outpost that will serve it:
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Outposts**.
+3. Click the edit icon for the proxy outpost.
+4. Under **Available Applications**, select the IIS application and move it to **Selected Applications**.
+5. Click **Update** to save your changes.
+
+## IIS configuration
+
+<Tabs
+defaultValue="outpost"
+values={[
+{ label: "Proxy outpost", value: "outpost" },
+{ label: "IIS reverse proxy", value: "iis" },
+]}>
+<TabItem value="outpost">
+
+Use this option when the authentik proxy outpost should receive requests for `https://iis.company`.
+
+1. Configure DNS or your reverse proxy so that `iis.company` routes to the authentik proxy outpost.
+2. Configure the IIS backend site so that it is reachable from the authentik proxy outpost at the **Internal host** URL.
+3. If the IIS backend site runs on the same Windows server, use a separate binding or port for the backend site, such as `http://localhost:8080`.
+
+No SSO configuration is required in IIS for this option. The authentik proxy outpost authenticates the user before forwarding allowed requests to IIS.
+
+</TabItem>
+
+<TabItem value="iis">
+
+Use this option when IIS should receive requests for `https://iis.company` and forward them to the authentik proxy outpost. The authentik proxy outpost then forwards authenticated requests to the IIS backend site.
+
+:::warning ARR host header setting
+`preserveHostHeader` is a server-level ARR setting. Review other IIS reverse proxy sites before changing it on a shared IIS server.
+:::
+
+1. Install the IIS **URL Rewrite** module and **Application Request Routing**.
+2. In IIS Manager, select the server node, open **Application Request Routing Cache**, click **Server Proxy Settings**, enable **Enable proxy**, and apply the change.
+3. From an elevated Command Prompt, configure ARR to preserve the original host header and avoid rewriting response `Location` headers:
+
+    ```cmd title="Administrator Command Prompt"
+    %windir%\System32\inetsrv\appcmd.exe set config -section:system.webServer/proxy /preserveHostHeader:"True" /reverseRewriteHostInResponseHeaders:"False" /commit:apphost
+    ```
+
+4. Configure the public IIS site for `iis.company` to proxy requests to the authentik proxy outpost.
+
+    If the site already has a `web.config` file, merge the `rewrite` section into the existing `system.webServer` section.
+
+    ```xml title="web.config"
+    <?xml version="1.0" encoding="UTF-8"?>
+    <configuration>
+        <system.webServer>
+            <rewrite>
+                <rules>
+                    <rule name="authentik proxy outpost" stopProcessing="true">
+                        <match url="(.*)" />
+                        <action type="Rewrite" url="http://authentik.company:9000/{R:1}" />
+                    </rule>
+                </rules>
+            </rewrite>
+        </system.webServer>
+    </configuration>
+    ```
+
+    This example uses the outpost HTTP port. If the outpost uses HTTPS, use `https://authentik.company:9443/{R:1}`.
+
+5. Configure the IIS backend site so that it is reachable from the authentik proxy outpost at the **Internal host** URL. The backend site must use a different binding, hostname, or port than the public IIS reverse proxy site to avoid routing requests back to itself.
+
+</TabItem>
+</Tabs>
+
+## Configuration verification
+
+To confirm that authentik is properly configured with IIS, open the IIS site. You should be redirected to authentik before the IIS site is shown.
+
+## Resources
+
+- [Microsoft IIS - Overview](https://www.iis.net/overview)
+- [Microsoft Learn - IIS Web Server Overview](https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-web-server-overview)
+- [Microsoft Learn - Install Application Request Routing Version 2](https://learn.microsoft.com/en-us/iis/extensions/installing-application-request-routing-arr/install-application-request-routing-version-2)
+- [Microsoft Learn - Reverse Proxy with URL Rewrite v2 and Application Request Routing](https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing)
+- [Microsoft Learn - ARR as generic proxy in Hotmail and SkyDrive](https://learn.microsoft.com/en-us/iis/extensions/configuring-application-request-routing-arr/arr-as-generic-proxy-in-hotmail-and-skydrive)

From f600a622ae1b18f2086da12ea73f3f1af695edfb Mon Sep 17 00:00:00 2001
From: Dominic R <dominic@goauthentik.io>
Date: Tue, 9 Jun 2026 09:34:47 -0400
Subject: [PATCH 28/68] website/integrations: add Dozzle (#22939)

* website/integrations: Dozzle: cleanup

Closes: #16052

Agent-thread: https://sdko.org/internal/thr/ak/019ea8d4-853c-7282-a700-968e5a50b888
A7k-product: product
A7k-product-repo: 2
Co-authored-by: Agent <agent@svc.sdko.net>

* Update website/integrations/monitoring/dozzle/index.md

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

---------

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
---
 locale/en/dictionaries/integrations.txt       |  1 +
 .../integrations/monitoring/dozzle/index.md   | 81 +++++++++++++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 website/integrations/monitoring/dozzle/index.md

diff --git a/locale/en/dictionaries/integrations.txt b/locale/en/dictionaries/integrations.txt
index 43e40ac016..07dc651786 100644
--- a/locale/en/dictionaries/integrations.txt
+++ b/locale/en/dictionaries/integrations.txt
@@ -9,6 +9,7 @@ Budibase
 Doki
 Doku
 dokuwiki
+Dozzle
 Engomo
 Espo
 espocrm
diff --git a/website/integrations/monitoring/dozzle/index.md b/website/integrations/monitoring/dozzle/index.md
new file mode 100644
index 0000000000..97103068ce
--- /dev/null
+++ b/website/integrations/monitoring/dozzle/index.md
@@ -0,0 +1,81 @@
+---
+title: Integrate with Dozzle
+sidebar_label: Dozzle
+support_level: community
+---
+
+## What is Dozzle?
+
+> Dozzle is a lightweight, web-based log viewer designed to simplify monitoring and debugging containerized applications across Docker, Docker Swarm, and Kubernetes environments.
+>
+> -- https://dozzle.dev/guide/what-is-dozzle
+
+Dozzle supports forward-proxy authentication. Use authentik as a forward auth proxy in front of Dozzle, and configure Dozzle to read the authenticated user details from the proxy headers set by authentik.
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `dozzle.company` is the FQDN of the Dozzle installation.
+- `authentik.company` is the FQDN of the authentik installation.
+
+:::info
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+:::
+
+:::warning Protect Docker access
+Dozzle can access the Docker API through the mounted Docker socket. Only expose Dozzle behind authentication, and keep Dozzle actions and shell access disabled unless you need them.
+:::
+
+## authentik configuration
+
+To support the integration of Dozzle with authentik, you need to create an application/provider pair in authentik. This guide assumes that Dozzle is already deployed behind a reverse proxy that supports authentik forward auth.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+    - **Choose a Provider type**: select **Proxy Provider** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+        - Set **Mode** to **Forward auth (single application)**.
+        - Set **External host** to `https://dozzle.company`.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
+
+3. Click **Submit** to save the new application and provider.
+
+### Configure proxy outpost
+
+The proxy provider requires an authentik proxy outpost. If you do not already have a proxy outpost, follow the [outpost documentation](/docs/add-secure-apps/outposts/) to create and deploy one.
+
+Add the Dozzle application to a proxy outpost that will serve it:
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Outposts**.
+3. Click the edit icon for the proxy outpost. This can be the built-in **authentik Embedded Outpost** or another proxy outpost.
+4. Under **Available Applications**, select the Dozzle application and move it to **Selected Applications**.
+5. Click **Update** to save your changes.
+
+## Dozzle configuration
+
+Configure Dozzle to use the `forward-proxy` authentication provider. Add the following environment variables to your Dozzle configuration:
+
+```env title=".env"
+DOZZLE_AUTH_PROVIDER=forward-proxy
+DOZZLE_AUTH_HEADER_USER=X-Authentik-Username
+DOZZLE_AUTH_HEADER_EMAIL=X-Authentik-Email
+DOZZLE_AUTH_HEADER_NAME=X-Authentik-Name
+DOZZLE_AUTH_LOGOUT_URL=https://dozzle.company/outpost.goauthentik.io/sign_out
+```
+
+Configure your reverse proxy to use the authentik outpost as the forward auth endpoint for `https://dozzle.company`. Requests to `/outpost.goauthentik.io` must be routed to the authentik outpost, and all other requests must be routed to Dozzle.
+
+After making these changes, restart Dozzle and reload your reverse proxy.
+
+## Configuration verification
+
+To verify the login flow, open Dozzle. You should be redirected to authentik before the Dozzle web interface is shown.
+
+## Resources
+
+- [Dozzle - What is Dozzle?](https://dozzle.dev/guide/what-is-dozzle)

From 540c2810b402b83192342242d77592b11d3372e1 Mon Sep 17 00:00:00 2001
From: sreelim <sreelimyrike@gmail.com>
Date: Tue, 9 Jun 2026 06:40:51 -0700
Subject: [PATCH 29/68] website/docs: document SCIM source trust model and
 security implications (#22535)

docs: document SCIM source trust model and security implications

Describe tenant-wide user/group correlation, unscoped membership,
destructive DELETE behavior, and default bootstrap group exposure so
operators understand the SCIM Bearer token trust boundary.

Co-authored-by: Cursor <cursoragent@cursor.com>
---
 .../sources/protocols/scim/index.md           | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/website/docs/users-sources/sources/protocols/scim/index.md b/website/docs/users-sources/sources/protocols/scim/index.md
index d2cb08c2d2..f9aa53d593 100644
--- a/website/docs/users-sources/sources/protocols/scim/index.md
+++ b/website/docs/users-sources/sources/protocols/scim/index.md
@@ -24,6 +24,39 @@ Endpoint to list, create, update and delete groups.
 
 There are also `/v2/ServiceProviderConfig` and `/v2/ResourceTypes`, which are used by SCIM-enabled applications to find out which features authentik supports.
 
+## Trust model and security
+
+The SCIM source Bearer token is a **high-trust provisioning credential**. Anyone who can use the token can manage users and groups through the SCIM endpoints for that source. Treat it like a secret with roughly the same sensitivity as an administrative provisioning integration, not like a narrowly scoped API key.
+
+By default, authentik applies the following behavior for inbound SCIM requests:
+
+### User and group correlation
+
+On create and update, authentik may **correlate** SCIM resources to **existing** directory objects in the same tenant:
+
+- **Users** are matched by `userName` across the entire tenant, not only users already linked to this SCIM source.
+- **Groups** are matched by `displayName` (mapped to the group `name`) across the entire tenant, not only groups already linked to this SCIM source.
+
+If a matching object exists, the SCIM source adopts and updates that object.
+
+### Group membership
+
+Group `members` operations accept **any user UUID in the tenant**. authentik does not require that member users were originally created by, or are exclusively managed by, the same SCIM source.
+
+### Deprovisioning (DELETE)
+
+SCIM **DELETE** on a user or group removes the **underlying authentik `User` or `Group` object**, not only the SCIM source link. This applies to correlated objects as well as objects created through SCIM.
+
+### Default bootstrap layout
+
+Fresh installs create a superuser group named **`authentik Admins`** (`is_superuser=true`) and an initial admin user. Because group correlation is tenant-wide, a SCIM token holder can interact with that group if they use the same `displayName`, including changing membership or deleting the group after correlating to it.
+
+### Recommendations
+
+- Restrict network access to SCIM endpoints where possible.
+- Rotate and revoke SCIM tokens when an IdP integration is decommissioned.
+- Do not share SCIM tokens across untrusted systems.
+
 ## SCIM source property mappings
 
 See the [overview](../../property-mappings/index.md) for information on how property mappings work.

From eea639c822fa1211d7a2c60b5d80ac0fb7fefaba Mon Sep 17 00:00:00 2001
From: Dominic R <dominic@goauthentik.io>
Date: Tue, 9 Jun 2026 10:04:46 -0400
Subject: [PATCH 30/68] website/integrations: add HubSpot (#22933)

Add a HubSpot SAML SSO integration guide covering authentik and HubSpot setup.

Closes: #22910

Agent-thread: https://sdko.org/internal/thr/ak/019ea7e9-4bf5-78b1-b364-20b68c06a8ce
A7k-product: product
A7k-product-repo: 2

Co-authored-by: Agent <agent@svc.sdko.net>
---
 .../integrations/platforms/hubspot/index.md   | 100 ++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 website/integrations/platforms/hubspot/index.md

diff --git a/website/integrations/platforms/hubspot/index.md b/website/integrations/platforms/hubspot/index.md
new file mode 100644
index 0000000000..aacc7943ec
--- /dev/null
+++ b/website/integrations/platforms/hubspot/index.md
@@ -0,0 +1,100 @@
+---
+title: Integrate with HubSpot
+sidebar_label: HubSpot
+support_level: community
+---
+
+import SAMLProvider20265Warning from "../../\_saml-provider-2026-5-warning.mdx";
+
+## What is HubSpot?
+
+> HubSpot is a customer platform with tools for CRM, marketing, sales, customer service, content management, operations, and commerce.
+>
+> -- https://www.hubspot.com/
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `authentik.company` is the FQDN of the authentik installation.
+
+:::info HubSpot requirements
+This guide covers SAML Single Sign-On (SSO) for HubSpot. HubSpot SSO requires a HubSpot Professional or Enterprise account, or an active Professional or Enterprise trial, and a HubSpot user with **Super Admin** permissions. HubSpot identifies SSO users by email address, so the NameID sent by authentik must match the user's email address in HubSpot.
+:::
+
+:::info
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+:::
+
+## authentik configuration
+
+To support the integration of HubSpot with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+<SAMLProvider20265Warning />
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
+    - **Application**: set **Application Name**, **Slug**, an optional group, the policy engine mode, and optional UI settings. Take note of the **Slug** as it will be required later.
+    - **Choose a Provider**: select **SAML Provider** on the **Choose a Provider Type** page.
+    - **Configure SAML Provider**: provide a name (or accept the auto-provided name), select the authorization flow to use for this provider, and set the following values.
+        - Set **ACS URL** to `https://temp.temp`.
+        - Set **Audience** to `https://temp.temp`.
+        - Under **Advanced protocol settings**:
+            - Select an available **Signing Certificate**.
+            - Set **NameID Property Mapping** to `authentik default SAML Mapping: Email`.
+            - Set **Service Provider Binding** to **Post**.
+            - Set **Default NameID Policy** to **Email address**.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
+
+3. Click **Create Application** to save the new application and provider.
+
+### Copy the SAML values from authentik
+
+1. In the authentik Admin interface, navigate to **Applications** > **Providers** and click the SAML provider that you created for HubSpot.
+2. Copy the **SAML Endpoint** value. This value is required in HubSpot.
+3. Under **Related objects** > **Download signing certificate**, click **Download**.
+4. Open the downloaded certificate file and copy the full PEM certificate.
+
+## HubSpot configuration
+
+1. Log in to HubSpot as a Super Admin.
+2. In the top navigation bar, click the **settings** icon.
+3. In the left sidebar, navigate to **Security**.
+4. On the **Login** tab, do one of the following:
+    - If portal login settings have not been configured yet, click **Setup Portal Login Settings**.
+    - If portal login settings have already been configured, click **Set up** in the **Configure single sign-on (SSO)** section.
+5. In the right panel, select the **All Other Identity Providers** tab.
+6. Set the following values:
+    - **Identity Provider Identifier or Issuer URL**: `https://authentik.company/application/saml/<application_slug>/metadata/`
+    - **Identity Provider Single Sign-On URL**: the **SAML Endpoint** value from authentik.
+    - **X.509 Certificate**: the full PEM certificate that you downloaded from authentik.
+7. Copy the following values from HubSpot. You will use them to finish the SAML provider configuration in authentik.
+    - **Audience URI**
+    - **ACS URL**
+8. Keep the SSO setup panel open.
+
+## Configure the remaining information in authentik
+
+1. In the authentik Admin interface, navigate to **Applications** > **Providers** and click the SAML provider that you created for HubSpot.
+2. Click **Edit**.
+3. Under **Protocol settings**, set the following values:
+    - **ACS URL**: the **ACS URL** value from HubSpot.
+    - **Audience**: the **Audience URI** value from HubSpot.
+4. Click **Save Changes**.
+
+## Verify HubSpot configuration
+
+1. Return to the HubSpot SSO setup panel.
+2. Click **Verify** and complete the authentik login flow.
+
+## Configuration verification
+
+To confirm that authentik is properly configured with HubSpot, open HubSpot in a private browser window, click **Log in with SSO**, and enter the email address of a HubSpot user whose email address matches an authentik user.
+
+## Resources
+
+- [HubSpot Knowledge Base - Set up single sign-on (SSO)](https://knowledge.hubspot.com/account-security/set-up-single-sign-on-sso)
+- [HubSpot - Single Sign-on in HubSpot](https://www.hubspot.com/products/single-sign-on)
+- [Cisco Duo - Duo Single Sign-On for HubSpot](https://duo.com/docs/sso-hubspot)

From 284896176e3b3df635f78fcbfab20f0c5a3b4ba5 Mon Sep 17 00:00:00 2001
From: Dominic R <dominic@goauthentik.io>
Date: Tue, 9 Jun 2026 12:20:15 -0400
Subject: [PATCH 31/68] website/integrations: add Dropbox Sign integration
 (#22934)

Add a Dropbox Sign SAML integration guide based on Dropbox's setup documentation.

Closes: #22909

Agent-thread: https://sdko.org/internal/thr/ak/019ea7e9-b2de-7103-893f-2547731ef9cb

A7k-product: product

A7k-product-repo: 3

Co-authored-by: Agent <agent@svc.sdko.net>
---
 .../documentation/dropbox-sign/index.mdx      | 107 ++++++++++++++++++
 1 file changed, 107 insertions(+)
 create mode 100644 website/integrations/documentation/dropbox-sign/index.mdx

diff --git a/website/integrations/documentation/dropbox-sign/index.mdx b/website/integrations/documentation/dropbox-sign/index.mdx
new file mode 100644
index 0000000000..3577b1de44
--- /dev/null
+++ b/website/integrations/documentation/dropbox-sign/index.mdx
@@ -0,0 +1,107 @@
+---
+title: Integrate with Dropbox Sign
+sidebar_label: Dropbox Sign
+support_level: community
+---
+
+import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";
+
+## What is Dropbox Sign?
+
+> Dropbox Sign is an electronic signature platform for preparing, sending, signing, and tracking documents and agreements.
+>
+> -- https://sign.dropbox.com/
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `authentik.company` is the FQDN of the authentik installation.
+
+:::info
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+:::
+
+:::info Dropbox Sign requirements
+SAML SSO requires a Dropbox Sign Premium plan.
+:::
+
+## authentik configuration
+
+To support the integration of Dropbox Sign with authentik, you need to create property mappings and an application/provider pair in authentik.
+
+### Create property mappings
+
+Dropbox Sign expects the SAML assertion to include `FirstName` and `LastName` attributes. Because authentik stores a user's full name as a single string, create SAML provider property mappings that split the full name into first and last names.
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Customization** > **Property Mappings** and click **Create**.
+3. Select **SAML Provider Property Mapping** as the property mapping type and click **Next**.
+4. Create a property mapping with the following values:
+    - **Name**: `Dropbox Sign FirstName`
+    - **SAML Attribute Name**: `FirstName`
+    - **Expression**:
+
+        ```python
+        name = request.user.name or request.user.username
+        return name.split(" ", 1)[0]
+        ```
+
+5. Click **Finish** to save the property mapping.
+6. Repeat steps 2-5 to create the following additional SAML provider property mapping:
+    - **Name**: `Dropbox Sign LastName`
+    - **SAML Attribute Name**: `LastName`
+    - **Expression**:
+
+        ```python
+        name = request.user.name or request.user.username
+        return name.rsplit(" ", 1)[-1] if " " in name else ""
+        ```
+
+### Create an application and provider in authentik
+
+<SAMLProvider20265Warning />
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** value because it will be required later.
+    - **Choose a Provider type**: select **SAML Provider** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+        - Set **ACS URL** to `https://app.hellosign.com/account/ssoLogIn`.
+        - Set **Audience** to `https://app.hellosign.com`.
+        - Under **Advanced protocol settings**:
+            - Set **Signing Certificate** to any available certificate.
+            - Set **NameID Property Mapping** to `authentik default SAML Mapping: Email`.
+            - Set **Default NameID Policy** to `Email address`.
+            - Add the `Dropbox Sign FirstName` and `Dropbox Sign LastName` property mappings that you created in the previous section.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
+3. Click **Submit** to save the new application and provider.
+
+### Download and prepare the signing certificate
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Providers** and click the name of the newly created Dropbox Sign provider.
+3. Under **Related objects** > **Download signing certificate**, click **Download**.
+4. Open the downloaded certificate file in plain text, remove the first and last lines (`-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`), then remove all line breaks from the remaining certificate text. This certificate text will be required in the next section.
+
+## Dropbox Sign configuration
+
+1. Log in to Dropbox Sign as an administrator.
+2. Hover over your email address in the top-right corner, then select **Admin console**.
+3. In the left sidebar, click **Security**, then locate **SSO**.
+4. Configure the following required settings:
+    - **Identity Provider Single Sign-On URL**: `https://authentik.company/application/saml/<application_slug>/`
+    - **Identity Provider Issuer**: `https://authentik.company/application/saml/<application_slug>/metadata/`
+    - **X.509 Certificate**: paste the certificate text that you prepared from the authentik signing certificate.
+5. Keep **Allow standard logins for admins** enabled while testing the SAML configuration.
+6. Click **Save**.
+
+## Configuration verification
+
+To confirm that authentik is properly configured with Dropbox Sign, open the Dropbox Sign application from the authentik Application Dashboard. You should be redirected to Dropbox Sign and signed in as the matching Dropbox Sign user.
+
+After you verify that SAML SSO works, decide whether to disable **Allow standard logins for admins** in Dropbox Sign.
+
+## Resources
+
+- [Dropbox Help - Dropbox Sign SAML SSO configuration](https://help.dropbox.com/security/dropbox-sign-saml-sso-configuration)

From f6d7edd4d86849b56bc19031260412b275c766a0 Mon Sep 17 00:00:00 2001
From: Connor Peshek <connor@connorpeshek.me>
Date: Tue, 9 Jun 2026 11:36:01 -0500
Subject: [PATCH 32/68] providers/oauth: skip post logout redirect matching if
 none are saved on the provider (#22718)

skip post logout redirect matching if none are saved on the provider
---
 authentik/providers/oauth2/views/end_session.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/authentik/providers/oauth2/views/end_session.py b/authentik/providers/oauth2/views/end_session.py
index 8eb55a44dd..a0f8d23ca2 100644
--- a/authentik/providers/oauth2/views/end_session.py
+++ b/authentik/providers/oauth2/views/end_session.py
@@ -84,8 +84,7 @@ class EndSessionView(PolicyAccessView):
                     "id_token_hint_decode_failed"
                 ) from None
 
-        # Validate post_logout_redirect_uri against registered URIs
-        if request_redirect_uri:
+        if request_redirect_uri and self.provider.post_logout_redirect_uris:
             # OIDC Certification: id_token_hint required with post_logout_redirect_uri
             if not id_token_hint:
                 raise TokenError("invalid_request").with_cause("id_token_hint_missing")

From c897e40bb4e85dac459f381d4a2c1c248bd12b48 Mon Sep 17 00:00:00 2001
From: Connor Peshek <connor@connorpeshek.me>
Date: Tue, 9 Jun 2026 11:36:44 -0500
Subject: [PATCH 33/68] website/integrations: add opencloud integration
 (#22497)

* website/integrations: add opencloud integration

* add steps for all clients

* improve wording and style

* Update website/integrations/chat-communication-collaboration/opencloud/index.mdx

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Connor Peshek <connor@connorpeshek.me>

* Update website/integrations/chat-communication-collaboration/opencloud/index.mdx

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Connor Peshek <connor@connorpeshek.me>

* Update website/integrations/chat-communication-collaboration/opencloud/index.mdx

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Connor Peshek <connor@connorpeshek.me>

* Update website/integrations/chat-communication-collaboration/opencloud/index.mdx

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Connor Peshek <connor@connorpeshek.me>

* add feedback

* Update website/integrations/chat-communication-collaboration/opencloud/index.mdx

Co-authored-by: Dominic R <dominic@goauthentik.io>
Signed-off-by: Connor Peshek <connor@connorpeshek.me>

* move table location

* update advanced proto settings location

* lint

* Apply suggestions from code review

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Connor Peshek <connor@connorpeshek.me>

* lint

* Update index.mdx

Signed-off-by: Connor Peshek <connor@connorpeshek.me>

---------

Signed-off-by: Connor Peshek <connor@connorpeshek.me>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@goauthentik.io>
---
 .../opencloud/index.mdx                       | 186 ++++++++++++++++++
 1 file changed, 186 insertions(+)
 create mode 100644 website/integrations/chat-communication-collaboration/opencloud/index.mdx

diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx
new file mode 100644
index 0000000000..9fcfc14a12
--- /dev/null
+++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx
@@ -0,0 +1,186 @@
+---
+title: Integrate with OpenCloud
+sidebar_label: OpenCloud
+support_level: community
+---
+
+import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
+
+## What is OpenCloud?
+
+> OpenCloud is an open-source content collaboration platform for storing, syncing, and sharing files, built on the Infinite Scale (oCIS) architecture.
+>
+> -- https://opencloud.eu
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `opencloud.company` is the FQDN of the OpenCloud installation.
+- `authentik.company` is the FQDN of the authentik installation.
+
+This guide covers integrating authentik with the [`opencloud-compose`](https://github.com/opencloud-eu/opencloud-compose) Docker deployment. OpenCloud only supports authentication via OpenID Connect (OIDC).
+
+Choose your setup below. The **Web only** tab logs in through the browser. The **Web, desktop & mobile** tab also enables the native sync clients, which each use a distinct client ID and require some extra issuer configuration.
+
+<Tabs
+  defaultValue="web"
+  values={[
+    { label: "Web only", value: "web" },
+    { label: "Web, desktop & mobile", value: "all" },
+  ]}
+>
+  <TabItem value="web">
+
+## authentik configuration
+
+1. Log in to authentik as an administrator and open the Admin interface.
+2. Navigate to **Applications** > **Applications** and click **New Application**.
+    - **Application**: provide a name and note the **slug**.
+    - **Choose a Provider type**: select **OAuth2/OpenID Connect**.
+    - **Configure the Provider**:
+        - **Client type**: `Public`
+        - **Client ID**: `web`
+        - **Redirect URIs**:
+            - Strict: `https://opencloud.company/oidc-callback.html`
+            - Strict: `https://opencloud.company/oidc-silent-redirect.html`
+            - Strict: `https://opencloud.company/`
+        - **Signing Key**: select any available key.
+        - **Scopes**: `openid`, `profile`, `email`.
+3. Click **Submit**.
+
+## OpenCloud configuration
+
+In the `opencloud-compose` project, enable the external IdP overlay in `COMPOSE_FILE`. This replaces OpenCloud's built-in IdP, so login goes through authentik only.
+
+```bash
+COMPOSE_FILE=docker-compose.yml:idm/external-idp.yml:custom/authentik-roles.yml
+```
+
+Set the OIDC values in `.env`:
+
+```bash
+OC_DOMAIN=opencloud.company
+IDP_DOMAIN=authentik.company
+IDP_ISSUER_URL=https://authentik.company/application/o/<application_slug>/
+OC_OIDC_CLIENT_ID=web
+OC_OIDC_CLIENT_SCOPES=openid profile email
+WEBFINGER_WEB_OIDC_CLIENT_ID=web
+WEBFINGER_WEB_OIDC_CLIENT_SCOPES=openid profile email
+```
+
+Create `custom/authentik-roles.yml` to assign every user the default role:
+
+```yaml
+---
+services:
+    opencloud:
+        environment:
+            PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
+            GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"
+```
+
+Then reboot your Docker containers.
+
+## Configuration verification
+
+Open `https://opencloud.company` in a new browser window. You are redirected to authentik to log in, and after authenticating you are returned to OpenCloud.
+
+  </TabItem>
+  <TabItem value="all">
+
+OpenCloud's web, desktop, Android, and iOS clients each use a distinct client ID, but must validate tokens against one issuer. authentik gives every application its own issuer by default, so this setup uses **GLOBAL issuer mode** (all providers share `https://authentik.company/`) plus a reverse proxy that serves OIDC discovery at that shared issuer.
+
+## Reverse proxy configuration
+
+With GLOBAL issuer mode enabled, tokens use an issuer of `iss = https://authentik.company/`, but authentik only exposes OpenID Connect discovery at `https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration`. To reconcile this, place a reverse proxy in front of authentik that maps the root discovery URL to a specific provider’s discovery endpoint. Any reverse proxy can handle this; for example, with Caddy:
+
+```caddy
+# Forward authentik.company to this; it in turn forwards to authentik.
+:8081 {
+	@discovery path /.well-known/openid-configuration
+	rewrite @discovery /application/o/<application_slug>/.well-known/openid-configuration
+	reverse_proxy authentik-upstream:9000 {
+		# keep authentik building https URLs if it is behind TLS termination
+		header_up X-Forwarded-Proto https
+	}
+}
+```
+
+## authentik configuration
+
+Repeat these steps for **each** of the four clients (Web, Desktop, Android, and iOS), using the per-client values from the table below.
+
+| Client  | Client ID          | Redirect URIs                                                                               |
+| ------- | ------------------ | ------------------------------------------------------------------------------------------- |
+| Web     | `web`              | Strict: `https://opencloud.company/oidc-callback.html`, `…/oidc-silent-redirect.html`, `…/` |
+| Desktop | `OpenCloudDesktop` | Regex: `http://127.0.0.1(:[0-9]+)?(/.*)?` and `http://localhost(:[0-9]+)?(/.*)?`            |
+| Android | `OpenCloudAndroid` | Strict: `oc://android.opencloud.eu`                                                         |
+| iOS     | `OpenCloudIOS`     | Strict: `oc://ios.opencloud.eu`                                                             |
+
+1. Log in to authentik as an administrator and open the Admin interface.
+2. Navigate to **Applications** > **Applications** and click **New Application**.
+    - **Application**: provide a name and note the **slug**.
+    - **Choose a Provider type**: select **OAuth2/OpenID Connect**.
+    - **Configure the Provider**:
+        - **Client type**: `Public`
+        - **Client ID**: the client's value from the table above.
+        - **Redirect URIs**: the client's value from the table above.
+        - **Signing Key**: select the **same** key for all four providers (the shared issuer exposes a single `jwks_uri`, so all clients' tokens must be signed by one key).
+        - Under **Advanced protocol settings**, add `offline_access` to **Selected scopes**.
+    - **Under advanced protocol settings**:
+        - **Issuer mode**: `Same identifier is used for all providers`.
+3. Click **Submit**.
+
+## OpenCloud configuration
+
+In the `opencloud-compose` project, enable the external IdP overlay in `COMPOSE_FILE`. This replaces OpenCloud's built-in IdP, so login goes through authentik only.
+
+```bash
+COMPOSE_FILE=docker-compose.yml:idm/external-idp.yml:custom/authentik-roles.yml
+```
+
+Set the OIDC values in `.env`. `OC_OIDC_ISSUER` points at the shared (root) issuer, and each client uses its own WebFinger client ID:
+
+```bash
+OC_DOMAIN=opencloud.company
+IDP_DOMAIN=authentik.company
+IDP_ISSUER_URL=https://authentik.company/
+OC_OIDC_CLIENT_ID=web
+OC_OIDC_CLIENT_SCOPES=openid profile email
+
+WEBFINGER_WEB_OIDC_CLIENT_ID=web
+WEBFINGER_WEB_OIDC_CLIENT_SCOPES=openid profile email
+WEBFINGER_DESKTOP_OIDC_CLIENT_ID=OpenCloudDesktop
+WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES=openid profile email offline_access
+WEBFINGER_IOS_OIDC_CLIENT_ID=OpenCloudIOS
+WEBFINGER_IOS_OIDC_CLIENT_SCOPES=openid profile email offline_access
+WEBFINGER_ANDROID_OIDC_CLIENT_ID=OpenCloudAndroid
+WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES=openid profile email offline_access
+```
+
+Create `custom/authentik-roles.yml` to assign every user the default role:
+
+```yaml
+---
+services:
+    opencloud:
+        environment:
+            PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
+            GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"
+```
+
+Then reboot your Docker containers.
+
+## Configuration verification
+
+Open `https://opencloud.company` in a browser, and add the account in the Desktop, iOS, and Android apps using the same server URL. Each client is redirected to authentik to log in and returned to the client afterwards.
+
+  </TabItem>
+</Tabs>
+
+## Resources
+
+- [OpenCloud docs — Integrating external OpenID Connect Identity Providers](https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp)
+- [opencloud-compose](https://github.com/opencloud-eu/opencloud-compose)

From 6e8176cdf77a2933ac2e68c1e7b21a93a8d43330 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcelo=20Elizeche=20Land=C3=B3?= <marcelo@goauthentik.io>
Date: Tue, 9 Jun 2026 14:39:59 -0300
Subject: [PATCH 34/68] core: bump django from 5.2.14 to v5.2.15 (#22956)

bump django from 5.2.14 to v5.2.15
---
 pyproject.toml | 2 +-
 uv.lock        | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 1c3bf48d15..dff9bf08c9 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -25,7 +25,7 @@ dependencies = [
   "django-prometheus==2.5.0",
   "django-storages[s3]==1.14.6",
   "django-tenants==3.10.1",
-  "django==5.2.14",
+  "django==5.2.15",
   "djangoql==0.19.1",
   "djangorestframework==3.17.1",
   "docker==7.1.0",
diff --git a/uv.lock b/uv.lock
index cbf45e56e1..d0c175584f 100644
--- a/uv.lock
+++ b/uv.lock
@@ -369,7 +369,7 @@ requires-dist = [
     { name = "dacite", specifier = "==1.9.2" },
     { name = "deepmerge", specifier = "==2.0" },
     { name = "defusedxml", specifier = "==0.7.1" },
-    { name = "django", specifier = "==5.2.14" },
+    { name = "django", specifier = "==5.2.15" },
     { name = "django-channels-postgres", editable = "packages/django-channels-postgres" },
     { name = "django-countries", specifier = "==8.2.0" },
     { name = "django-dramatiq-postgres", editable = "packages/django-dramatiq-postgres" },
@@ -1122,16 +1122,16 @@ wheels = [
 
 [[package]]
 name = "django"
-version = "5.2.14"
+version = "5.2.15"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "asgiref" },
     { name = "sqlparse" },
     { name = "tzdata", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/65/95/95f7faa0950867afaa0bef2460c6263afd6a2c78cc9434046ed28160b015/django-5.2.14.tar.gz", hash = "sha256:58a63ba841662e5c686b57ba1fec52ddd68c0b93bd96ac3029d55728f00bf8a2", size = 10895118, upload-time = "2026-05-05T13:57:31.104Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/2b/e3/31722f7284c9f43333daff9aee9184678e4487adcb5506af0db8cea09ce1/django-5.2.15.tar.gz", hash = "sha256:5154a9bf84ac01dde011e367f355c07dbb329532e06810dcf3ef2af269e236e7", size = 10873669, upload-time = "2026-06-03T13:03:35.892Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/14/44/f172870cf87aa25afef48fb72adba89ee8b77fcab6f3b23d240b923f1528/django-5.2.14-py3-none-any.whl", hash = "sha256:6f712143bd3064310d1f50fac859c3e9a274bdcfc9595339853be7779297fc76", size = 8311320, upload-time = "2026-05-05T13:57:25.795Z" },
+    { url = "https://files.pythonhosted.org/packages/92/b5/38140b1643c00d5c46ce69c78e6980fd285aee223100319631bedee4f5e7/django-5.2.15-py3-none-any.whl", hash = "sha256:0eb4a9bb1853a35b0286dbc6d916bd352c8c2687195a7f2d6f80cefd840e4970", size = 8311957, upload-time = "2026-06-03T13:03:31.329Z" },
 ]
 
 [[package]]

From b456e4a9f67e613730dce24edc2880e45482c474 Mon Sep 17 00:00:00 2001
From: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Date: Tue, 9 Jun 2026 20:33:06 +0200
Subject: [PATCH 35/68] web/polyfill: polyfill customElements.getName for
 Safari < 17.4 (#22940)

* web/polyfill: polyfill customElements.getName for Safari < 17.4

The flow renderer started calling window.customElements.getName in 2026.5,
which crashes on iOS 16 Safari and any WebKit WebView before 17.4. Reporters
saw "getName is not a function" at the first stage render and the page never
recovered.

The polyfill wraps define() to record each tag and constructor pair, then
resolves getName(ctor) from that map. It only installs when the registry is
missing the method, so modern browsers keep their native implementation. The
polyfill bundle is loaded from base/skeleton.html ahead of every interface
entry point, so the wrap is in place before any customElements.define call
runs.

Fixes #22611

Co-Authored-By: Agent (authentik-i22611-committed-cooperative-orchid) <279763771+playpen-agent@users.noreply.github.com>

* Refine.

---------

Co-authored-by: Agent (authentik-i22611-committed-cooperative-orchid) <279763771+playpen-agent@users.noreply.github.com>
Co-authored-by: Connor Peshek <connor@connorpeshek.me>
---
 web/src/polyfill/custom-elements-get-name.ts  |  56 +++++++++
 .../custom-elements-get-name.unit.test.ts     | 106 ++++++++++++++++++
 web/src/polyfill/index.entrypoint.ts          |   1 +
 3 files changed, 163 insertions(+)
 create mode 100644 web/src/polyfill/custom-elements-get-name.ts
 create mode 100644 web/src/polyfill/custom-elements-get-name.unit.test.ts

diff --git a/web/src/polyfill/custom-elements-get-name.ts b/web/src/polyfill/custom-elements-get-name.ts
new file mode 100644
index 0000000000..9ca03e62cc
--- /dev/null
+++ b/web/src/polyfill/custom-elements-get-name.ts
@@ -0,0 +1,56 @@
+/**
+ * @file Polyfill for `CustomElementRegistry.getName()` on older WebKit.
+ *
+ * `getName()` is the reverse of `customElements.get()`: given a custom-element
+ * constructor, it returns the tag name it was registered under (or `null`).
+ * It landed in Chrome/Edge 117, Firefox 119, and Safari 17.4 — so iOS 16, the
+ * iOS 17.0–17.3 series, and any WebKit WebView pinned below 17.4 reach the
+ * authentik flow renderer without it and crash at the first call site.
+ *
+ * The polyfill keeps a reverse map by wrapping `define()` so that any later
+ * registration is recorded; on browsers that already implement `getName()`
+ * natively it is a no-op. Because the wrap can only observe registrations made
+ * *after* it installs, this module must be imported before any
+ * `customElements.define(...)` call — which is what the polyfill entry point
+ * guarantees, since it is loaded ahead of every interface bundle in
+ * `base/skeleton.html`.
+ */
+
+/**
+ * Install the `getName()` polyfill on the given registry if it is absent.
+ *
+ * Exported separately from the side-effect import so that unit tests can drive
+ * the polyfill against a fake registry without touching the global one.
+ */
+export function applyCustomElementsGetNamePolyfill(
+    registry: Partial<CustomElementRegistry>,
+): asserts registry is CustomElementRegistry {
+    if (typeof registry.getName === "function") return;
+
+    if (typeof registry.define !== "function") {
+        console.warn(
+            "CustomElementRegistry.getName polyfill: registry lacks define() method, cannot install polyfill",
+        );
+        return;
+    }
+
+    const nameByCtor = new WeakMap<CustomElementConstructor, string>();
+    const originalDefine = registry.define.bind(registry);
+
+    registry.define = function define(
+        name: string,
+        ctor: CustomElementConstructor,
+        options?: ElementDefinitionOptions,
+    ): void {
+        nameByCtor.set(ctor, name);
+        return originalDefine(name, ctor, options);
+    };
+
+    registry.getName = function getName(ctor: CustomElementConstructor): string | null {
+        return nameByCtor.get(ctor) ?? null;
+    };
+}
+
+if (typeof window !== "undefined" && window.customElements) {
+    applyCustomElementsGetNamePolyfill(window.customElements);
+}
diff --git a/web/src/polyfill/custom-elements-get-name.unit.test.ts b/web/src/polyfill/custom-elements-get-name.unit.test.ts
new file mode 100644
index 0000000000..1010965204
--- /dev/null
+++ b/web/src/polyfill/custom-elements-get-name.unit.test.ts
@@ -0,0 +1,106 @@
+import { applyCustomElementsGetNamePolyfill } from "./custom-elements-get-name.js";
+
+import { describe, expect, it, vi } from "vitest";
+
+type CustomElementRegistryMock = Omit<CustomElementRegistry, "initialize" | "getName"> & {
+    getName?: CustomElementRegistry["getName"];
+};
+
+type ElementConstructorInfo = [
+    name: string,
+    constructor: CustomElementConstructor,
+    options: ElementDefinitionOptions | undefined,
+];
+
+/**
+ * Build a minimal `CustomElementRegistry`-shaped object suitable for driving
+ * the polyfill in a Node environment. `getName` is omitted to simulate older
+ * WebKit; `defined` collects the args that reach the underlying `define`.
+ */
+function createMockRegistry(): {
+    registry: CustomElementRegistryMock;
+    defined: ElementConstructorInfo[];
+} {
+    const defined: ElementConstructorInfo[] = [];
+
+    const registry: CustomElementRegistryMock = {
+        define: vi.fn((name: string, ctor: CustomElementConstructor, options?) => {
+            defined.push([name, ctor, options]);
+        }),
+        get: vi.fn(),
+        whenDefined: vi.fn(),
+        upgrade: vi.fn(),
+    };
+
+    return { registry, defined };
+}
+
+describe("applyCustomElementsGetNamePolyfill", () => {
+    it("installs getName when the registry lacks it", () => {
+        const { registry } = createMockRegistry();
+
+        expect(typeof registry.getName).toBe("undefined");
+
+        applyCustomElementsGetNamePolyfill(registry);
+
+        expect(typeof registry.getName).toBe("function");
+    });
+
+    it("returns the registered tag name for a constructor defined after install", () => {
+        const { registry } = createMockRegistry();
+        applyCustomElementsGetNamePolyfill(registry);
+
+        const Ctor = class {} as unknown as CustomElementConstructor;
+
+        registry.define("ak-test-element", Ctor);
+
+        expect(registry.getName(Ctor)).toBe("ak-test-element");
+    });
+
+    it("forwards the define call to the original implementation with all arguments", () => {
+        const { registry, defined } = createMockRegistry();
+        applyCustomElementsGetNamePolyfill(registry);
+
+        const Ctor = class {} as unknown as CustomElementConstructor;
+
+        const options = { extends: "button" };
+
+        registry.define("ak-extends-button", Ctor, options);
+
+        expect(defined).toHaveLength(1);
+
+        expect(defined[0]?.[0]).toBe("ak-extends-button");
+        expect(defined[0]?.[1]).toBe(Ctor);
+        expect(defined[0]?.[2]).toBe(options);
+    });
+
+    it("returns null for a constructor that was never registered", () => {
+        const { registry } = createMockRegistry();
+        applyCustomElementsGetNamePolyfill(registry);
+        const Unregistered = class {} as unknown as CustomElementConstructor;
+
+        if (typeof registry.getName !== "function") {
+            throw new Error("getName should have been installed by the polyfill");
+        }
+
+        expect(registry.getName(Unregistered)).toBeNull();
+    });
+
+    it("does nothing when the registry already implements getName natively", () => {
+        const nativeGetName = vi.fn(() => "native-tag");
+        const nativeDefine = vi.fn();
+
+        const registry: CustomElementRegistryMock = {
+            define: nativeDefine,
+            getName: nativeGetName,
+            get: vi.fn(),
+            whenDefined: vi.fn(),
+            upgrade: vi.fn(),
+        };
+
+        applyCustomElementsGetNamePolyfill(registry);
+
+        expect(registry.getName).toBe(nativeGetName);
+        expect(registry.define).toBe(nativeDefine);
+    });
+});
diff --git a/web/src/polyfill/index.entrypoint.ts b/web/src/polyfill/index.entrypoint.ts
index 08417ec3b3..641c2285c4 100644
--- a/web/src/polyfill/index.entrypoint.ts
+++ b/web/src/polyfill/index.entrypoint.ts
@@ -1,6 +1,7 @@
 // sort-imports-ignore
 import "@webcomponents/webcomponentsjs";
 import "lit/polyfill-support.js";
+import "./custom-elements-get-name.js";
 import "core-js/actual";
 import "@formatjs/intl-listformat/polyfill.js";
 import "@formatjs/intl-listformat/locale-data/en.js";

From c3c6508b67c82fb5773d289326fb2fd0b15746c4 Mon Sep 17 00:00:00 2001
From: "Jens L." <jens@goauthentik.io>
Date: Wed, 10 Jun 2026 00:12:33 +0200
Subject: [PATCH 36/68] providers/radius: fix panic in log due to type (#22965)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 internal/outpost/radius/handler_eap_log.go | 26 ++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/internal/outpost/radius/handler_eap_log.go b/internal/outpost/radius/handler_eap_log.go
index 4d40592d45..12e542db4a 100644
--- a/internal/outpost/radius/handler_eap_log.go
+++ b/internal/outpost/radius/handler_eap_log.go
@@ -1,6 +1,9 @@
 package radius
 
 import (
+	"fmt"
+	"strconv"
+
 	"beryju.io/radius-eap/protocol"
 	"github.com/sirupsen/logrus"
 )
@@ -38,9 +41,28 @@ func (i *iter) At() (k string, v any) {
 
 	if i.i+1 == len(i.f) {
 		// Non even number of elements, add empty string.
-		return i.f[i.i].(string), ""
+		return toString(i.f[i.i]), ""
+	}
+	return toString(i.f[i.i]), i.f[i.i+1]
+}
+
+func toString(v any) string {
+	switch t := v.(type) {
+	case string:
+		return t
+	case *string:
+		return *t
+	case bool:
+		return strconv.FormatBool(t)
+	case float32:
+		return strconv.FormatFloat(float64(t), 'f', -1, 64)
+	case float64:
+		return strconv.FormatFloat(t, 'f', -1, 64)
+	case int:
+		return strconv.FormatInt(int64(t), 10)
+	default:
+		return fmt.Sprintf("%s", t)
 	}
-	return i.f[i.i].(string), i.f[i.i+1]
 }
 
 type logrusAdapter struct {

From 06a37a6db5d92b193f7a1a7a9b1dff0006efd712 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 10 Jun 2026 13:52:40 +0200
Subject: [PATCH 37/68] website: bump semver from 7.8.1 to 7.8.2 in /website
 (#22915)

* website: bump semver from 7.8.1 to 7.8.2 in /website

Bumps [semver](https://github.com/npm/node-semver) from 7.8.1 to 7.8.2.
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](https://github.com/npm/node-semver/compare/v7.8.1...v7.8.2)

---
updated-dependencies:
- dependency-name: semver
  dependency-version: 7.8.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* sigh

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
---
 website/docusaurus-theme/package.json | 2 +-
 website/package-lock.json             | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/website/docusaurus-theme/package.json b/website/docusaurus-theme/package.json
index 5bee5f5934..bca9755382 100644
--- a/website/docusaurus-theme/package.json
+++ b/website/docusaurus-theme/package.json
@@ -34,7 +34,7 @@
         "fast-glob": "^3.3.3",
         "remark-directive": "^4.0.0",
         "remark-github": "^12.0.0",
-        "semver": "^7.8.1",
+        "semver": "^7.8.2",
         "typescript": "^6.0.3",
         "unist-util-visit": "^5.0.0"
     }
diff --git a/website/package-lock.json b/website/package-lock.json
index 48df8c8298..d5921e608b 100644
--- a/website/package-lock.json
+++ b/website/package-lock.json
@@ -279,7 +279,7 @@
                 "fast-glob": "^3.3.3",
                 "remark-directive": "^4.0.0",
                 "remark-github": "^12.0.0",
-                "semver": "^7.8.1",
+                "semver": "^7.8.2",
                 "typescript": "^6.0.3",
                 "unist-util-visit": "^5.0.0"
             }
@@ -22765,9 +22765,9 @@
             }
         },
         "node_modules/semver": {
-            "version": "7.8.1",
-            "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.1.tgz",
-            "integrity": "sha512-rkVq3IXh+4FDGch+KwzX3aV9W3kO54GyEgpvBzSyctDA6Xtd7RJQV1xmXbeQp5v7+VzLOfVqiutSE6GICgPFvg==",
+            "version": "7.8.2",
+            "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.2.tgz",
+            "integrity": "sha512-c8jsqUZm3omBOI66G90z1Dyw5z622G8oLG+omfsHBJf3CWQTlOcwOjvOG6wtiNfW6anKm/eA39LMwMtMez2TiQ==",
             "license": "ISC",
             "bin": {
                 "semver": "bin/semver.js"

From 2148f1d35c4d75322523bb07e125b20a28aedf02 Mon Sep 17 00:00:00 2001
From: Dominic R <dominic@goauthentik.io>
Date: Wed, 10 Jun 2026 10:01:03 -0400
Subject: [PATCH 38/68] website/integrations: Cloudflare Access: cleanup
 (#22697)

Clean up the Cloudflare Access guide to match the current OIDC setup flow and authentik provider URLs.

Agent-thread: https://sdko.org/internal/threads/019e6b1f-8fa7-7561-9882-1e65cdb2f583

Co-authored-by: Agent <agent@svc.sdko.net>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
---
 .../security/cloudflare-access/index.md       | 46 +++++++++----------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/website/integrations/security/cloudflare-access/index.md b/website/integrations/security/cloudflare-access/index.md
index 1809dbc669..bbd635f768 100644
--- a/website/integrations/security/cloudflare-access/index.md
+++ b/website/integrations/security/cloudflare-access/index.md
@@ -14,16 +14,16 @@ support_level: community
 
 The following placeholders are used in this guide:
 
-- `company.cloudflareaccess.com` is the FQDN of your Cloudflare Access subdomain.
+- `company.cloudflareaccess.com` is the FQDN of your Cloudflare Access team domain.
 - `authentik.company` is the FQDN of the authentik installation.
 
-To proceed, you need to register for a free Cloudflare Access account and have both a Cloudflare account and a publicly accessible authentik instance with a trusted SSL certificate.
+To proceed, you need a Cloudflare account with Cloudflare Zero Trust enabled and a publicly accessible authentik instance with a trusted SSL certificate.
 
 :::info
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-:::info
+:::info Cloudflare Dashboard SSO
 Looking to integrate authentik with your Cloudflare Dashboard? See our [integration guide](../../platforms/cloudflare/index.md) for more information.
 :::
 
@@ -31,38 +31,38 @@ Looking to integrate authentik with your Cloudflare Dashboard? See our [integrat
 
 To support the integration of Cloudflare Access with authentik, you need to create an application/provider pair in authentik.
 
+Cloudflare uses your Cloudflare Access team name in the callback URL. You can find the team name in the Cloudflare dashboard under **Settings** > **Team name and domain** > **Team name**.
+
 ### Create an application and provider in authentik
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
-
-- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
-- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
-- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
-    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://company.cloudflareaccess.com/cdn-cgi/access/callback`.
-    - Select any available signing key.
-- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
-
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
+        - Add one `Strict` redirect URI and set it to `https://company.cloudflareaccess.com/cdn-cgi/access/callback`.
+        - Select any available signing key.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 3. Click **Submit** to save the new application and provider.
 
 ## Cloudflare Access configuration
 
-1. Open the [Cloudflare Access dashboard](https://one.dash.cloudflare.com) and navigate to **Integrations** > **Identity provider**.
-2. Click **Add an identity provider**, and then select **OpenID Connect**.
-3. From the authentik provider you created earlier, copy the following details and paste them into the corresponding fields:
-    - **Client ID** > App ID
-    - **Client Secret** > Client Secret
-    - **Authorize URL** > Auth URL
-    - **Token URL** > Token URL
-    - **JWKS URL** > Certificate URL
+1. Open the [Cloudflare dashboard](https://one.dash.cloudflare.com) and go to **Zero Trust** > **Integrations** > **Identity providers**.
+2. Under **Your identity providers**, click **Add new identity provider**, and then select **OpenID Connect**.
+3. Configure the identity provider using values from the authentik provider created earlier:
+    - **Name**: enter a descriptive name, for example `authentik`.
+    - **App ID**: enter the **Client ID** from authentik.
+    - **Client Secret**: enter the **Client Secret** from authentik.
+    - **Auth URL**: enter `https://authentik.company/application/o/authorize/`.
+    - **Token URL**: enter `https://authentik.company/application/o/token/`.
+    - **Certificate URL**: enter `https://authentik.company/application/o/<application_slug>/jwks/`.
 4. Click **Save**.
-5. Click **Test** to verify the login provider.
 
 ## Configuration verification
 
-To confirm that authentik is properly configured with Cloudflare Access, click the **Test** button found right next to the **Save** button from the previous step.
+To confirm that authentik is properly configured with Cloudflare Access, open Cloudflare Access, go to **Authentication** > **Login methods**, and click **Test** next to the authentik login method. Complete the login flow and verify that Cloudflare displays a successful test result.
 
 ## Resources
 
-- [Cloudflare Access Generic OIDC documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/generic-oidc/)
+- [Cloudflare Access Generic OIDC documentation](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/)

From c9cc70ba532b579294a3d5886cc74c76ff11ddd7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 10 Jun 2026 16:39:05 +0200
Subject: [PATCH 39/68] web: bump shell-quote from 1.8.3 to 1.8.4 (#22959)

Bumps [shell-quote](https://github.com/ljharb/shell-quote) from 1.8.3 to 1.8.4.
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ljharb/shell-quote/compare/v1.8.3...v1.8.4)

---
updated-dependencies:
- dependency-name: shell-quote
  dependency-version: 1.8.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 package-lock.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 8bec035241..3dbf893e38 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -21492,9 +21492,9 @@
             }
         },
         "node_modules/shell-quote": {
-            "version": "1.8.3",
-            "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.3.tgz",
-            "integrity": "sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw==",
+            "version": "1.8.4",
+            "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.4.tgz",
+            "integrity": "sha512-VsC6n6vz1ihYYyZZwX7YZSF5l5x36ca17OC+a69h94YqB7X6XLwf+5MOgynYir2SLFUbl8gIYvBo8K8RoNQ6bQ==",
             "license": "MIT",
             "engines": {
                 "node": ">= 0.4"

From e7f30a8f0a932efab4013ee50696472b94cf9a4f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 10 Jun 2026 16:45:48 +0200
Subject: [PATCH 40/68] web: bump shell-quote from 1.8.3 to 1.8.4 in /web
 (#22958)

Bumps [shell-quote](https://github.com/ljharb/shell-quote) from 1.8.3 to 1.8.4.
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ljharb/shell-quote/compare/v1.8.3...v1.8.4)

---
updated-dependencies:
- dependency-name: shell-quote
  dependency-version: 1.8.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 web/package-lock.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/web/package-lock.json b/web/package-lock.json
index 677a016272..d674204649 100644
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -17184,9 +17184,9 @@
             }
         },
         "node_modules/shell-quote": {
-            "version": "1.8.3",
-            "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.3.tgz",
-            "integrity": "sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw==",
+            "version": "1.8.4",
+            "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.4.tgz",
+            "integrity": "sha512-VsC6n6vz1ihYYyZZwX7YZSF5l5x36ca17OC+a69h94YqB7X6XLwf+5MOgynYir2SLFUbl8gIYvBo8K8RoNQ6bQ==",
             "license": "MIT",
             "engines": {
                 "node": ">= 0.4"

From f92cf047b34b4635b81a0dc8af58e7c99839255d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 10 Jun 2026 16:57:36 +0200
Subject: [PATCH 41/68] core: bump cryptography from 48.0.0 to 48.0.1 (#22972)

Bumps [cryptography](https://github.com/pyca/cryptography) from 48.0.0 to 48.0.1.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/48.0.0...48.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 48.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pyproject.toml |  2 +-
 uv.lock        | 90 +++++++++++++++++++++++++-------------------------
 2 files changed, 46 insertions(+), 46 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index dff9bf08c9..aeca2ac862 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -9,7 +9,7 @@ dependencies = [
   "argon2-cffi==25.1.0",
   "cachetools==7.1.4",
   "channels==4.3.2",
-  "cryptography==48.0.0",
+  "cryptography==48.0.1",
   "dacite==1.9.2",
   "deepmerge==2.0",
   "defusedxml==0.7.1",
diff --git a/uv.lock b/uv.lock
index d0c175584f..78ff68f75f 100644
--- a/uv.lock
+++ b/uv.lock
@@ -365,7 +365,7 @@ requires-dist = [
     { name = "argon2-cffi", specifier = "==25.1.0" },
     { name = "cachetools", specifier = "==7.1.4" },
     { name = "channels", specifier = "==4.3.2" },
-    { name = "cryptography", specifier = "==48.0.0" },
+    { name = "cryptography", specifier = "==48.0.1" },
     { name = "dacite", specifier = "==1.9.2" },
     { name = "deepmerge", specifier = "==2.0" },
     { name = "defusedxml", specifier = "==0.7.1" },
@@ -964,55 +964,55 @@ wheels = [
 
 [[package]]
 name = "cryptography"
-version = "48.0.0"
+version = "48.0.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "cffi", marker = "platform_python_implementation != 'PyPy'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/9f/a9/db8f313fdcd85d767d4973515e1db101f9c71f95fced83233de224673757/cryptography-48.0.0.tar.gz", hash = "sha256:5c3932f4436d1cccb036cb0eaef46e6e2db91035166f1ad6505c3c9d5a635920", size = 832984, upload-time = "2026-05-04T22:59:38.133Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/12/45/870e7f4bef50e5f53b9f51d4428aee5290eedf58ba443f16b1ebb7ab8e66/cryptography-48.0.1.tar.gz", hash = "sha256:266f4ee051abb2f725b74ef8072b521ce1feacf685a3364fa6a6b45548db791a", size = 832989, upload-time = "2026-06-09T22:32:31.8Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/df/3d/01f6dd9190170a5a241e0e98c2d04be3664a9e6f5b9b872cde63aff1c3dd/cryptography-48.0.0-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:0c558d2cdffd8f4bbb30fc7134c74d2ca9a476f830bb053074498fbc86f41ed6", size = 8001587, upload-time = "2026-05-04T22:57:36.803Z" },
-    { url = "https://files.pythonhosted.org/packages/b2/6e/e90527eef33f309beb811cf7c982c3aeffcce8e3edb178baa4ca3ae4a6fa/cryptography-48.0.0-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:f5333311663ea94f75dd408665686aaf426563556bb5283554a3539177e03b8c", size = 4690433, upload-time = "2026-05-04T22:57:40.373Z" },
-    { url = "https://files.pythonhosted.org/packages/90/04/673510ed51ddff56575f306cf1617d80411ee76831ccd3097599140efdfe/cryptography-48.0.0-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:7995ef305d7165c3f11ae07f2517e5a4f1d5c18da1376a0a9ed496336b69e5f3", size = 4710620, upload-time = "2026-05-04T22:57:42.935Z" },
-    { url = "https://files.pythonhosted.org/packages/14/d5/e9c4ef932c8d800490c34d8bd589d64a31d5890e27ec9e9ad532be893294/cryptography-48.0.0-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:40ba1f85eaa6959837b1d51c9767e230e14612eea4ef110ee8854ada22da1bf5", size = 4696283, upload-time = "2026-05-04T22:57:45.294Z" },
-    { url = "https://files.pythonhosted.org/packages/0c/29/174b9dfb60b12d59ecfc6cfa04bc88c21b42a54f01b8aae09bb6e51e4c7f/cryptography-48.0.0-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:369a6348999f94bbd53435c894377b20ab95f25a9065c283570e70150d8abc3c", size = 5296573, upload-time = "2026-05-04T22:57:47.933Z" },
-    { url = "https://files.pythonhosted.org/packages/95/38/0d29a6fd7d0d1373f0c0c88a04ba20e359b257753ac497564cd660fc1d55/cryptography-48.0.0-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:a0e692c683f4df67815a2d258b324e66f4738bd7a96a218c826dce4f4bd05d8f", size = 4743677, upload-time = "2026-05-04T22:57:50.067Z" },
-    { url = "https://files.pythonhosted.org/packages/30/be/eef653013d5c63b6a490529e0316f9ac14a37602965d4903efed1399f32b/cryptography-48.0.0-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:18349bbc56f4743c8b12dc32e2bccb2cf83ee8b69a3bba74ef8ae857e26b3d25", size = 4330808, upload-time = "2026-05-04T22:57:52.301Z" },
-    { url = "https://files.pythonhosted.org/packages/84/9e/500463e87abb7a0a0f9f256ec21123ecde0a7b5541a15e840ea54551fd81/cryptography-48.0.0-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:7e8eac43dfca5c4cccc6dad9a80504436fca53bb9bc3100a2386d730fbe6b602", size = 4695941, upload-time = "2026-05-04T22:57:54.603Z" },
-    { url = "https://files.pythonhosted.org/packages/e3/dc/7303087450c2ec9e7fbb750e17c2abfbc658f23cbd0e54009509b7cc4091/cryptography-48.0.0-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9ccdac7d40688ecb5a3b4a604b8a88c8002e3442d6c60aead1db2a89a041560c", size = 5252579, upload-time = "2026-05-04T22:57:57.207Z" },
-    { url = "https://files.pythonhosted.org/packages/d0/c0/7101d3b7215edcdc90c45da544961fd8ed2d6448f77577460fa75a8443f7/cryptography-48.0.0-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:bd72e68b06bb1e96913f97dd4901119bc17f39d4586a5adf2d3e47bc2b9d58b5", size = 4743326, upload-time = "2026-05-04T22:57:59.535Z" },
-    { url = "https://files.pythonhosted.org/packages/ac/d8/5b833bad13016f562ab9d063d68199a4bd121d18458e439515601d3357ec/cryptography-48.0.0-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:59baa2cb386c4f0b9905bd6eb4c2a79a69a128408fd31d32ca4d7102d4156321", size = 4826672, upload-time = "2026-05-04T22:58:01.996Z" },
-    { url = "https://files.pythonhosted.org/packages/98/e1/7074eb8bf3c135558c73fc2bcf0f5633f912e6fb87e868a55c454080ef09/cryptography-48.0.0-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:9249e3cd978541d665967ac2cb2787fd6a62bddf1e75b3e347a594d7dacf4f74", size = 4972574, upload-time = "2026-05-04T22:58:03.968Z" },
-    { url = "https://files.pythonhosted.org/packages/04/70/e5a1b41d325f797f39427aa44ef8baf0be500065ab6d8e10369d850d4a4f/cryptography-48.0.0-cp311-abi3-win32.whl", hash = "sha256:9c459db21422be75e2809370b829a87eb37f74cd785fc4aa9ea1e5f43b47cda4", size = 3294868, upload-time = "2026-05-04T22:58:06.467Z" },
-    { url = "https://files.pythonhosted.org/packages/f4/ac/8ac51b4a5fc5932eb7ee5c517ba7dc8cd834f0048962b6b352f00f41ebf9/cryptography-48.0.0-cp311-abi3-win_amd64.whl", hash = "sha256:5b012212e08b8dd5edc78ef54da83dd9892fd9105323b3993eff6bea65dc21d7", size = 3817107, upload-time = "2026-05-04T22:58:08.845Z" },
-    { url = "https://files.pythonhosted.org/packages/6b/84/70e3feea9feea87fd7cbe77efb2712ae1e3e6edf10749dc6e95f4e60e455/cryptography-48.0.0-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:3cb07a3ed6431663cd321ea8a000a1314c74211f823e4177fefa2255e057d1ec", size = 7986556, upload-time = "2026-05-04T22:58:11.172Z" },
-    { url = "https://files.pythonhosted.org/packages/89/6e/18e07a618bb5442ba10cf4df16e99c071365528aa570dfcb8c02e25a303b/cryptography-48.0.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:8c7378637d7d88016fa6791c159f698b3d3eed28ebf844ac36b9dc04a14dae18", size = 4684776, upload-time = "2026-05-04T22:58:13.712Z" },
-    { url = "https://files.pythonhosted.org/packages/be/6a/4ea3b4c6c6759794d5ee2103c304a5076dc4b19ae1f9fe47dba439e159e9/cryptography-48.0.0-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:cc90c0b39b2e3c65ef52c804b72e3c58f8a04ab2a1871272798e5f9572c17d20", size = 4698121, upload-time = "2026-05-04T22:58:16.448Z" },
-    { url = "https://files.pythonhosted.org/packages/2f/59/6ff6ad6cae03bb887da2a5860b2c9805f8dac969ef01ce563336c49bd1d1/cryptography-48.0.0-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:76341972e1eff8b4bea859f09c0d3e64b96ce931b084f9b9b7db8ef364c30eff", size = 4690042, upload-time = "2026-05-04T22:58:18.544Z" },
-    { url = "https://files.pythonhosted.org/packages/ca/b4/fc334ed8cfd705aca282fe4d8f5ae64a8e0f74932e9feecb344610cf6e4d/cryptography-48.0.0-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:55b7718303bf06a5753dcdccf2f3945cf18ad7bffde41b61226e4db31ab89a9c", size = 5282526, upload-time = "2026-05-04T22:58:20.75Z" },
-    { url = "https://files.pythonhosted.org/packages/11/08/9f8c5386cc4cd90d8255c7cdd0f5baf459a08502a09de30dc51f553d38dc/cryptography-48.0.0-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:a64697c641c7b1b2178e573cbc31c7c6684cd56883a478d75143dbb7118036db", size = 4733116, upload-time = "2026-05-04T22:58:23.627Z" },
-    { url = "https://files.pythonhosted.org/packages/b8/77/99307d7574045699f8805aa500fa0fb83422d115b5400a064ddd306d7750/cryptography-48.0.0-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:561215ea3879cb1cbbf272867e2efda62476f240fb58c64de6b393ae19246741", size = 4316030, upload-time = "2026-05-04T22:58:25.581Z" },
-    { url = "https://files.pythonhosted.org/packages/fd/36/a608b98337af3cb2aff4818e406649d30572b7031918b04c87d979495348/cryptography-48.0.0-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:ad64688338ed4bc1a6618076ba75fd7194a5f1797ac60b47afe926285adb3166", size = 4689640, upload-time = "2026-05-04T22:58:27.747Z" },
-    { url = "https://files.pythonhosted.org/packages/dd/a6/825010a291b4438aecc1f568bc428189fc1175515223632477c07dc0a6df/cryptography-48.0.0-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:906cbf0670286c6e0044156bc7d4af9cbb0ef6db9f73e52c3ec56ba6bdde5336", size = 5237657, upload-time = "2026-05-04T22:58:29.848Z" },
-    { url = "https://files.pythonhosted.org/packages/b9/09/4e76a09b4caa29aad535ddc806f5d4c5d01885bd978bd984fbc6ca032cae/cryptography-48.0.0-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:ea8990436d914540a40ab24b6a77c0969695ed52f4a4874c5137ccf7045a7057", size = 4732362, upload-time = "2026-05-04T22:58:32.009Z" },
-    { url = "https://files.pythonhosted.org/packages/18/78/444fa04a77d0cb95f417dda20d450e13c56ba8e5220fc892a1658f44f882/cryptography-48.0.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:c18684a7f0cc9a3cb60328f496b8e3372def7c5d2df39ac267878b05565aaaae", size = 4819580, upload-time = "2026-05-04T22:58:34.254Z" },
-    { url = "https://files.pythonhosted.org/packages/38/85/ea67067c70a1fd4be2c63d35eeed82658023021affccc7b17705f8527dd2/cryptography-48.0.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:9be5aafa5736574f8f15f262adc81b2a9869e2cfe9014d52a44633905b40d52c", size = 4963283, upload-time = "2026-05-04T22:58:36.376Z" },
-    { url = "https://files.pythonhosted.org/packages/75/54/cc6d0f3deac3e81c7f847e8a189a12b6cdd65059b43dad25d4316abd849a/cryptography-48.0.0-cp314-cp314t-win32.whl", hash = "sha256:c17dfe85494deaeddc5ce251aebd1d60bbe6afc8b62071bb0b469431a000124f", size = 3270954, upload-time = "2026-05-04T22:58:38.791Z" },
-    { url = "https://files.pythonhosted.org/packages/49/67/cc947e288c0758a4e5473d1dcb743037ab7785541265a969240b8885441a/cryptography-48.0.0-cp314-cp314t-win_amd64.whl", hash = "sha256:27241b1dc9962e056062a8eef1991d02c3a24569c95975bd2322a8a52c6e5e12", size = 3797313, upload-time = "2026-05-04T22:58:40.746Z" },
-    { url = "https://files.pythonhosted.org/packages/f2/63/61d4a4e1c6b6bab6ce1e213cd36a24c415d90e76d78c5eb8577c5541d2e8/cryptography-48.0.0-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:58d00498e8933e4a194f3076aee1b4a97dfec1a6da444535755822fe5d8b0b86", size = 7983482, upload-time = "2026-05-04T22:58:43.769Z" },
-    { url = "https://files.pythonhosted.org/packages/d5/ac/f5b5995b87770c693e2596559ffafe195b4033a57f14a82268a2842953f3/cryptography-48.0.0-cp39-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:614d0949f4790582d2cc25553abd09dd723025f0c0e7c67376a1d77196743d6e", size = 4683266, upload-time = "2026-05-04T22:58:46.064Z" },
-    { url = "https://files.pythonhosted.org/packages/ec/c6/8b14f67e18338fbc4adb76f66c001f5c3610b3e2d1837f268f47a347dbbb/cryptography-48.0.0-cp39-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:7ce4bfae76319a532a2dc68f82cc32f5676ee792a983187dac07183690e5c66f", size = 4696228, upload-time = "2026-05-04T22:58:48.22Z" },
-    { url = "https://files.pythonhosted.org/packages/ea/73/f808fbae9514bd91b47875b003f13e284c8c6bdfd904b7944e803937eec1/cryptography-48.0.0-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:2eb992bbd4661238c5a397594c83f5b4dc2bc5b848c365c8f991b6780efcc5c7", size = 4689097, upload-time = "2026-05-04T22:58:50.9Z" },
-    { url = "https://files.pythonhosted.org/packages/93/01/d86632d7d28db8ae83221995752eeb6639ffb374c2d22955648cf8d52797/cryptography-48.0.0-cp39-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:22a5cb272895dce158b2cacdfdc3debd299019659f42947dbdac6f32d68fe832", size = 5283582, upload-time = "2026-05-04T22:58:53.017Z" },
-    { url = "https://files.pythonhosted.org/packages/02/e1/50edc7a50334807cc4791fc4a0ce7468b4a1416d9138eab358bfc9a3d70b/cryptography-48.0.0-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:2b4d59804e8408e2fea7d1fbaf218e5ec984325221db76e6a241a9abd6cdd95c", size = 4730479, upload-time = "2026-05-04T22:58:55.611Z" },
-    { url = "https://files.pythonhosted.org/packages/6f/af/99a582b1b1641ff5911ac559beb45097cf79efd4ead4657f578ef1af2d47/cryptography-48.0.0-cp39-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:984a20b0f62a26f48a3396c72e4bc34c66e356d356bf370053066b3b6d54634a", size = 4326481, upload-time = "2026-05-04T22:58:57.607Z" },
-    { url = "https://files.pythonhosted.org/packages/90/ee/89aa26a06ef0a7d7611788ffd571a7c50e368cc6a4d5eef8b4884e866edb/cryptography-48.0.0-cp39-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:5a5ed8fde7a1d09376ca0b40e68cd59c69fe23b1f9768bd5824f54681626032a", size = 4688713, upload-time = "2026-05-04T22:59:00.077Z" },
-    { url = "https://files.pythonhosted.org/packages/70/ba/bcb1b0bb7a33d4c7c0c4d4c7874b4a62ae4f56113a5f4baefa362dfb1f0f/cryptography-48.0.0-cp39-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:8cd666227ef7af430aa5914a9910e0ddd703e75f039cef0825cd0da71b6b711a", size = 5238165, upload-time = "2026-05-04T22:59:02.317Z" },
-    { url = "https://files.pythonhosted.org/packages/c9/70/ca4003b1ce5ca3dc3186ada51908c8a9b9ff7d5cab83cc0d43ee14ec144f/cryptography-48.0.0-cp39-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:9071196d81abc88b3516ac8cdfad32e2b66dd4a5393a8e68a961e9161ddc6239", size = 4729947, upload-time = "2026-05-04T22:59:05.255Z" },
-    { url = "https://files.pythonhosted.org/packages/44/a0/4ec7cf774207905aef1a8d11c3750d5a1db805eb380ee4e16df317870128/cryptography-48.0.0-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:1e2d54c8be6152856a36f0882ab231e70f8ec7f14e93cf87db8a2ed056bf160c", size = 4822059, upload-time = "2026-05-04T22:59:07.802Z" },
-    { url = "https://files.pythonhosted.org/packages/1e/75/a2e55f99c16fcac7b5d6c1eb19ad8e00799854d6be5ca845f9259eae1681/cryptography-48.0.0-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a5da777e32ffed6f85a7b2b3f7c5cbc88c146bfcd0a1d7baf5fcc6c52ee35dd4", size = 4960575, upload-time = "2026-05-04T22:59:09.851Z" },
-    { url = "https://files.pythonhosted.org/packages/b8/23/6e6f32143ab5d8b36ca848a502c4bcd477ae75b9e1677e3530d669062578/cryptography-48.0.0-cp39-abi3-win32.whl", hash = "sha256:77a2ccbbe917f6710e05ba9adaa25fb5075620bf3ea6fb751997875aff4ae4bd", size = 3279117, upload-time = "2026-05-04T22:59:12.019Z" },
-    { url = "https://files.pythonhosted.org/packages/9d/9a/0fea98a70cf1749d41d738836f6349d97945f7c89433a259a6c2642eefeb/cryptography-48.0.0-cp39-abi3-win_amd64.whl", hash = "sha256:16cd65b9330583e4619939b3a3843eec1e6e789744bb01e7c7e2e62e33c239c8", size = 3792100, upload-time = "2026-05-04T22:59:14.884Z" },
+    { url = "https://files.pythonhosted.org/packages/1b/bc/ee4137cbbe105652c0ee4252792b78fc8e7afa4b8e61d9d5dc05a7f45731/cryptography-48.0.1-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:3e4a1a3232eef2e6c732827d5722db29a0cc8b27af2a4d865b094cf954be9ca1", size = 8008324, upload-time = "2026-06-09T22:31:00.702Z" },
+    { url = "https://files.pythonhosted.org/packages/d5/85/6379d42181bfc713094f081360fc5784d6c816b599d45e7f082502d173ce/cryptography-48.0.1-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:32143b24adb918f078134e1e230f1eb8cc04886b92c28b5f0041aaf3e5699225", size = 4696243, upload-time = "2026-06-09T22:32:33.446Z" },
+    { url = "https://files.pythonhosted.org/packages/9c/87/c85d147b53323c7eb4d850920c8901377323c2a0ff8d79c262d4fee89aa2/cryptography-48.0.1-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:f0d27a5696721ef7a672b8c810f6aded391058e0b9486e63e6d93baf765da691", size = 4713235, upload-time = "2026-06-09T22:31:40.141Z" },
+    { url = "https://files.pythonhosted.org/packages/79/58/67cbf8cf1ee7c54b439ca07bbecf8362c07afc11a3724fea70f745784add/cryptography-48.0.1-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:eb86ce1af36fe65041b6db9a8bb064ee621a7e5fded0f80d475ec243477cd242", size = 4702323, upload-time = "2026-06-09T22:31:42.191Z" },
+    { url = "https://files.pythonhosted.org/packages/89/c6/24266ac10c47f6cd2a865f4446062b466da1d1f10b27189eac00e61bf0c9/cryptography-48.0.1-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:b024e784ad6c077ee0147b35ea9cbfc1e34e1fd4c1dcca214c2794d73a12df08", size = 5300085, upload-time = "2026-06-09T22:31:58.703Z" },
+    { url = "https://files.pythonhosted.org/packages/d2/bb/cc4b78784f97efc8c5874c2a9743708d172be6663024b34a0467885ae0c8/cryptography-48.0.1-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:3752f2dbc8f07a30aad2932c986cea495b03bb554887828225da104f732852b6", size = 4746137, upload-time = "2026-06-09T22:31:31.01Z" },
+    { url = "https://files.pythonhosted.org/packages/1f/52/0c44de3f5267f8fbe8e835138017522a333436166e406f0db9b9e6e3033f/cryptography-48.0.1-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:bd81490cd5801d755cf97bb68ac191f14b708470b1c7cf4580f669b9c9264cd8", size = 4333867, upload-time = "2026-06-09T22:32:28.096Z" },
+    { url = "https://files.pythonhosted.org/packages/9a/2e/772d7adbfa931537bc401640b7cac9976bff689bda187833e5d63b428e49/cryptography-48.0.1-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:66fd0771e7b9c6dcd44cf1120690d2338d16d72795cf40cae2786a39eba65429", size = 4701805, upload-time = "2026-06-09T22:31:38.284Z" },
+    { url = "https://files.pythonhosted.org/packages/f8/a3/b06844f303873493c963caf581c04df31c7035e0c1b0f02c4814d319ec80/cryptography-48.0.1-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:3fd2ca57062b241c856670b073487d2e86c4637937ca5601e48f97bf8e11fc8f", size = 5258461, upload-time = "2026-06-09T22:31:04.187Z" },
+    { url = "https://files.pythonhosted.org/packages/9f/13/8b765e2e12b07c74941caadb9d1c8fdc006c4dfbf2b8f2d610519758954d/cryptography-48.0.1-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:0ee6ea481db1ab889cba043ec1eda17bb9c1ea79db6722f779c3667f9f70322f", size = 4745488, upload-time = "2026-06-09T22:32:30.07Z" },
+    { url = "https://files.pythonhosted.org/packages/2e/aa/48972bce55049b32a94f4907eda4d75fa385aad8a39506cc2fc72196ecf0/cryptography-48.0.1-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:f2ceef93cb096aa3c4cc4b5c94ca6131f9196d28c64d6111533402a9b2054d41", size = 4830256, upload-time = "2026-06-09T22:31:43.868Z" },
+    { url = "https://files.pythonhosted.org/packages/47/a2/e5079a032fb85cf6005046ca92bbd78b0c82dad2b5751ab8c311659da06f/cryptography-48.0.1-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:9bd3f92d76217892b15df84ca256c2c113d386fdda7a7d8691aeeced976507c6", size = 4979117, upload-time = "2026-06-09T22:31:05.845Z" },
+    { url = "https://files.pythonhosted.org/packages/b7/a0/8f50cae9c74e718ed769d63ed5c74bd0ea830c9550a74629cebd1b9c7bc7/cryptography-48.0.1-cp311-abi3-win32.whl", hash = "sha256:b9a32b876490d66c8bcc9963ef220199569748434ab01a9d6aaeabf88e7f5158", size = 3304154, upload-time = "2026-06-09T22:32:16.845Z" },
+    { url = "https://files.pythonhosted.org/packages/c5/69/0572c77dbace6fef72f33755bd52ea399c71367250d366237f8691826b9e/cryptography-48.0.1-cp311-abi3-win_amd64.whl", hash = "sha256:39489bfca54c7a1f6b297efcd8bc608ab92d16c4ca631b0cad4da46724588b24", size = 3817138, upload-time = "2026-06-09T22:32:00.388Z" },
+    { url = "https://files.pythonhosted.org/packages/42/06/3e768b4c3bc78201583fa35a0e18f640dd782ff41afba88f8545481a8874/cryptography-48.0.1-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:f817adc181390bd54f2f700107a7419040fb7c1bdf2fc26f36551a06a68c3345", size = 7989830, upload-time = "2026-06-09T22:31:07.8Z" },
+    { url = "https://files.pythonhosted.org/packages/8a/13/6476736484b94041110c8340a3eb63962fea4975baea8cb4a512adb44d4d/cryptography-48.0.1-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:d5d30989c6917b478b5817902e85fddaea2261efa8648383d965381ccb9e1ac4", size = 4689201, upload-time = "2026-06-09T22:31:09.745Z" },
+    { url = "https://files.pythonhosted.org/packages/79/62/65a87f34d2a431546e2509b85d55e8c90df86d668f6731da64d538512ac2/cryptography-48.0.1-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:df637c05205ea7c1d7fbcbe54bbfea648a52951155f997af13d895d0ecc96991", size = 4702822, upload-time = "2026-06-09T22:32:24.409Z" },
+    { url = "https://files.pythonhosted.org/packages/7f/59/810b5204b0a9b10f4b6bc06bd551a8b609803cd931806bc3b71884b225e5/cryptography-48.0.1-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:869c3b8a53bfe27147832df48b32adadf558249d50e76cb3769d40e986b13265", size = 4694875, upload-time = "2026-06-09T22:32:08.737Z" },
+    { url = "https://files.pythonhosted.org/packages/24/dc/d8ca05ffea724eec6d232ea6f18e74c269eb6bdfdcc9bfba689790d1325f/cryptography-48.0.1-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:e361afba8918070d376df76f408a4f67fec0ee9cff81a99e48fe9a233ef59e17", size = 5290385, upload-time = "2026-06-09T22:31:15.212Z" },
+    { url = "https://files.pythonhosted.org/packages/03/8c/3be6cb4da181f5bb6c19cf560c2359d60644a6b5fc5b57854e528f47b296/cryptography-48.0.1-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:d069066deead00ac7f090be101be875a06855908f7ec004c27b8fefb4acfb411", size = 4737082, upload-time = "2026-06-09T22:32:22.66Z" },
+    { url = "https://files.pythonhosted.org/packages/aa/f6/d5f60a5a1434dbfd949e227fd0065d194c7e6b6ac526b17f5c06152b8231/cryptography-48.0.1-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:09f73a725d582cef64b91281a322cd798d14a33b2b6f2b7ad9531dc336d84c02", size = 4325328, upload-time = "2026-06-09T22:32:10.777Z" },
+    { url = "https://files.pythonhosted.org/packages/17/b7/ba75dd947a14b6ad907b01ae8f6b5b348cdd1b48142f0063dee9e20c1d9d/cryptography-48.0.1-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:15254441469dd6bf027039453288e2072124f8b6603563f5d759e1c9b69273fa", size = 4694530, upload-time = "2026-06-09T22:31:53.105Z" },
+    { url = "https://files.pythonhosted.org/packages/62/29/50d6b9e8aff12d8b67afaeb3569335e32dc83a5723e3bbded24fdac9f809/cryptography-48.0.1-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:8ace4507d1e6533c125f4fac754f8bb8b6a74c08e92179dabd7e16571a3efbf3", size = 5245046, upload-time = "2026-06-09T22:31:25.774Z" },
+    { url = "https://files.pythonhosted.org/packages/9f/04/618f4115cfc0add0838c82507aa18a346089428da8653ad38b3ff36f5cb3/cryptography-48.0.1-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:b4e391975f038e66432328639620a4aff2d307513b004f1ca06d6225bced815c", size = 4736660, upload-time = "2026-06-09T22:32:12.676Z" },
+    { url = "https://files.pythonhosted.org/packages/24/9c/06e062462a0de28a3b3911322eded4c16deb9f441b1b7575d3dc59488ab5/cryptography-48.0.1-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:42fcd8e26fe555d9b3577a135f5091fefa0aa4e99129c23fb56787a1bd4ada72", size = 4822229, upload-time = "2026-06-09T22:31:17.062Z" },
+    { url = "https://files.pythonhosted.org/packages/f4/be/0561971eaaee4b8a0e7d5113c536921063ab91aaf23278ac374eaf881e11/cryptography-48.0.1-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:c1400da5e32a43253392277eac7490a60e497d810a63dd5608d71bbd7af507c9", size = 4966364, upload-time = "2026-06-09T22:31:32.842Z" },
+    { url = "https://files.pythonhosted.org/packages/a4/27/728c77876f12b000820b69ae490f3c4083775e79e07827e9e60be07ad209/cryptography-48.0.1-cp314-cp314t-win32.whl", hash = "sha256:0df56b056bc17c1b7d6821dfa65216e62bd232d8ab05eb3db44e71d235651471", size = 3278498, upload-time = "2026-06-09T22:31:29.154Z" },
+    { url = "https://files.pythonhosted.org/packages/06/e3/79a612c6d7b1e6ee0edd43633d53035bec2cfb78c82b76f7864f39e36f34/cryptography-48.0.1-cp314-cp314t-win_amd64.whl", hash = "sha256:9de21387aa95e2a895823d0745b430bed4f33503ba9ab5e0b5311f33e37d66d2", size = 3798790, upload-time = "2026-06-09T22:31:56.697Z" },
+    { url = "https://files.pythonhosted.org/packages/ca/6c/00fa2a95997164c8b2072ce327c23d4ab20809ccc323ea5fab91e53a4bba/cryptography-48.0.1-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:4fdc69f8e4316bcf0c8c8ec1f26f285d12e8142d88d96c876a59a03be3f6ae67", size = 7987408, upload-time = "2026-06-09T22:32:20.777Z" },
+    { url = "https://files.pythonhosted.org/packages/b0/d9/45f309a7e4e5f3f8f121d6d3be9e94024a7726ec598d6e08ae04edb2f04d/cryptography-48.0.1-cp39-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:48fe40804d4caa2288f24e70ca8c64c42dd826da0ad7e4f1b41b2128d679e6c8", size = 4690196, upload-time = "2026-06-09T22:31:54.74Z" },
+    { url = "https://files.pythonhosted.org/packages/5f/9f/a1bc8bcc798811b8527eb374bbccf30a3f3e806829d967118222bf1125eb/cryptography-48.0.1-cp39-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:86be3b1b0b6bf09482fb50a979c508d2950ed95f5621ec77f4e385962006b83a", size = 4696782, upload-time = "2026-06-09T22:31:45.615Z" },
+    { url = "https://files.pythonhosted.org/packages/66/c2/81a4fb4e4373c500bb526bc337ac5719dd31dd15b970b84a238168c6aa08/cryptography-48.0.1-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:4ab0a343c807bbcd90c971cd1ecf072937cd01847a9e002bef88fb47ac6be577", size = 4696618, upload-time = "2026-06-09T22:31:11.564Z" },
+    { url = "https://files.pythonhosted.org/packages/e5/0b/aa68b221dde92d09cb29a024ede17550ee21e77a404e59fc093c82bb51e1/cryptography-48.0.1-cp39-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:9621de99d2da096006b629979efd8ae7eb2d8b822488d0c89ee4000c306c59b1", size = 5289970, upload-time = "2026-06-09T22:31:20.368Z" },
+    { url = "https://files.pythonhosted.org/packages/78/13/fba657f958d2af66ea959a4ba01212632089249d34af1ae48054136344d7/cryptography-48.0.1-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:88c852a0ae366e262e5a1744b685e6a433dc8788dd2a277e418bf4904203609d", size = 4731873, upload-time = "2026-06-09T22:31:22.253Z" },
+    { url = "https://files.pythonhosted.org/packages/4c/4c/9a964756d24a26b3e34dfcb16f961b89838786e6700b635b0d1e3adff4b6/cryptography-48.0.1-cp39-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:43c5835e2cb98c8733d86f57d6fc879b613f5c3478607281c3e36daffc6dd8a6", size = 4330804, upload-time = "2026-06-09T22:31:36.56Z" },
+    { url = "https://files.pythonhosted.org/packages/4b/0f/a10f3a6eb12950a10e3a874070283aa2dd5875b2bfd15fad8a3e17b3f13e/cryptography-48.0.1-cp39-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:fe0180af5bf9236518a087e35bf2d9a347d5f5f51e63c579d683ddff424e3d46", size = 4696217, upload-time = "2026-06-09T22:31:13.351Z" },
+    { url = "https://files.pythonhosted.org/packages/f3/6f/5cd12f951165ea73ef85266775d97e4c763b2474ccfd816dd69d3a18d6f8/cryptography-48.0.1-cp39-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:b7a2d1a937a738a881737cec135a38bb61470589b17515b9f73f571d0ae10401", size = 5245252, upload-time = "2026-06-09T22:32:02.193Z" },
+    { url = "https://files.pythonhosted.org/packages/68/ab/8aaa12e4516ec4464033ab79b6f3b592bd5a92102467c4ace8a0d970203f/cryptography-48.0.1-cp39-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:b74ca3b8e5ecdd833bf6a002ca41b4793bb27fb8f1c06ffaf2643c9e9140e31b", size = 4731388, upload-time = "2026-06-09T22:32:04.019Z" },
+    { url = "https://files.pythonhosted.org/packages/1b/24/50027ea4dca85ec1f40688f3c24fb32ccacd520583c9592c3cc95628e6fb/cryptography-48.0.1-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:2c37f2461406063b417837f5f3daab668652acd82423efcd7f0a9f04be972de1", size = 4824186, upload-time = "2026-06-09T22:32:18.707Z" },
+    { url = "https://files.pythonhosted.org/packages/52/41/04cb5eb17085ade6f50cc611fb657df6a0f5885350de8764ece89c050197/cryptography-48.0.1-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:86fe77abb1bd87afb251d4d02ada7ecf53a32cee9b67d976abb2e45a13297475", size = 4964539, upload-time = "2026-06-09T22:31:18.793Z" },
+    { url = "https://files.pythonhosted.org/packages/36/bf/ed70785c496e89d7e73b7cda2d21f2447fd6d4e821714b8d04ff217fed92/cryptography-48.0.1-cp39-abi3-win32.whl", hash = "sha256:6b2c0c3e6ccf3ade7750f836ef3ee36eea250cc467d45c256895573ac08cc6f1", size = 3282307, upload-time = "2026-06-09T22:30:53.162Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/ff/371ea7d252656ee1eb6d83eeeef3d1d0c6baf1d6497687d081ea03814670/cryptography-48.0.1-cp39-abi3-win_amd64.whl", hash = "sha256:9a49ca6c81417f6a5edb50375a60cccdd70fa0a91a5211829dbea74eba94d2ac", size = 3793408, upload-time = "2026-06-09T22:32:15.191Z" },
 ]
 
 [[package]]

From cc5ff4b94a25fc6589968f39bb16e046df87129d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 10 Jun 2026 16:57:41 +0200
Subject: [PATCH 42/68] core: bump goauthentik/fips-python from `dc515b7` to
 `ede0a00` in /lifecycle/container (#22971)

core: bump goauthentik/fips-python in /lifecycle/container

Bumps goauthentik/fips-python from `dc515b7` to `ede0a00`.

---
updated-dependencies:
- dependency-name: goauthentik/fips-python
  dependency-version: 3.14.5-slim-trixie-fips
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 lifecycle/container/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lifecycle/container/Dockerfile b/lifecycle/container/Dockerfile
index 188f1c47c1..3573c7d79c 100644
--- a/lifecycle/container/Dockerfile
+++ b/lifecycle/container/Dockerfile
@@ -118,7 +118,7 @@ RUN cat /root/.rustup/settings.toml
 # Stage: Download uv
 FROM ghcr.io/astral-sh/uv:0.11.19@sha256:b46b03ddfcfbf8f547af7e9eaefdf8a39c8cebcba7c98858d3162bd28cf536f6 AS uv
 # Stage: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.14.5-slim-trixie-fips@sha256:dc515b79d2c76d12adae52116c655f6cf3f8a217f88afa103278cf036bda8597 AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.14.5-slim-trixie-fips@sha256:ede0a006a873bfd3e66fd0e56827bc8e46ea75341e1a6a35dae6edd6ad6be691 AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \

From 4e021ff98dbb69b50d8a9b72765e546d6305a301 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 10 Jun 2026 16:57:46 +0200
Subject: [PATCH 43/68] web: bump @sentry/browser from 10.55.0 to 10.56.0 in
 /web in the sentry group across 1 directory (#22970)

web: bump @sentry/browser in /web in the sentry group across 1 directory

Bumps the sentry group with 1 update in the /web directory: [@sentry/browser](https://github.com/getsentry/sentry-javascript).


Updates `@sentry/browser` from 10.55.0 to 10.56.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](https://github.com/getsentry/sentry-javascript/compare/10.55.0...10.56.0)

---
updated-dependencies:
- dependency-name: "@sentry/browser"
  dependency-version: 10.56.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: sentry
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 web/package-lock.json | 60 +++++++++++++++++++++----------------------
 web/package.json      |  2 +-
 2 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/web/package-lock.json b/web/package-lock.json
index d674204649..5ce5d55e2f 100644
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -44,7 +44,7 @@
                 "@patternfly/elements": "^4.4.0",
                 "@patternfly/patternfly": "^4.224.2",
                 "@playwright/test": "^1.60.0",
-                "@sentry/browser": "^10.55.0",
+                "@sentry/browser": "^10.56.0",
                 "@storybook/addon-docs": "^10.4.2",
                 "@storybook/addon-links": "^10.4.2",
                 "@storybook/web-components": "^10.4.2",
@@ -3838,75 +3838,75 @@
             "license": "MIT"
         },
         "node_modules/@sentry-internal/browser-utils": {
-            "version": "10.55.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-10.55.0.tgz",
-            "integrity": "sha512-zUvyBr13EK0evKsSTzwSimRzZ3P9kugS32dLCj3ea5gNN+/DFtU/GsMTdcIQDhusEDraIlH17AGgqJH5gUAv5w==",
+            "version": "10.56.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-10.56.0.tgz",
+            "integrity": "sha512-I8tZWAFg8SZpD8BFUpglEtSTzhZjacmcThB5/Mlq/iFiiT8mBPG4ZWDWssSfmIBKvZywJZJ83uDA0+uiJU73Tw==",
             "license": "MIT",
             "dependencies": {
-                "@sentry/core": "10.55.0"
+                "@sentry/core": "10.56.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/feedback": {
-            "version": "10.55.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-10.55.0.tgz",
-            "integrity": "sha512-32X9WW1xs5DjCRlp89QJ/PLw4kbTIX6MsBDXN2RBN1nWBjm/2WcwXqO/v/WoIS4W2kTWXcZnQwalLSI22Fp33A==",
+            "version": "10.56.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-10.56.0.tgz",
+            "integrity": "sha512-fkRR9JroESTIlErkht3OrH4DXKd/DbPozr2KLdX7boMo31hPu4cL9fuqzwOrwyDPRq9B4j+qEgIWB8JrTbgvmg==",
             "license": "MIT",
             "dependencies": {
-                "@sentry/core": "10.55.0"
+                "@sentry/core": "10.56.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/replay": {
-            "version": "10.55.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-10.55.0.tgz",
-            "integrity": "sha512-OkQpANGwYU5UKfwLk6Y+NpESRC8nrLBjawRDLwF6cJ8HpNScOuNNJDEJEGwXHVkJPH0pcIixsH8y0Qfcltq6Xw==",
+            "version": "10.56.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-10.56.0.tgz",
+            "integrity": "sha512-DjF09hpy3TF7Km/kOZc73YJmBqcbPCxuZ5rtRs+KtVHu3Vq48xeW83qKUcFEZv20ur9UD99OAJ/gaEt//1Qbwg==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/browser-utils": "10.55.0",
-                "@sentry/core": "10.55.0"
+                "@sentry-internal/browser-utils": "10.56.0",
+                "@sentry/core": "10.56.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/replay-canvas": {
-            "version": "10.55.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-10.55.0.tgz",
-            "integrity": "sha512-lu/y7k9cK7FZ/qJpL0fBX4WqK6IFa/+bTPhedEaC5UpzjUNP7BfXt0H+R7q9CHWmp20Ffh/wGfO3j7O+Tv2MAA==",
+            "version": "10.56.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-10.56.0.tgz",
+            "integrity": "sha512-SDg2K0CAZT/TnhrixQGwXoi6ZsWUB+DQy3UUk0bSQm6c/5k5zFBpGOiughQN+DYsDilKREfPKmUEEnqvUjm1HQ==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/replay": "10.55.0",
-                "@sentry/core": "10.55.0"
+                "@sentry-internal/replay": "10.56.0",
+                "@sentry/core": "10.56.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry/browser": {
-            "version": "10.55.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-10.55.0.tgz",
-            "integrity": "sha512-5n1kxmW1m4j16ZDV9kt+Zo5uafFnKTy7s5YyEcGnC45KnOiO1Gy+QFd3woXns1K5GNxpjF7oOOc6tXgZLuXnQQ==",
+            "version": "10.56.0",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-10.56.0.tgz",
+            "integrity": "sha512-80X3NmsGB6tLmfzXYdjzWWdVAdL5CRukGKLcRWIcNhgGjtskOmnzaGb93egEZGI5bUTbtONJ0oyscQ3Z9yoAtQ==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/browser-utils": "10.55.0",
-                "@sentry-internal/feedback": "10.55.0",
-                "@sentry-internal/replay": "10.55.0",
-                "@sentry-internal/replay-canvas": "10.55.0",
-                "@sentry/core": "10.55.0"
+                "@sentry-internal/browser-utils": "10.56.0",
+                "@sentry-internal/feedback": "10.56.0",
+                "@sentry-internal/replay": "10.56.0",
+                "@sentry-internal/replay-canvas": "10.56.0",
+                "@sentry/core": "10.56.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry/core": {
-            "version": "10.55.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-10.55.0.tgz",
-            "integrity": "sha512-XUyoNtDSYCvgJnoNzlh+YeAXfIPhCRIXbhWqqM3GQ3AFtZICi85lkyfsrwXEl9wzlPGYnU+Eg8F4tOfScx+FcQ==",
+            "version": "10.56.0",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-10.56.0.tgz",
+            "integrity": "sha512-L+u1dIz5SANrmST5jhIwETtt4apILgKrylv12X4hKJU0PvZl+NorjeV/ty3MwzpKQPg6b6q6qMOSLc1rLpy3iQ==",
             "license": "MIT",
             "engines": {
                 "node": ">=18"
diff --git a/web/package.json b/web/package.json
index 170f5f21ed..39563a776b 100644
--- a/web/package.json
+++ b/web/package.json
@@ -119,7 +119,7 @@
         "@patternfly/elements": "^4.4.0",
         "@patternfly/patternfly": "^4.224.2",
         "@playwright/test": "^1.60.0",
-        "@sentry/browser": "^10.55.0",
+        "@sentry/browser": "^10.56.0",
         "@storybook/addon-docs": "^10.4.2",
         "@storybook/addon-links": "^10.4.2",
         "@storybook/web-components": "^10.4.2",

From 3f3903b44214b15ec19635c622c7b1f9ca5a1195 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 10 Jun 2026 16:57:51 +0200
Subject: [PATCH 44/68] core: bump github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0
 (#22969)

Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.9.2 to 5.10.0.
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](https://github.com/jackc/pgx/compare/v5.9.2...v5.10.0)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index d67faa054c..1cfb5ba50a 100644
--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,7 @@ require (
 	github.com/gorilla/sessions v1.4.0
 	github.com/gorilla/websocket v1.5.3
 	github.com/grafana/pyroscope-go v1.3.1
-	github.com/jackc/pgx/v5 v5.9.2
+	github.com/jackc/pgx/v5 v5.10.0
 	github.com/jellydator/ttlcache/v3 v3.4.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
diff --git a/go.sum b/go.sum
index a09f0ff659..c184cdecb7 100644
--- a/go.sum
+++ b/go.sum
@@ -119,8 +119,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
-github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
+github.com/jackc/pgx/v5 v5.10.0 h1:VhSvgU2jSli8o3AqIEOTJr7rZwAEUVo4E4XhR94Zfr0=
+github.com/jackc/pgx/v5 v5.10.0/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=

From 226c69d213cd373e7f609d26806faccba98ee250 Mon Sep 17 00:00:00 2001
From: Dominic R <dominic@goauthentik.io>
Date: Wed, 10 Jun 2026 12:31:48 -0400
Subject: [PATCH 45/68] core, web: Remove stale compatibility paths (#22192)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Remove stale compatibility paths

* fix schema

* should have vibecoded this

---------

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
---
 .../tests/fixtures/conditional_fields.yaml    |  2 +-
 authentik/events/apps.py                      |  7 ------
 authentik/events/logs.py                      |  9 --------
 authentik/sources/oauth/apps.py               |  1 -
 .../0014_migrate_azuread_to_entraid.py        | 23 +++++++++++++++++++
 authentik/sources/oauth/models.py             | 11 ---------
 authentik/sources/oauth/types/azure_ad.py     | 17 --------------
 blueprints/schema.json                        |  3 +--
 .../client-ts/src/models/ProviderTypeEnum.ts  |  3 +--
 schema.yml                                    |  3 +--
 .../sources/oauth/OAuthSourceViewPage.ts      |  2 --
 .../AuthenticatorValidateStageForm.ts         |  9 --------
 12 files changed, 27 insertions(+), 63 deletions(-)
 create mode 100644 authentik/sources/oauth/migrations/0014_migrate_azuread_to_entraid.py
 delete mode 100644 authentik/sources/oauth/types/azure_ad.py

diff --git a/authentik/blueprints/tests/fixtures/conditional_fields.yaml b/authentik/blueprints/tests/fixtures/conditional_fields.yaml
index 4e87f5f155..481454f4b4 100644
--- a/authentik/blueprints/tests/fixtures/conditional_fields.yaml
+++ b/authentik/blueprints/tests/fixtures/conditional_fields.yaml
@@ -31,7 +31,7 @@ entries:
         slug: "%(uid)s-source"
       attrs:
         name: "%(uid)s-source"
-        provider_type: azuread
+        provider_type: entraid
         consumer_key: "%(uid)s"
         consumer_secret: "%(uid)s"
         icon: https://goauthentik.io/img/icon.png
diff --git a/authentik/events/apps.py b/authentik/events/apps.py
index ccca6df76b..df77288763 100644
--- a/authentik/events/apps.py
+++ b/authentik/events/apps.py
@@ -7,13 +7,6 @@ from authentik.lib.config import CONFIG, ENV_PREFIX
 from authentik.lib.utils.time import fqdn_rand
 from authentik.tasks.schedules.common import ScheduleSpec
 
-# TODO: Deprecated metric - remove in 2024.2 or later
-GAUGE_TASKS = Gauge(
-    "authentik_system_tasks",
-    "System tasks and their status",
-    ["tenant", "task_name", "task_uid", "status"],
-)
-
 SYSTEM_TASK_TIME = Histogram(
     "authentik_system_tasks_time_seconds",
     "Runtime of system tasks",
diff --git a/authentik/events/logs.py b/authentik/events/logs.py
index 09b8148283..bcf665fc44 100644
--- a/authentik/events/logs.py
+++ b/authentik/events/logs.py
@@ -49,15 +49,6 @@ class LogEventSerializer(PassiveSerializer):
     event = CharField()
     attributes = DictField()
 
-    # TODO(2024.6?): This is a migration helper to return a correct API response for logs that
-    # have been saved in an older format (mostly just list[str] with just the messages)
-    def to_representation(self, instance):
-        if isinstance(instance, str):
-            instance = LogEvent(instance, "", "")
-        elif isinstance(instance, list):
-            instance = [LogEvent(x, "", "") for x in instance]
-        return super().to_representation(instance)
-
 
 @contextmanager
 def capture_logs(log_default_output=True) -> Generator[list[LogEvent]]:
diff --git a/authentik/sources/oauth/apps.py b/authentik/sources/oauth/apps.py
index 032154c48f..dedd69246a 100644
--- a/authentik/sources/oauth/apps.py
+++ b/authentik/sources/oauth/apps.py
@@ -10,7 +10,6 @@ LOGGER = get_logger()
 
 AUTHENTIK_SOURCES_OAUTH_TYPES = [
     "authentik.sources.oauth.types.apple",
-    "authentik.sources.oauth.types.azure_ad",
     "authentik.sources.oauth.types.discord",
     "authentik.sources.oauth.types.entra_id",
     "authentik.sources.oauth.types.facebook",
diff --git a/authentik/sources/oauth/migrations/0014_migrate_azuread_to_entraid.py b/authentik/sources/oauth/migrations/0014_migrate_azuread_to_entraid.py
new file mode 100644
index 0000000000..944d1c6bf2
--- /dev/null
+++ b/authentik/sources/oauth/migrations/0014_migrate_azuread_to_entraid.py
@@ -0,0 +1,23 @@
+# Generated by Django 5.2.14 on 2026-05-09 19:01
+
+from django.db import migrations
+
+
+def migrate_azuread_to_entraid(apps, schema_editor):
+    OAuthSource = apps.get_model("authentik_sources_oauth", "OAuthSource")
+
+    db_alias = schema_editor.connection.alias
+    OAuthSource.objects.using(db_alias).filter(provider_type="azuread").update(
+        provider_type="entraid"
+    )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_oauth", "0013_useroauthsourceconnection_refresh_token"),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_azuread_to_entraid, migrations.RunPython.noop),
+    ]
diff --git a/authentik/sources/oauth/models.py b/authentik/sources/oauth/models.py
index 3e57e0e4d8..ec35e96f6a 100644
--- a/authentik/sources/oauth/models.py
+++ b/authentik/sources/oauth/models.py
@@ -251,17 +251,6 @@ class GoogleOAuthSource(CreatableType, OAuthSource):
         verbose_name_plural = _("Google OAuth Sources")
 
 
-class AzureADOAuthSource(CreatableType, OAuthSource):
-    """(Deprecated) Social Login using Azure AD."""
-
-    class Meta:
-        abstract = True
-        verbose_name = _("Azure AD OAuth Source")
-        verbose_name_plural = _("Azure AD OAuth Sources")
-
-
-# TODO: When removing this, add a migration for OAuthSource that sets
-# provider_type to `entraid` if it is currently `azuread`
 class EntraIDOAuthSource(CreatableType, OAuthSource):
     """Social Login using Entra ID."""
 
diff --git a/authentik/sources/oauth/types/azure_ad.py b/authentik/sources/oauth/types/azure_ad.py
deleted file mode 100644
index 34680b3569..0000000000
--- a/authentik/sources/oauth/types/azure_ad.py
+++ /dev/null
@@ -1,17 +0,0 @@
-"""AzureAD OAuth2 Views"""
-
-from authentik.sources.oauth.types.entra_id import EntraIDType
-from authentik.sources.oauth.types.registry import registry
-
-# TODO: When removing this, add a migration for OAuthSource that sets
-# provider_type to `entraid` if it is currently `azuread`
-
-
-@registry.register()
-class AzureADType(EntraIDType):
-    """Azure AD Type definition"""
-
-    verbose_name = "Azure AD"
-    name = "azuread"
-
-    urls_customizable = True
diff --git a/blueprints/schema.json b/blueprints/schema.json
index 418f243020..03bd2a617c 100644
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@@ -12945,10 +12945,9 @@
                     "type": "string",
                     "enum": [
                         "apple",
+                        "discord",
                         "openidconnect",
                         "entraid",
-                        "azuread",
-                        "discord",
                         "facebook",
                         "github",
                         "gitlab",
diff --git a/packages/client-ts/src/models/ProviderTypeEnum.ts b/packages/client-ts/src/models/ProviderTypeEnum.ts
index 8332d3668c..d5c0c5f8b4 100644
--- a/packages/client-ts/src/models/ProviderTypeEnum.ts
+++ b/packages/client-ts/src/models/ProviderTypeEnum.ts
@@ -18,10 +18,9 @@
  */
 export const ProviderTypeEnum = {
     Apple: "apple",
+    Discord: "discord",
     Openidconnect: "openidconnect",
     Entraid: "entraid",
-    Azuread: "azuread",
-    Discord: "discord",
     Facebook: "facebook",
     Github: "github",
     Gitlab: "gitlab",
diff --git a/schema.yml b/schema.yml
index 80ccf73303..6a3f2c51c1 100644
--- a/schema.yml
+++ b/schema.yml
@@ -52664,10 +52664,9 @@ components:
     ProviderTypeEnum:
       enum:
       - apple
+      - discord
       - openidconnect
       - entraid
-      - azuread
-      - discord
       - facebook
       - github
       - gitlab
diff --git a/web/src/admin/sources/oauth/OAuthSourceViewPage.ts b/web/src/admin/sources/oauth/OAuthSourceViewPage.ts
index a3d130a41e..317d50bea6 100644
--- a/web/src/admin/sources/oauth/OAuthSourceViewPage.ts
+++ b/web/src/admin/sources/oauth/OAuthSourceViewPage.ts
@@ -37,8 +37,6 @@ export function ProviderToLabel(provider?: ProviderTypeEnum): string {
             return "";
         case ProviderTypeEnum.Apple:
             return "Apple";
-        case ProviderTypeEnum.Azuread:
-            return "Azure Active Directory (Deprecated)";
         case ProviderTypeEnum.Discord:
             return "Discord";
         case ProviderTypeEnum.Facebook:
diff --git a/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts b/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
index 1989210307..bf1cb5db7d 100644
--- a/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
+++ b/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
@@ -1,5 +1,4 @@
 import "#elements/ak-checkbox-group/ak-checkbox-group";
-import "#elements/Alert";
 import "#elements/ak-dual-select/ak-dual-select-dynamic-selected-provider";
 import "#elements/ak-dual-select/ak-dual-select-provider";
 import "#elements/forms/FormGroup";
@@ -362,14 +361,6 @@ export class AuthenticatorValidateStageForm extends BaseStageForm<AuthenticatorV
                                 "Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.",
                             )}
                         </p>
-                        <ak-alert inline>
-                            ${
-                                /* TODO: Remove this after 2024.6..or maybe later? */
-                                msg(
-                                    "This restriction only applies to devices created in authentik 2024.4 or later.",
-                                )
-                            }
-                        </ak-alert>
                     </ak-form-element-horizontal>
                 </div>
             </ak-form-group>

From f54840d460f3ff204ed98d4d11213bab6ec9fc11 Mon Sep 17 00:00:00 2001
From: Dominic R <dominic@goauthentik.io>
Date: Wed, 10 Jun 2026 13:21:26 -0400
Subject: [PATCH 46/68] website/integrations: add Box integration (#22932)

Document Box SAML SSO setup with authentik, including metadata submission and optional SAML group support.

Closes: #22911

Agent-thread: https://sdko.org/internal/thr/ak/019ea7e8-d5ff-7131-a39b-e30219873e8a

A7k-product: product

A7k-product-repo: 1

Co-authored-by: Agent <agent@svc.sdko.net>
---
 website/integrations/platforms/box/index.md | 126 ++++++++++++++++++++
 1 file changed, 126 insertions(+)
 create mode 100644 website/integrations/platforms/box/index.md

diff --git a/website/integrations/platforms/box/index.md b/website/integrations/platforms/box/index.md
new file mode 100644
index 0000000000..64d4a02050
--- /dev/null
+++ b/website/integrations/platforms/box/index.md
@@ -0,0 +1,126 @@
+---
+title: Integrate with Box
+sidebar_label: Box
+support_level: community
+---
+
+## What is Box?
+
+> Box is a cloud content management platform for secure file storage, sharing, collaboration, e-signatures, and content workflows.
+>
+> -- https://www.box.com/
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `authentik.company` is the FQDN of the authentik installation.
+
+:::info
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+:::
+
+:::info Box requirements
+Box SSO requires a Business or Enterprise account. To let Box create users automatically from SSO, make sure each authentik user has an email address and a full name with a first and last name.
+:::
+
+## authentik configuration
+
+To support the integration of Box with authentik, you need to create property mappings and an application/provider pair in authentik.
+
+### Create property mappings
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Customization** > **Property Mappings** and click **Create**.
+3. Create three **SAML Provider Property Mapping**s with the following settings:
+    - **Email mapping**:
+        - **Name**: `Box email`
+        - **SAML Attribute Name**: `email`
+        - **Expression**:
+
+            ```python
+            return request.user.email
+            ```
+
+    - **First name mapping**:
+        - **Name**: `Box firstName`
+        - **SAML Attribute Name**: `firstName`
+        - **Expression**:
+
+            ```python
+            name = request.user.name.strip()
+            return name.split(" ", 1)[0] if name else ""
+            ```
+
+    - **Last name mapping**:
+        - **Name**: `Box lastName`
+        - **SAML Attribute Name**: `lastName`
+        - **Expression**:
+
+            ```python
+            name = request.user.name.strip()
+            return name.rsplit(" ", 1)[1] if " " in name else ""
+            ```
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **Slug** as it will be required later.
+    - **Choose a Provider type**: select **SAML Provider** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+        - Set **ACS URL** to `https://sso.services.box.net/sp/ACS.saml2`.
+        - Set **Audience** to `box.net`.
+        - Under **Advanced protocol settings**:
+            - Select an available **Signing Certificate**.
+            - Set **NameID Property Mapping** to `authentik default SAML Mapping: Email`.
+            - Add the three property mappings that you created in the previous section.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
+3. Click **Submit** to save the new application and provider.
+
+### Download metadata file
+
+1. In authentik, navigate to **Applications** > **Providers** and click the provider that you created for Box.
+2. Under **Related objects** > **Metadata**, click **Download**. This metadata file is required in the next section.
+
+## Box configuration
+
+1. Log in to Box and open the **Admin Console**.
+2. Navigate to **Enterprise Settings** > **User Settings**.
+3. In the **Configure Single Sign-On (SSO) for All Users** section, click **Configure**.
+4. Submit the [Box SSO Setup Support Form](https://support.box.com/hc/en-us/requests/new) and provide the authentik metadata file.
+5. Use the following values for individual SAML fields:
+    - **Entity ID**, **Connection ID**, or **External Key**: `https://authentik.company/application/saml/<application_slug>/metadata/`
+    - **Redirect URL**: `https://authentik.company/application/saml/<application_slug>/`
+    - **Public Certificate**: the signing certificate from the authentik SAML provider.
+    - **Email attribute**: `email`
+    - **First name attribute**: `firstName`
+    - **Last name attribute**: `lastName`
+6. After Box processes the SSO configuration, return to **Admin Console** > **Enterprise Settings** > **User Settings**.
+7. In the **Enable Single Sign-On (SSO) for All Users** section, enable **SSO Test Mode**.
+8. After you test the integration, disable **SSO Test Mode** and enable **SSO Required**.
+
+:::warning SSO Required
+Test the SSO login flow before enabling **SSO Required**. Enabling **SSO Required** limits managed users to SSO login and is treated by Box as a critical administrator action.
+:::
+
+## Box SSO account settings
+
+### On-the-fly registration _(optional)_
+
+Box can create user accounts when a user signs in with SSO for the first time. To use on-the-fly registration, contact Box Customer Success or Box Product Support and provide the `email`, `firstName`, and `lastName` SAML attribute names.
+
+### Group membership _(optional)_
+
+Box can update Box group membership from SAML assertions when users sign in. To send authentik group names to Box, add `authentik default SAML Mapping: Groups` to the Box SAML provider's **Property mappings**.
+
+If Box does not show the **User Groups Settings** section after SSO is enabled, contact Box Customer Success or Box Product Support to enable SAML groups. Nested group membership is not supported by Box.
+
+## Configuration verification
+
+To confirm that authentik is properly configured with Box, open Box in a private or incognito browser window. Click **Sign In with SSO**, enter the email address of a managed Box user, and confirm that you are redirected to authentik and then back to Box.
+
+## Resources
+
+- [Box Support - Setting Up Single Sign-On (SSO) for Your Organization](https://support.box.com/hc/en-us/articles/360043696514-Setting-Up-Single-Sign-On-SSO-for-Your-Organization)
+- [Box Support - Logging in with Single Sign On (SSO)](https://support.box.com/hc/en-us/articles/360044195153-Logging-in-with-Single-Sign-On-SSO)

From d1ade08e24efea130fb46307ff77ebe993816c40 Mon Sep 17 00:00:00 2001
From: Connor Peshek <connor@connorpeshek.me>
Date: Wed, 10 Jun 2026 12:33:06 -0500
Subject: [PATCH 47/68] website/docs: add release notes for 2026.5.3 (#22976)

update release notes for 2026.5.3
---
 website/docs/releases/2026/v2026.5.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/website/docs/releases/2026/v2026.5.md b/website/docs/releases/2026/v2026.5.md
index 5805ee48d5..efbd4abcd2 100644
--- a/website/docs/releases/2026/v2026.5.md
+++ b/website/docs/releases/2026/v2026.5.md
@@ -515,6 +515,18 @@ This release has been skipped.
 - security: GHSA-wr38-7xg8-fqxr
 - security: GHSA-xp7f-xjjx-gwm8
 
+## Fixed in 2026.5.3
+
+- blueprints: handle integrity exception when applying blueprints (cherry-pick #22599 to version-2026.5) (#22927)
+- core: bump django from 5.2.14 to v5.2.15 (cherry-pick #22956 to version-2026.5) (#22962)
+- endpoints/connectors/agent: fix exception with invalid auth type (cherry-pick #22943 to version-2026.5) (#22951)
+- enterprise/providers/scim: fix interactive OAuth overriding refresh_token (cherry-pick #22858 to version-2026.5) (#22861)
+- providers/oauth: skip post logout redirect matching if none are saved on the provider (cherry-pick #22718 to version-2026.5) (#22955)
+- providers/radius: fix panic in log due to type (cherry-pick #22965 to version-2026.5) (#22967)
+- tests/e2e: fix proxy tests failing due to in-use port (cherry-pick #22785 to version-2026.5) (#22792)
+- web/admin: fix Docker outpost integration form CA Cert filter (cherry-pick #22863 to version-2026.5) (#22895)
+- web/polyfill: polyfill customElements.getName for Safari < 17.4 (cherry-pick #22940 to version-2026.5) (#22963)
+
 ## API Changes
 
 ### authentik (v 2026.5.0)

From d9af3ab85c309ce58907d5e1410b2bfcc2df5689 Mon Sep 17 00:00:00 2001
From: Dominic R <dominic@goauthentik.io>
Date: Wed, 10 Jun 2026 13:41:36 -0400
Subject: [PATCH 48/68] website/integrations: Bitwarden: cleanup (#22698)

Clean up the Bitwarden integration guide to match the current template and verified SSO settings.

Agent-thread: https://sdko.org/internal/threads/019e6b1f-ead2-7471-8d76-55c57b09a495

Co-authored-by: Agent <agent@svc.sdko.net>
---
 .../integrations/security/bitwarden/index.mdx | 97 ++++++++-----------
 1 file changed, 39 insertions(+), 58 deletions(-)

diff --git a/website/integrations/security/bitwarden/index.mdx b/website/integrations/security/bitwarden/index.mdx
index 18303a537a..10bde10045 100644
--- a/website/integrations/security/bitwarden/index.mdx
+++ b/website/integrations/security/bitwarden/index.mdx
@@ -25,7 +25,7 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-:::info
+:::info Enterprise subscription
 To enable Single Sign-On (SSO) with Bitwarden, an [enterprise subscription](https://bitwarden.com/help/password-manager-plans/#compare-business-plans) is required.
 :::
 
@@ -43,67 +43,46 @@ You can configure Bitwarden to use either OIDC or SAML; this guide explains both
 
 ## authentik configuration
 
-To support the integration of Bitwarden with authentik, you need to create a property mapping and an application/provider pair in authentik.
-
-### Create a property mapping
-
-Bitwarden requires a first and last name for every user. However, authentik, by default, only supplies a full name as a single string. As a result, a property mapping must be created to separate and provide first and last names to Bitwarden.
-
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Customization** > **Property Mappings** and click **Create**.
-    - **Select type**: select **Scope Mapping**.
-    - **Configure the Scope Mapping**: Provide a descriptive name (e.g. `Bitwarden Profile Scope`), and an optional description.
-        - **Scope name**: `profile`
-        - **Expression**:
-
-        ```python showLineNumbers
-        return {
-            "name": request.user.name,
-            "preferred_username": request.user.username,
-            "nickname": request.user.username,
-            "groups": [group.name for group in request.user.groups.all()],
-            "surname": request.user.name.rsplit(" ", 1)[-1],
-            "givenname": request.user.name.rsplit(" ", 1)[0],
-        }
-        ```
-
-3. Click **Finish** to save the property mapping.
+To support the integration of Bitwarden with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
+2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
     - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to:
-            - `https://sso.bitwarden.com/oidc-signin` for non-EU-based SaaS Bitwarden.
-            - `https://sso.bitwarden.eu/oidc-signin` for EU-based SaaS Bitwarden.
-            - `https://bitwarden.company/oidc-signin` for self-hosted Bitwarden.
-        - Select any available signing key.
-        - Under **Advanced protocol settings**, **Selected Scopes**:
-            - Remove `authentik default OAuth Mapping: OpenID 'profile'` and add the property mapping that you created.
+        - Add the redirect URIs for your Bitwarden deployment:
+            - For Bitwarden Cloud US:
+                - Set a `Strict` `Authorization` redirect URI to `https://sso.bitwarden.com/oidc-signin`.
+                - Set a `Strict` `Post Logout` redirect URI to `https://sso.bitwarden.com/oidc-signedout`.
+            - For Bitwarden Cloud EU:
+                - Set a `Strict` `Authorization` redirect URI to `https://sso.bitwarden.eu/oidc-signin`.
+                - Set a `Strict` `Post Logout` redirect URI to `https://sso.bitwarden.eu/oidc-signedout`.
+            - For self-hosted Bitwarden:
+                - Set a `Strict` `Authorization` redirect URI to `https://bitwarden.company/sso/oidc-signin`.
+                - Set a `Strict` `Post Logout` redirect URI to `https://bitwarden.company/sso/oidc-signedout`.
+        - Select any available **Signing Key**.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
 3. Click **Submit** to save the new application and provider.
 
 ## Bitwarden configuration
 
-1. Log in to the [Bitwarden dashboard](https://vault.bitwarden.com/#/login) as an administrator (choose `Accessing: bitwarden.eu` for Bitwarden accounts based in the EU). If you are using a self-hosted Bitwarden, go to `https://bitwarden.company/#/login`.
-2. In the sidebar, navigate to **Admin Console** > **Settings** > **Single sign-on**, and enter the following settings:
+1. Log in to the Bitwarden web app as an administrator. For Bitwarden Cloud EU accounts, select `bitwarden.eu` from the **Accessing** menu. If you are using self-hosted Bitwarden, log in to `https://bitwarden.company/#/login`.
+2. Open the **Admin Console** using the product switcher.
+3. In the sidebar, navigate to **Settings** > **Single sign-on**, and enter the following settings:
     - **Allow SSO authentication**: Select this option.
-    - **SSO Identifier**: enter a globally unique SSO identifier (this is not required if using self-hosted Bitwarden, or if you have claimed a domain, see the [Bitwarden Claimed Domains documentation](https://bitwarden.com/help/claimed-domains/)).
-    - **Type**: `OIDC`
+    - **SSO Identifier**: enter a globally unique SSO identifier. Members with a matching [claimed domain](https://bitwarden.com/help/claimed-domains/) can bypass entering this identifier; domain verification is outside the scope of this guide.
+    - **Type**: select **OpenID Connect**.
     - Under **OpenID connect configuration**:
         - **Authority**: `https://authentik.company/application/o/<application_slug>/`
-        - **Client ID**: Client ID from authentik.
-        - **Client secret**: Client secret from authentik.
-        - **Metadata address**: `https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration`
-        - **OIDC redirect behavior**: `Redirect GET`
-        - **Get claims from user info endpoint**: Select this option.
+        - **Client ID**: `<Client ID from authentik>`
+        - **Client Secret**: `<Client Secret from authentik>`
+        - **OIDC Redirect Behavior**: select **Redirect GET**.
 
-3. Click **Save**.
+4. Click **Save**.
 
 </TabItem>
 
@@ -118,12 +97,12 @@ To support the integration of Bitwarden with authentik, you need to create an ap
 <SAMLProvider20265Warning />
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
-    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
+2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the **slug** value because it will be required later.
     - **Choose a Provider type**: select **SAML Provider** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Temporarily set the **ACS URL** to `https://temp.temp`
-        - Under **Advanced protocol settings**, set **Signing Certificate** to use any available certificate.
+        - Under **Advanced protocol settings**, select any available **Signing Certificate**.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
 3. Click **Submit** to save the new application and provider.
@@ -136,20 +115,21 @@ To support the integration of Bitwarden with authentik, you need to create an ap
 
 ## Bitwarden configuration
 
-1. Log in to the [Bitwarden dashboard](https://vault.bitwarden.com/#/login) as an administrator (select `Accessing: bitwarden.eu` for EU-based Bitwarden accounts). For self-hosted Bitwarden use `https://bitwarden.company/#/login`.
-2. In the sidebar, navigate to **Admin Console** > **Settings** > **Single sign-on**, and enter the following settings:
+1. Log in to the Bitwarden web app as an administrator. For Bitwarden Cloud EU accounts, select `bitwarden.eu` from the **Accessing** menu. If you are using self-hosted Bitwarden, log in to `https://bitwarden.company/#/login`.
+2. Open the **Admin Console** using the product switcher.
+3. In the sidebar, navigate to **Settings** > **Single sign-on**, and enter the following settings:
     - **Allow SSO authentication**: Select this option.
-    - **SSO Identifier**: enter a globally unique SSO identifier (this is not required if using self-hosted Bitwarden, or if you have claimed a domain, see the [Bitwarden Claimed Domains documentation](https://bitwarden.com/help/claimed-domains/)).
-    - **Type**: `SAML 2.0`
+    - **SSO Identifier**: enter a globally unique SSO identifier. Members with a matching [claimed domain](https://bitwarden.com/help/claimed-domains/) can bypass entering this identifier; domain verification is outside the scope of this guide.
+    - **Type**: select **SAML 2.0**.
     - Under **SAML service provider configuration**:
         - **Expect signed assertions**: Select this option.
     - Under **SAML identity provider configuration**:
         - **Entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
         - **Single sign-on service URL**: `https://authentik.company/application/saml/<application_slug>/`
         - **Single log-out service URL**: `https://authentik.company/application/saml/<application_slug>/`
-        - **X509 public certificate**: Paste the contents of your certificate file.
-3. Under **SAML service provider configuration**, take note of the **SP entity ID** and **Assertion consumer service (ACS) URL** values. These will be required in the next section.
-4. Click **Save**.
+        - **X509 public certificate**: Paste the contents of your certificate file, without the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines.
+4. Under **SAML service provider configuration**, note the **SP entity ID** and **Assertion consumer service (ACS) URL** values because they will be required in the next section.
+5. Click **Save**.
 
 ## Reconfigure authentik provider
 
@@ -158,23 +138,24 @@ To support the integration of Bitwarden with authentik, you need to create an ap
 3. Under **Protocol settings**, set the following required configurations:
     - **ACS URL**: set to the **Assertion consumer service (ACS) URL** from Bitwarden.
     - **Audience**: set to the **SP entity ID** from Bitwarden.
-4. Click **Update**
+4. Click **Update**.
 
 </TabItem>
 </Tabs>
 
 ## Configuration verification
 
-To confirm that authentik is properly configured with Bitwarden, log out and go to the [Bitwarden login page](https://vault.bitwarden.com/#/login) (select `Accessing: bitwarden.eu` for EU-based Bitwarden accounts or use `https://bitwarden.company/#/login` for self-hosted Bitwarden).
+To confirm that authentik is properly configured with Bitwarden, log out and open Bitwarden.
 
 Enter the email address of a Bitwarden account and click **Use single sign-on**. If you haven't claimed the email domain in Bitwarden, enter the unique SSO identifier that you selected, and click **Continue**. You should be redirected to authentik to log in. After successfully logging in, you should be redirected to the Bitwarden dashboard.
 
-:::info
-Depending on your `Member decryption options` setting, which is set in Bitwarden via **Admin Console** > **Settings** > **Single sign-on**, you may still be required to enter your master password after signing in via SSO.
+:::info Member decryption options
+Depending on your **Member decryption options** setting in Bitwarden, you may still be required to enter your master password after signing in via SSO.
 :::
 
 ## Resources
 
 - [Bitwarden Help - OIDC Configuration](https://bitwarden.com/help/configure-sso-oidc/)
 - [Bitwarden Help - SAML 2.0 Configuration](https://bitwarden.com/help/configure-sso-saml/)
+- [Bitwarden Help - About Single Sign-On](https://bitwarden.com/help/about-sso/)
 - [Bitwarden Help - Claimed Domains](https://bitwarden.com/help/claimed-domains/)

From 929a65c1b54326a701bda9550a7662298d5ef12a Mon Sep 17 00:00:00 2001
From: Connor Peshek <connor@connorpeshek.me>
Date: Wed, 10 Jun 2026 21:32:15 -0500
Subject: [PATCH 49/68] website/integrations: dokuwiki: add post logout and
 logout urls (#22984)

* docs/integrations: update dokuwiki with post logout and logout url

* update oauth config screenshot

* Optimised images with calibre/image-actions

---------

Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
---
 .../dokuwiki/dokuwiki_oauth_generic.png       | Bin 35178 -> 163554 bytes
 .../documentation/dokuwiki/index.md           |   5 ++++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/website/integrations/documentation/dokuwiki/dokuwiki_oauth_generic.png b/website/integrations/documentation/dokuwiki/dokuwiki_oauth_generic.png
index 6141ebf41909bfa80454d8a8afc8fe711e36fe13..623096900293741a40fce9191b9ec9756b86dfe4 100644
GIT binary patch
literal 163554
zcmb5VbyQUC_Xo-hAf<FDpp<kBp@blafJjR>3?QI%NY|J&NDj?cB&3Iy9zk*l1?dtH
zknXN~X0YD7e(SDv|IpFrob$wf_WtY+exxdYg^-pI3k&Ot!b4dN;0K0<MX-X84U7zo
z>RbkXBpxYi$(^5{TUl9w!Qg}ay{^e~At9mhvC*})wd141uCA`*<Ku;e`R(nk*w|Pf
zAD`UZ+}he&6&01GJjYA!=PP5~E5JMiP7n26v9O3J(0@Q!Nhw#cuo$rvWTmw{M^{pV
zy=QsIv6>gC2tUyuO`V&;4Pif6hUgRXCQ^g#2}l)%zulVf_QE|lGy)GT*Vyo8Y1tT?
z0<(UvDl1ZaZQ5;6yu3>rU|44LJOD<Mjpg6q&jbY?2L!_2L18e^$y@wkDiCn00~TCm
z3J^BVWf(rNJ{Bnm`yLXj9sPt6?=lt$n-P2o7?wq1k@91?Ac21Z&ww|AU?B9%EZ|GP
zXJSxb{2uXDEbyg!H~@*zQvv@32C%T+VqXH5BjaaAzw^&Dq`(O909X$g2Oj>O<_8SK
z2t~j6dm33Jurd~UZQvI(3;tCy{@<JYcl@8(Vf6f1IG2N9Oi<v{f5zK??U)QbC2%xg
z2fzmZvw8H<7@@%C!Iw6w7*nan*urZ4Gsxyrthqpc&W<#8C0A<h^hiIOS3Vl!L$y8z
z|DhaA{Ooc3^Zf@U-zxP0vSN0ErijF}sqoVwt5hMwqrST0=T77o)B;Eh5IT*qrBQgq
z@xjgo9e}@qEgpDlg?QBuz~Pi6hQNRSP-$Z>=xOh?p>H!V@`qmE#lg@q!}EwRCWKOO
zpqE8e0)vhSE3Jjrp+;bFF{GHy!E8KiQw~{PX4uXiqs)t5;9`58Vvk|fo4jMC$df@u
z7Q)oY#U@Kh-$K(tod!vw1e;>hM5DiC-Vj{9m*OwsH}Uf4(ag>m57dT|KdRfljlcRY
zo&PsmO21vX<O9!C-*Sn|eUx!099G}HaTOuQk(CeAhq&^#5cL!NWf=Dz{g&{Ln+P1_
z37_HoEwC`v^oQeXa<_&5xgtp6%$vJo@tz6+72oylu3QBr<8-aK&nK8%Yz@Xh1=7UY
za2~uz$y%!_3yPV}(G}C48tpVwFX=RtWT*(J96eGMt-9VWf$a;%P!h=yhuvCi1%r_C
z3lQmzzZkBMoec6GmI39n18frziDm=fOli~zDlAEvFfIG4Da}OzXja#>5V-O>z~_>e
zF(mv>f&$4Pu_TqWxbGGo=Go7gzrnwXRHNhvSQafmZvbh#q*2|p$*cQAA^!Uin=;pJ
zVDbxoIoqY@_rHtnOYHFw+;8Yyda!R5%NKo{C;^z!AH#{j7D)MFyF;wcd5Z$tVkr@N
z@BCwG)w;n}7xHkyFdKZz>-wzNJl7JJyShBUR&D0H|8kP2Fizza0sj6a`)A<z(oeF5
zkBaxOEd>NF#Qs87CCWZ4#R(UX2(lU%`EV>Bi`~kOes8Z`D|_%M#%dAQZc~HhUv`_O
zbu_#rTp<<dRdO7I9E`q79r3}j<LG2A)8vACe=!$~K5gG}my{OOixqlI<~Qb*@JJi!
zyDRh`(J+}G$<xlxZ(~B$HszQHXGg+c`vqwubsFcMB&>3cI{rJOsJzm83f$FBSuEf{
zpno#A*;zv<@UI*Iuyg?}Z?OT&{{|oo&iod5%sBYL{|#8^am>YIVCRp_Vf|SFJ$?^)
zaW{bU{bvQtIEI{P*!;`ke<2Y)j(-(E%!?!a2m8?D7)%5%AL{~#(5wDk0W*$<u>T9U
z{(vzsGZq??|KBU1#~Go20OLO^V8$_kgn@p{3MU2h2)Gp8An@76Nj6-Wp%;??kcz=A
zG~;9afjIQpeuM1=l`a7DEFM20eu!?>IO}X2mg$>4pe+Un0M-QpeK&0f3C#>T-eT=)
zYnyptL$E2EZxFO8`p>eOEYK-ts9@Sr3QWwb{yut1U>g8FLw>*}s1dz(l6AaLp$DF5
z{dBRJ@78iiEf&J)#)k_(0O(xRtc>4+CuCB&l<F)NLu@_wyYoX`);5&ZmztB|b%9^R
zXP?>JG8wcDvhKJ#*e8wTn?`Vw+1c$b6*_H7tg0-^fv}K`gcsu8_5*eWOpU{tZ89>%
z1GO~#AC>JmbAlw9V7(8O@bzm_B5QJVrh8=BFCW`*P22MDrbJC`>qhwyEJAHX)voDR
zF|HM6Uq*b<b!agGCd9%C!)S=_^0LSp-k?t&UD{(mwPRqoEL-`C8nN1(_*(c+2(GJb
zO_Qb)S&J5ilNK*}@;1XAQ(?ySh$GtG-MMkbXVWj0C=jDdwpU*bIZEzv^?MG#z;E;j
zrEtaC$T`Cy$EfVHJbHuz($0m|ITg371*Y9TJ&LQGrPh>QES->va8w`d+&pW^nT0T?
z)DY>RK(-4@r1sm31=R!3;#Gp7wl24I7y-81pm>Opn+-tuNYWtRmciyohfoc;>U9;f
z+6V~6Yi@tq_6NIL+1iAzsrbXT;vzv4hU7)n1D-m(Ls5h-2rvkc{PcSm!9q@@V+-Ra
zcynI5MWA;%gz7eT-cBizAxA<<>#$y!N0z9*6R)K!`EV|5b>R(-;EG)xy@86{J&k*7
ztbtQ{&jA)dsxe|X9Z3=j%Qbk>K*1k{V;2EiC8rXm<r=w8$!uOiALwSX4$khy<w=7J
zOQsPe+(R?(clNgzJY?aDG#ccYAkb6%p*V&!3ugyY_m+xT=Hq-(z8q5jV+Y}vK9dN0
zt*H~0&vOH};LSIU+Jbu*6I@(ej<$4Nw)vJm?6LP^#wFYU1JnE2L&31u!-K3jeur9L
zoWiqi*{PS^gi6=n&w%qLQyjZm7-r*-2E!6H(piXKQsDz|bMotw{Pl?SK47Qwa1(qn
z9F~7#&NoE+{?Q?m@s@1d4^}H@Rup+p7Q1iafwqLC{Y~Y<VXd6WytQ%9w60@%HC&z>
z3~lc@WJrL6Nj<-ib14YeYQ{BEy93)NN|;XnV1@T*?5?xxOo5_egORr4nRj(&zwxQ!
zL3z&CHb_79=bx6@;v#7|19L`5b2&NtWlvJHsdYeb^8yjd>G{ty0;LN^3QRJUnTj+n
zZwfoE?&Oct_0{;h=}%3H94Reb#aNT+_b?V4jNynLL1Cn_<$Y-U->V0-W-TkU^rnjf
z&Skwb&~Ly(KzxaZpK=S(p-v>v?<2oQ8l1h>);CH7jZ543Kl_ck6I6)fMdM}E`YS5@
z69tsi$c}CJ`JB{=^|{)KqX2(LFYzz@Ly!;+JH7#4l14R>pP8F~7ykSQx&bY3T6PjM
z&`@*|c;0m$98eyfcd~I|u##d_`gM@fnH%m$m19W|hF^hAYI$HEWWp3|=Wat#4GfJu
z-k!}oW6y$0&UUn}w;o3E4X_Q?+q=2EnmC#3eQdb$Okgl=iqo>&T3kH+yY0j{3>Jkk
zh%xgw+(UjV{othzNlhNyU$do`<1zQF=R@%jw|R7uHi=60Wf@a9R;@<hwa+m=55R9z
za!0xFL8o69uNU6YBYwWwECW~}7dVW4KnwEum{JuZ>PI@#@o4p7KpE^c-w$JuA&GOg
z6s`|{Gk~CT3_}OgOux)}KneOL!mdbtHOu+_@c|KdkLp~POoX1;5obR!k^t=P?LfZ}
zc($&vRAler@;UFU3pZDic&J+>+vM@V_p*tJ1Sn1zMuIL(WficySGQ7`U#e-mjRKNy
zb^Ao&%+as-#P1q$?d5a*GNV<;AGgmZ?^7UL{MT3lj3e#e*Q_-A_^rP2S(FMszf(@a
zcTGjCVtH1y59M?nzB#+tKjeS|Z>Zj;h?uwm;XH5SK^@(3k8xBM$vg5QN0g0x^m=;A
zwAkB><8i(a@gK52Le`B4b1U6zze>i#@n{Cpmta3KL)Y-+-oa<Ol99XS8O<n_t5x#J
z<}INXClAz~SJ($k+dsMIM#g__l(M4t?!DPg(O6ErBZ)^t#8>?2;-nOe=J6BqhAQW=
z*WL{B@kPoE!V-zFE7mmVzH}0vd%GpS^<oPf+$8mwU<q+{x2uij->{WvD%gFoM47Oq
zbH{es{JCw4LzTPLik-K0`smL7ZKH5{tLBw{!PcR9=WK$tMzR@E%O#pWsvUhfsj$OG
zADEe!d#di2uuM&I+$U9h8Y{F!UF{w;?q?%r2TulW%V)*tY00j}7|)p&4$n6gqt8kE
zLVV3<4@(?l3a-G_d%)BNlW%Nqdz|&Ega}3mx>wA>nX5CES%_uI+!~rhjU{C%#knAc
zL;~Erjd3E6lZ5RvrZN_5N50K@YC;~s)$MIa5!&BE$ttQ=_u_k;Qvw}vbc=W|(}P(4
z!$vJ}enviH{rJPlNi0z2bhCKc*pSyag_=F?FWe{*GSTW!zK=4bCG#}BoeGM8ZgXrA
zSBrLiTLIh$E0UanG;<tfdK@0TmTc2~{9$8IXg^B|$-4~q+|XUV@)~25Qq(P0_nRn!
zP&eoA8I}##rn+_RNR(GoF~quIxm;CXkA)8>xMqwz_GdYaUcpgzRC&rkFgzyFQ`IbT
zpEgGYTLkSfUN}2Am%pQMx=dUTvdZ2KoicPz*$@wB<w{2+9n@%5ZBI5)=8^YLR#iv0
zA=(^J-sDuw^<EP$v0Sasv|{oor>k%I(T%PyJvwlZaG>TdYs+@2`F0l+nmyYV`mor7
zv4;xO?|k1bgpmrgZTX$GD?ZfsU^J5Zos4mg8vT8<YRf5OwNh10+^)E%8v|Q?Ehq;>
zuPn0FIot7-(th~&(#fnlrxJJ<_5fhv00xdW*ox26Eg(@a#NlJi2eO;$vTZ#BS4`76
zmxk6$G_@btP__@ew{#BUfI80_+s~4MwsWoI^qxk{rsLR=ysMYYtJPD<3E*88eV=H&
zP5t??r7e%ZOy^*Ow?cES;~1ZkO_1||NTq-LaY&R~nuUDslLr&^SEnBBM&xD@2}n|a
z=-NhFZQW5y$&&Bwy#FKbZrY^V-af0$P!C+?^4X=WDanGlNk`F?{o$;-57L2l;-mAQ
zK4bNhMkL`Xx3Xzz#5jn|+=ONmy}Qc-b*C+NjEIp>nbpc|RHES59*|E_%^1T=3#_)v
z*Q|eMa!liQG;Haluirq(u##xs`v9O(o<r!5(Qu)=4c&iDSimoWQ1LesCHQC{JBw<E
zZtJ)XuZa&^3WLN(zPWvQH__vAdoRUs;I?xR%=rDi;qsCm_W{WVAj9}sitaUnVIK8k
z(d`Nk@ZKFFy{a5dAM2G$$JOMJdsf{-$5*a$KPa+)HD|7sT!Xs7Z}g@+8go~bA}2gh
zGb>*3gMYA>59A{Z9%L5C@3?(<vU(o#Q-uCTdZ(RXWDCb$NN@wU!&mrb0xnO=OcN|a
zFj(~tG1%R+X7et{FuN)ISk!f8F%4E>QGc~l@dhpr!GI+P`AFki`>r|jJx{Z{d_=?9
zQskg9nJ^I?o-pOVr=R48PEytBM#hu(iCsH$S)<UPIifT9EE#9}@=>WjwaH0@B{GL^
zO}|`ZkT$OP>@aaVpnb0H{P=q+{AfrXS;IJZ8_wTo4>b>Az2dV{gHz51H4npW>3-e7
z{VX5|Cbvq+c2hITBR~mx;(qnVDSkpK3lx4fx=u7~(#0&n+#Q+>jvu$>AQ!6>l|}A_
zza1c*W&5%r<$QV%r%N&fW*h_~!`Pkepko+}_wM~kT^J&okcJ{Ot6oMpEd6NA^wn+C
z74^#&?SaeF$l>Z!s(hG-$vB<@4Np^&cKv#$huZPJQG`$1zI22Adfm51N$`AN)0S@4
z4vCI`ef{*tf!6$~HVQQMV4<UzU@b!e4<r;CPJEMkjKsF+1qZyE_UtZ*qMvGYwrj{g
zfGC5*tjVZpa*`5Je*7hZOxl?`kejAVEql@xslmOsb%vji;DRIuXLtO8wmp3iN^&O)
zOnswwX_6IcM&QN<HKW?Iz~ONWEuG?oT8;+P!s5pEM2Lnh!(hhiy3%!N@#zeu2_}w?
zq7tp~zTtt388X>RNVi4oTgI_DS4z1Z$fguYoCZa3c~&iBdkGT~>q-WqAw&LLPzR0#
zJ;<tyI9Mlb!OlTDY<%el)wTLcWntY`_-I{FeK=PKd`_L}^PL_cP>cd{h6MbF16Q!Y
z*@92=V?FO9U-7RS7f4a^>$bktu-XZR*-Je{+MNV$^WVN-*QQuNx}LV@NQJO&AnCOC
zS;#t*2D>M+K>bzy417SSDC%l@C9Rdf#Rj&vJ2@sQYL*T0cyz@BOy*;|(|SeXX2r~=
zO^ziGYlaynQqmX)rNBpwP?@W%vPiy8(<9`BlbxLrd^%`|PMehGwsuftj8{dKD{`x>
zP@Fe~>%m~s$?EiAh5hx$%{}3vQ|YcO-&w9p#oI2P#KZi+nTWzo`AW3Yuz!2yD=c8@
zv%1RmFkcQRgFbL3M5T%VU%)sC4gV%%-+^VsP9b=Yvhio-DHkZzoe9G9zA%7ZM|9+a
z6_JjqmP$^|lbl&>A7jYlmYz<jN_e3Ud@G&0(#BCXyi<kR46zxmHNg@%7Q(Qio+jG9
zn<2|>#}V3`P`#jl>;nzeFONfg7Byr)Tp~~o(QY(}v%Nhk;#ECpSMCZLJCPHCD0kTQ
zv9>6}ec6DE>(v8}$7DQno_dh4dT!^M3tuXx(SMy^nQQpQ&|7PJz|n86-Ijq?g3h|;
zGc93#ra(t%m{0>V^tZ1p$p)<@y-gAQp5>t*8&rd#k;{5Hl0c7;<Sr>cZ@T`Dviw~y
z4dM7ho1O8US>oN*7+K=2EB(9QHP#xO1yj_KH;hzmA55-R`1w-uiy7C{u|W6PH9Mu0
zk$g`l{5mojHH`iTAKFxSR88pXO|{n-hi!KzYM?L)<zBw_^su2)H{*sukk3l1h+=4l
zd&XGAghbt)9?CgR`+1=zhuR%)<1HHRMe$H^s^y_wWpR3SA3K?eVsYiyh0Pq+<wHfv
zVUcQFlLpIN#xf!scY3;G34#^%l5DOQDoHUlq_^Kmv~(|Orkl9_p)9s`V0U|MX(q72
zhe?(FqaVvh_s`j6=r|cBl$B1wudX|&_}S8QOgR4Rwx6pd(M)Aa6QR4%W_px;ULahu
z%5Alv&%lnTt@9(}gzzRYD3o9ukorY0MZ-Mqs7B%D8ulH{%I1;r#4ec+GIzvtiBSWt
z-Ia?^c=}qU$GlgZoQ3Ng-&E(aT=l+sOs7VEXdt_yS5fkYc<YN?YT-!<NkD5tAW@;+
z)3?l#A1Jx?ZBf%s6Dsm+GhgSPwZ_9^4^R0iygCc>Xx<v=Z{b#-9sjR!qWazA%ZnOg
z_W5wyhL0kNeCbPPS3$L^;CL4G=~mTCjJ^VdQM(`fO_mGBROuc=#O$3-J#W{ix;0t8
zJdV>Tt}gcr3e6HSpeW^fsr>SmbW|zq^~WfPxy2gMu=Y-0#T9V8h5U7Y!=sK5R8wQn
z2yph+DttC>k^fT-JZnf5nK86m!`0f+vE7(^YQA;drf)El@6G(PQ)b_)Jze;o+Fn&A
z!@_bR%<`1dTkenR<EM!1BP@FO=rHiK=!vXv^dntgGs8-aN|~{DzO6OqEIS5i>gDw^
z$jUO_pe#IihErDeS<~anN}as>4$bN|;$pcDIOT4>n~tfFvZA8F!<ovfx<4WA5bv*N
zDkuEyo0+t-xpAB}K^CalCj#$JN+9Q>4yd@-9^Fo^EB>yJ8zWu4=3PclR^1+Ht;z0a
z>sL~bC=`atiPnr=r)V~iDXO)f14!DDCZ(3WXn3>=j;FRX(|51mBRb0`j8wdO!cq6m
zM@p}LiPA=U5~ZFyIN4gq@S3^YJ@Ko_6^oBXb6?t?ZyfTsF7ND*aH`d@FT5*s7A!g)
zD9;s*zH3FFNME$_%+rt|W_#8xj!tm*+FDTE(7d-O%eauAM~a1^!jgI8(3T(g!iAPa
zN&@DUS6v+Lp1B`a&~&GZ$;T7X_a?}`8IvEDm79yMVmH>xLz9z^@bvDIB5vX@F+w*@
zKf(`oa&J9YFuuNY1r$0!S{L$_N}ZBD?dF@9r3W>Z3{?sfZvy%~vTcyhoW&}?+o0^L
z(|m#)$9B=w+wu49)Gr}VRx8Z#rbJwoC8YR<!_)JD%<>*zI3zG430Cnm;F(zJcLzTB
zy^;!w_vR-L%8BsP7f^J#1&tGn?@6z9!zU*yU2>U8bYguZRI(LcI_-*o-{(8;%iy^-
zERGL$KZRG1AM?vmPN|GPJFtb!Y>Ha2zWp5XS7#@{5?@i>CVywkmCy+`L(NQF$5C#@
zxuH$7%@@F^Xva1{=p&5R<!*skUZv+ZjAeXau%ZI$XZ?`1{l(~R$KK1R+IyKEF*kqm
z1y#hU9fyXRtMis6>uY+q2ll>9QR5PWjwmjD|Iv-Fm!ewj4%Tsu9!vgau9bHeZ)I(6
zMKh{fi&uvIHj^WFPTYE!G_rN9KJMvPL$`vW%k|vbZwVjLFSNwgTKLQ3uiOO3>kbZ4
zfqde3QMf!OS|>}KeyYelM~Yza-@f*77ZBvpR~(zi;wy}CgELnWCFFml7_wjLcN1XX
zmPT3Q7O+@zrxGPNBr(AoqFaJtStRwFcXmfqN8e1kUEv(Ku}56_?fjW@v-Yu>`1`!x
z`mI3e9`-BXK~=XZ9J_vFyW$arqQ-?KRarMp<eIVSr_iKN6$7fWQf7u#*9OAC!jlf1
ziY9t1i;Pg8OxOHmfn%>+aCZ3dDH%WS?(s{y8C{8%<6>iIqd4N}>xqU&=+EP}r%UIz
zTO7$0{+QjvZMe#!V%2iKH8$)b4&?j;Uds9j2X!$Jh}xt&Zi$%|x4b7a)P^J?$UpU#
zqx5*6s_5NUHN?Ak{Z6wPVyQ97!?jccsYjuPV=um31`m1%HFlB!S3!$YKmcz@#IB40
z&+qwAtj9^@+po_n*KDH_-xd)hNJ;UAXP-+ZICu=um_D{8MHmMd-#+#?@!h|Ba10Mv
zWN4*Zo;`nk-pWkhOMj$!?y*0+kvcOqWZpx3GNAjl)oZ(v?d};j3&9^39WV!9mvnrD
zPVUKh&_r@^pRP%FsUUX*-ppIg-XY`ni^ryBZ|6Jyv;ZCiOU6idfpzkrdO7>il*UoP
zdukJ$i>RA-opS3>Kj{l!c@{xZncwjB)LXdyFw+EiM||7?KOqsPYyCZhEML&XYe5XU
z0Ppupk3CJVpcug`-80|HZ8Sj=vo2<pRTIxhBft6QN~#Rsf@HzktiCanoDh|SfBJNz
zjMnzn_&xpnNsl)q+qq{*XK&l&0J3vtOcd-b_TDrzy#bH$LtE=*-}@@y!O9UgP=Q#v
zAmmGx2{I(SqVTEJ(2Hd7d=G6JuHEjKiAnDjmL0!j<~*3<P+Z{?!T7@&_vveV{k`D%
z`G>vUO2{`(Bh|2K1*8@`^q41+9cRT!%=SFxc@_<VbFFGOi^T_&?67ZQxmg6u<$^ZX
zmB$pGHOB}1NieMB=QA$p=<#QJ%lRI?5B-!vm|$|$JkTJ&mJQ2w3vpSkmiED|vu1``
zg9oX1JA*Pnl5vaqEU_}HQrEV{W~dhT4oW8V=0j_lpi8PaE6-sQ5wH<!oE1MZMDyIU
zT}X3(_5F`#K8`qcbrW}_9`mf6mCJ)-*vSx21!WFfPdNC|zR*Ql;$&w5mRqx-V!N;$
zJboYqLJ1VwGF-`Puo^GH5BzD8A5B?KH0<!4#1*-6cmsKMYqc`^Gn<B3ZKCJh+_(Pp
z_XwJlefF}^J2}=D)ax>PyN_e17G@&`MTz4mOLT#1oyCT7^I&g{l}p`9bG{XdxB%F&
zY8bR>Mm*f@WIh_4hj#UU#nf}8@VZuZhYbh9yPwrwS_Q($ik39f$=Xye6L7np_0HsF
z{it1l9Ufc$bTdpwy<19O>D=Reik*?$9b7~>Q)8b|Mwyx>Vw7eQN0%0ES@V&u2eD7u
zJ;UE#3m#l=96!37G$sVLx}hUo=OgASO)-GewX<F0);la5$V@-6>cBoIf9*23a<}4c
zM9ejfww;<DlKBT{W9K6Ht=0uvZc=kuyfOb{wE2I1ODD3((f-tLf?9po-7SGs4W<^r
zrdP>T>IZF{s3CX#Tbj|+7sn^kU4^xK2N3Z!&3v^sa(!eTc&^Z4RZk@L9c1o-7H2=x
zAccik^+zF4exxEQvM~wIOBd<8&tFjJQ>2p^ga>9ry+$pH0qzTfagStm5piSuJbV_g
z)L(Y1reO<@JB%57ks&PaN^J31&Mm%&4LDM5F55=3pp$<kR_N$G{xF0FQO;G>64s=8
zNAoq$iGAENR5h$+cWeG}n15zj|NED5U1R6brU{al;t6?!HonXi&K>Q5b$Feq5j%+a
zSow1NxKQEFk^$bw!oeDH%(O3278@fPui%qCS?5MkX<8niQwfHBodJ(GVsPFp7*L9}
z;CP-dw6(D%p9QY1uWZG_vV5r0%u@w(9suE@v!5<UBmGZnG`JT>o=hWb+zb<uydom_
z!%nsRWi?r<LaD9B4#~M{xI|gPuIp!_kj=--ngYrg!}H=UB6~q&v(z;MpU0Y67YC|g
zxjMoEZ6aMJO%2ov-xl1qK6k_mr7v#-Sy#o02Aw`9O;;#yee!L&@T{{F{kcX#QA3DP
z8esxGWbF-X^={^ATtDMFkzT5O6t40Rae61nwyZw9%qaWx>)d5|_@e8?bsn1Pp%&#S
z(wDF+RX*oEWVNV;z66^C)lKVd^WJq{G|*gVuagA)VYiJGN`J+7@9H!vON%uefc+KL
z6ns+A?}yWFI0Oh>Zi>@Bntx{MkWqC{Ur8fu(rVeNRy1MpPX8FQ_U-ZIJjbHJ)~hBr
z6kmMg;=;2?<Wqe{2MLtO5-bqJon>5zc>qFXoxjRebM1Lk<8___E0jzvY|*P`Ry%%=
zO6>e%m`W5R%hb6&azpv;M8{Gyc6HmBF`Gd<^Ow2G3MF2K<9@GPi!v9vznt9*$mwex
zlU;%6=>f9EdivfquE+FgI$Ux4OZE9H{DC<#W5@K9sgcp^>&_oPE+1R1v@)uxic^vY
zFGw2VK3bOXYaQ$N_b(ph9Vr$#jGiP>vY$Gn{^{sZx6wbg_sviAI^DknqUS&89!~1A
zn!gg=OS+_WR5UqDW0svTC%tx7F~{(yrbPznf2rbUW0HrB<ZFn&wfAvQ0~7Ql1;~j4
zj@U(}{?u?eB6c^{=Kkn@da9y3K6m`urVTn02fHwgfb1g9<w3eyd|Rqdkyo|2c|LX&
zk5dN&$;{vRR-6@fm$(OZ$q0tR_?ZHHYoF8CEL*LY?<@dD%)eP+AeHtvl!NwvekZ3d
zVPUoe*q*=AvH#>>E^-rp*Fs1C|4Bsyd8EH7=L0d&zuD-2Qg`<-kt?j<84XMj|2MZ?
zR3%)bSJ88AxPmc{fS1S+>r@CD&n>th;spDjuQ4S+f3xZ6><`xOJPi|&F9vq?E8&e!
zdSLQN7xQmK{(wF8s{cBvz0`Z<VW%md%BD>k?Y<#hN-X?9-ilY3kBt9cCAW;*6=c}>
zHI|=&A(V)g<@2$cuiKfBD{1lk^vAYO1Z2M5Auo*k;|y`a{<-vHCBSUel)4F3^{s`e
zyyOO386k0SYZ;+D=YJB{!#TJGTLmybtL^D^N`wb-5x(AJ)CV~`Mxq2T7R>ZlnFrn+
z%ni(TDtCu{Dx~yD`i{(@k}^!Ar?}75bZ}!WS(j#Rd>TGE5GVo}(XSIy&3Q0uS?|5e
zoQg2PYpZ_MOdJd?kv<<}VDJaM!IptTI`JvwzmE2@Xcxchex?z}!H}fm2yrYatPoyy
zt4k7H<G-d$BOgcW-QD<j`*r!JR06#O;y{4WPHg{FC^UEwnLE9W-PpNfH(F*Mz7-`&
zaG!jto-jEgES+vYBOFpo(Jw7{J8t9l5oJ&N`eA;1J<famX0Oh2Moo$RLUBo)EONmG
z^Ti@RcIBn19Fdxbx)NKZ^W%k?PL|_yHg*!o_&0?P7Q)BhRdKu4z^zt{!uNi2x){`y
z1=?g(5uPnbp!bEPG4G~~KJvxA*9q#eu^+|1v_fX2RRf>Ic&fD7UTau+y|nal+i14B
zA%zZy-Pfrj<41Y<yFyi@oiF5}Hh<m5fZ>ooeQwyEWi0vqH86EdWrkJmZQq)Px;LT0
z-D_aB6m__#`xB0zX*@J+W8WWuG^eQxH}Bs9w{DUADM<5k#^I@s{MZAYH^<=^RixmL
zlOzaexFi<!)v`%!&hvbxe-r-mo{TJaj(&x!TTtcUGo3S`I{)PewNY0BrpgrT!HRTw
zoBnjGUJ{|jE7u^5avdQ;#^NB?)jR#9TOB3)+w_Q#3_@m<)E`;hYXQ%fwYKXcU4oV^
zr(SSOj&5@4$Jo;Cl`7TOJ&kKJVh8Vy_FOUFkJl=Q?fAH3NUeE~J0~{leeIqx8K<r!
zk>*u@rFpGFCs;TqHs7lEjttf3Z@RatJ?}}3vg!JGP2lYV>2Vbw-ibL}ki{V$mc*~D
z3$So@-l{SX8&Fi}4uQE<5Xk5~4KFFVx~>TN@SQUcCsGyHPD-TiE!Uu@<A~1brWhO*
z?-${BtUa}qeuyORb>Vf;esAGG!++X`TiIm^=}5Tbp|CsOMvoY(1Ce3Y`W>BWkVYzx
zCJo^z-vlMIKx<`jpQ@LNb9gJh<)X_YS-VKAFSyhUaX{~^lgILD4}1U*j;7;wy?z*X
zd(H^X0xc<hFOEN)6fO|JH^m0Z_xmvs<EABi%>Lio%Ys#}(A7{NGMT-WC*@KI5|qRb
zwI-(EF2ycI+R7wj`<!V6dZLypc`-8Dj)P052ci4b5`lS!q=v_3uq#{hWp#^>IvVT(
zZ@q`bJr-QFB;!lvVo8dI>JZ*(xCJtFt(X5VF7$B)4b9w8*LM*hqQT|-*mguNSg(r1
z(~iob?hC@b62m`IL-S}MgvL>rDB(ITPo-s^ld;Rt@n*;V3|uhZZ0O7w)L+pR=%XO;
z(Ua*V?C_ac?z<IpHmYfaSNqp$7tVHS`1Zuh1bxC104;xqxJ++C-zoZNy!{|(7Laz^
znFu->24^@0Qe<ywbOduI&7(ZvX&aU^y29Ed-?FHZyV}voeG_7dEN_|;+bM>13vDmD
zW%Gjs!oi9FU8F|Tk&}sUT4HZb7<f;EwsTXIuJ((UlY(G>Tx)5>sVlOHiW!4*zw)%h
zx`cXtB-+{!M(rL?msN4xn#|5&iUeo>KxxN)&V5#sZ%SYa)>Vfowj6ByujCXcE9kK#
zUcLr7-E{1jzQ3|MXFhA~b1Z^WaI<8Ntq=QMjMgY8-pX9`(z68H2)8&H6~WS>%#=Z6
zQ*TgcB%=)SKWTkFnPQ-DphoM%Th7ngAxx9=g{l5=J~9SF#eB<Ssjj<Yz9&jPj`b0%
z=^`a0MwL-%Y2<fmzX=RP4Sq77n_GieLIM8&!;>pwQ1*{WKX$izn>B*wOz$b-Vx`}+
z`AudI9Od}WJi#y~7JR*fD9gjk8~V3?WdIRL_uU2+yTSwyXn@K*xy<NuY*-}4i}vVW
zb(+JcJ4IB7_mQNCqa@s0$OTU|D^|>>-*e{CDj7}6zZGIQmjTWF%R%3G2`rCM$UxN-
z+DgWl4S<%%Y#Npx2NatA_iG>}`P*&!|DoBxPqCb>wBS<zGD>j5I05zoQeo@V{JT>D
zglLNZQ+9>fzy{Hb={auZU#|mG73W(9V?94ole`63Gyha?ZHQ$A<esMuzXH@ZpsPRq
zsVyjnb(CM(RL8%Jo*ZqgpzFYp3&M<Ve!?4!Ucz$mE&&;9Mkohb+5do@l7qH;u0VEt
zXsUbe9xCaG*@jEjUGvdW+s~KeZ<<m{V^}|FOTNl?r|zvl`7D=7M?ECc?K&5uNzsw>
zb>hEU8ioLVi2feUSZVu$ZWUY6-fn5og6!kqu6$@MPu|(#<@rUHsd_z;DQ1YJzpPaE
z`gJAIk$s{0(Pz}cy2l2HB4=##AYWrw&WL05{{9?krI(t&f|blu2dO3edRL7K;UX6B
z3f67m#Q{Z`lOndsg9N35!~$ObGSSd>*h(=Ke^s3l(pPjXb9J9Efnvr7r@*MkgCK!w
zX4ayb397?dM^wez%>Z_f232O;2a(7CB*Fr}d4V?Lh=(J|5p*xMO+d#DT7`far4~N-
z2G;Un==LtzTCyCnNAU|vdjU^C{z}Zh9CG#uM1*~VrfjPLrt<Z*1>(~)@^|}@B;f41
zZ8_mq8OIdQs!yk-mlhL?bx?<){c1xo3gU#rl4)LjOUoYkdg9WIP<A>}nM-<p<YhGs
zV4zkn=%V@?h+rJ!@YvfJ%2r^p&Mcd)r;j%oj<H2UAJUoXO;i%J+Cj!pLBUt-#@K9U
zcV`ulHND>|6J6HgcV%9!jaTOGByQ!>^uI|kS+o~wW|lBju=z6N-Xtx&8bZ0qr4k@^
zJl2qDVJ}#3rd>@qRy-q<+!>#kWTi0b%ZU!@XDN|s#8&3$hjjn2p*_`0qvTI7TP8&`
zU;2FY@MyiUlwi|@(;F=sXl4t7oeG15D#~9Le#$TElQGp~;W?ho2tYw(4JK_2N%osn
zn_pe_R+n<e1JOzLS3H&<F{P<3&%&1{jkv?{mBgCNtxN8Oto<W5=PdHrt=+P>$%A~>
z3`^09^MNlr>5|L+B7Lk36F)qS*Q$;$gfy9<rq}qD9MZQOc!2aAuv;&JBe&Dy|IO-r
z7EdO{00Ayqxakp7tWd58=1rQlicbT7UK;c%+o79%b~5~?O?B}mQETFo?dGl7dgCKs
z!8j6<$TIT9S;{l@GFW(e@JV)_V6?D+Feub4=UFC1;ZakTBpwKLr4>1lZ4K)8O4*bt
zGgaN<NDg!ytj{UXWK#)Aw^<Ghic7cVjCkU@IL851=-81^vUy7LeXm4<8(OG|W5*?(
zE`&6|Uy;H<3LYAkn4tk_utak%wh?750@DoTWJweV<p{TT$_s(hS;(>Cb+tUw@Tyk<
z3;WI2crVNKK4S;+^QW<meaG%WYFU@IS(U-_`>vIzE?QJP>Ba9WIpA4xc->!Qd^t(V
zekk61bRDOwt$9J8JWG4X^pFKa!Dimy(-tncV{xLCZ}g&pP_GAETTcKaff@gZ0f15V
zMuW^_^qr}M2?gxy{%<R!Z{XN@1l#e{!&K5c=Gk%;^hJ&=K`6ctTLP;Dz3!w4;qR1u
zHB8WaSN}%(ep*CFuz^}eN+EGbjuJ^T&xkj#6*>Qyp;juZaWcUTn%GSR&~iJ~85zP1
z+nhtX@mQDOIp=?9k_0;}XHZ=u@}IJ6P9fCm$4O24(pD3=I*>N@Bk#j4P_mTLm8IA<
z%YGlAm~gB*)^2YW?{29*kGFAeC8NUw6*!B*-Bvq;!cRxf>AjzrHF(8Wdh@!F^XszL
zq_YlK=`_A4oH?Vkno^u(ff^GW>AYZ})4Tk9VjK;se-V-k)E@&|G^)uM4*to)yVv82
zEM2?&{F(?+!stG$RmCFC%7*?OR^Qy{`XBTA%=B&t83AHTUxg3ajb5?nb`KY<OHJgk
z(14z*jFI=oxZ-pbu$PthhNR(i4e762KNT#pMtx~><m#ugl0_bo@3^cAGtOU4sJV{D
zfZt6F07{Q}gSd~rD(;NX_l=I+AV{G9)-+DW?<SAjvgYKY?CJkn<8FJ0aJWH4W8XV7
zaPtOE0dACw^9dVN#%`koR`FIxN@=3P4hRwPkMb*7AT}7GmFIfpkMESJdO6|`KYDR?
z2M1|zoj4qQ@(UjuZ>5SbVJXb=sT^^Y1`@(1h3k8i9&i&{LZBPzVMERD#SV5q;8~pw
zJtKeCdKmxSjgsGk1?(<^G?2eDaIb4nUvlE5m6{yVAi1B%Ez;CP6~``()l~{C>|0kc
z8f#Vj`6nqthTw<^n+Kku=J@d6n{QM@%2s{UeOZzzkG)LqUwuQZt^`*={@cvvteCYJ
zbY7J>fwMBsJDBR+fUM~~ESF9UYMdRnn8%pcAo>1QwcvCbHrvqJ2WuASHctgTKai=N
z;87WI>lF23gI2;Hi^aby?j^d1tho|o(}^`!hU^hx!noLk7cDZ4vPflJqXvmq(Qmhh
zjvcD}cGvG40Nn;-uY34r^j=xm)-Ha2M>un$@73jeCb9lQoCZ-({yrhp>EQ1CfNE!)
z(ESaifv7}xvC0ZN8?uNT^ufpOnjOj_v-L;2MXn1FB^d1SXK@F*gW0NFNXQU^OiMSh
zdD@WXPn4OUSdCaJzv|srPPVfoO1N~hHYQ|pT|^&N9&`$ON~_1{BS)L-zPaeUX^>>#
zwomB~T!39kk29dUZHOADL}W_UND3WgKJ?`>dUq6fqv~kG?QvFz@DlUgUI*zE>s%8h
zZ`mDn<h=gq9`pW~kwdA(fc_rI4LXL;EAj3SQiN!zdIcXlkiC4Fn0_c0rFf=R_Uh7s
z=yYHZTH~Qr<h9)I4?MFS6_0FMI1Av;MCOImPhthf4jAX3h_qhE;mK>AS9EKbrT+YZ
zHo2GKcu~4*+uF;n@<}JNBT<5~99?(<;qB~_A4DTtYY(SgMs+8vKI*aeQ_D{9vAbQH
zEL7dL!&%{1dS^SGH5IQ3O19?oii>uzC1DWK)X=Mw=QDk0vVeC#RN^ka9-D)3-5Ul8
zztrkX`{3S_lve?Dc(C4g9lsP(DqGj^npcCjN2yj1B(1<Oc(?F;zssmYjR8m5LDLps
zoxKuMYY>39CNp`Jg;lr(sbUV&E3Fwdd4bH1*3V=rPF%z$29kE~f`xmd`Ha)$k;G+>
zkM5tl@iebo*?$}c%c8&mR}u{eIP1sx&p*&0AJzm@b8~``>~FnU(PkgewB#Pay@seh
zlE^KctdjdUE?ifzMK+~f3k#mPyleM9C+T_vjpVd=ajv_N{~)VJ#kT^WQh^llB{wK?
zM`L@wzVCnI^7O*oA>@lFIIEV2*y?IGeV*M<nRmwyjDh;mV&zwrQGnj{;Tw`r^0LdS
z5RR{Z&)kw6wXBX*Wc{4GcGk!P^*H?AOMvA&)oO;ZyI}zw;CKp?I)<ucrS&-k6Doa$
zEvoA5wd<YZgU!`(m{0md#7ru|*UA5_nJUj}vBS5a2OfFpBxRIVyK9YD3=4Xbi3WZj
z<(=5^R@kV~v<46p!x`(;h{jY&!Ug@#f^*+%M;rZY{SnP+=Y0XqFNo0Z{js<AuGwgN
zh-9gLl0vzuBnQkg43V?e6Mxdcz`(CoHT+?`;F${jT6T4i@7zD(119LQmQrIJ9}dRC
z#YisNR`#RQwQQ**kclG1jAKp;=rc5;VO<2$(Cu45unqV*1^+esfjW8gs+i_3przus
zXTrk+`s*?LfB}LDu>bFpV{9ycRV+-|6vhU|d=J#A|LGtD`YSNL1TdSP9{9g;wf`f8
zh@P4Z0ii~~1L)&LF#*S4Abc5J-HfS$|2;SO5;`9COBAo7&xhu--}zI_+kioVo>2^{
zIb~qtSnd&b<cb}=<=58OLXqhkYI<{LH+Q?-NbSg94n6lDCuEp`4f<gGC_MYs;ennJ
zsVLK=M;~h%wB>f1KELC>H;3pn-hL^h<QkwP&`V-!#sKpwKpOd2Viy~1l?<y6q7n&Y
ztW{$JDNSIS27d)k0ju1R9NqnK@)pJ#0@KE$9BKm#Z+<ZR?_pQQa0|$HTTC-uw+itS
z_BaidfWY19{~5Rw!$$q;1j*Nh^bst(efgjyYNv=}SWj%7IUla(PIc#2Zs3=Zn@~sQ
zMYAQ|xo0hx{C@K6Z!Bf0zBJanl!)pkB)e2}VoPi2AQraDB~xsh#t!sY3SAUkA4roS
zRFN+lK40cOPQop)6D~Jbk<K{?e!Do4k63I!sCI^o9?&L+;B|b{Y8uir5M^mxC}!R#
zkFFSWN)s%#v+G*O?k}n+9F|GP){#&P(u1??Q`arqC|Oqo9*k!32Ek9F;;T!_aRnl~
zO=fl30>XfJ;a|;5<0yUE%Diaw!Ez#wGG4L%dkSq3(F=+u6@6=8g+f9+vBH;qb=k8O
zmrWbo!0x-!@S;s4)1E8$X(T^B_9)|WhsKpl_e`4OZE}bKZZ)sxKxZpo)7XPIlPiWh
zA4s<eqbln0te?>jCtp#eAr^%5GuLN7Z`B*->ep^1(m7PBWCR<Mf`(rJ{UZSD$|C(s
zU?cRVHRyO9lB+c(36{H~aIk&51^(jFYuC<A$%hfBT_T{u#ei5(TsQDZvYPc=c@c*?
z1hRSk>8g_0QYNAK<<hxN*(}OjRny~lc1UrR<+VeFa{zNm_<DWoz6+h;X$LvpFL48w
z1RPTX&~`OeU<z)57Rh)OV@Q>I9pRp3hEt20X{l7p5AH&Zgk@Qz$yl}Y%4Bp%?oH|4
zULysT$If#4OSoOxg^`xAY->uvcLNjRJA#c|Nw|W)qq6c}=!pm>m0NzT|5nP#<NTZT
z(MT{1IE~uNRcc_JPU0kEWX=6`Gt_rl3k!isZEQuZ1(Q^wVSk6Nc@2S;EJgY*t<b(~
zt0)yQXnuDxwY?9=Fv_rpL9^{fjmC~P@>xU*>tQED<1hY4%drLFg%`rMx?~Gxi-vWR
zA&fI#FmeK2FU@)aS=`@P$8nX@iS#5OtJo<3ZOXR#=y7?@EKB$1#_bZ9Xh&oJr{j&N
zg;l?Y5&Vi{V9)^YxIo}}6UB^gd{E9PZhML_(=>cN32r|JTP$83x@RMHI}K`^%E%_p
z{B~_>d7yHyF3z`9hDugDk2}doLGp4(eYSVt8Y9$FJd@ySNj$a=*v+~8R~`W4K>-z^
z;o79GpaXi`m<s+@+S8{h;-?W{YI8&QikRf;6(b9R%ZA?ysB3}-@KN)h&&G%2IbR49
zCgf&`0TDXit8aev|E!r*Cg&H&*9-YH_kxbop10OA|LFO@s6~dD;()&M_wjDmp+r2A
z_>%Oo!cpa#?qCQ|Yv^SL*Q(<;(D6Oex$KW_rZJJjQ~alyMj%fgsWtxmN#AUfYC5)6
z-&=D>wkkTG{)#|0=w|c`RpLk7uQfNJi%(*>SpVJ#DL*6L%058?XA6(Ze0=#xdy}=J
zv{OOknIMr~`=^?`*pposg`C=>xQ(Z3?;}m;kKU-iu5q39GBEDJ;gRAUY3Wab8Rx;|
z?h?%{_A{~R;3-^#E`q*P2O1+?)}2GmPndOGzg3!8O8&TlNwS~|RZ01?0gZ7QFSz4<
z^>b49l3b^faNP1~&*bQ$Zna3J+v!qi!(H(;l>gxB<W3f`mWjje|8{MUj@|t1?T6k6
znpUDA9bHKZh=~i*|Iihw>U6tfd9JOA9B;DZq+bIB7#&H!V`JArF|1Ka=o7zY(2wuM
zN|ys##{s?A4&v?wiQBWzt0Xe4nBrfpvp8grJ7K``O(B(y|AEn!vdA@dqe6%j?M>`7
z(=*N%Fzt8OI`*<?jLO;2bVZ&$eS7)0ip98$fO7n;vw-MUdi?)a_zY-O<j4B&*JuU(
zx9%SuYWwZ@TqxZ?<+Erl{YO7z{azBIxiN<${ZpWbrq%B@Z$Kqtkma`m1#H+~$_u^D
zMP%=n8;&{R?}z@r#0l;_`^BdRF0yy_S0LZM6vadm*NlzKnhy6YlBDPqOW&~#_dW}e
z9G!xc1bTWZzL3Vkx~K)<O~0O!vNo*gv7i~VReg-<P`;pUfGLhLA8N3X8s%dBsg8#&
z^)W;3fJQ{Une<}Ws)_YJZPlh)8P9si+EWVnvA4c#5}b7gmGAfylD?zlv}hp7cmL4;
zXfYz#dacLDvFT{-#$O`^9oCd&hMLtw()A1>W4x?i%uCWq`I7@rdMX-6sfP%L<1^)e
zqJD;@-iYm^!nL=2md9a@=)@m}BtX>d_&V6C<vNr4{f|GWNpO|t5BgTsq*$P1fjB%*
z9+2}hDOWoTnA{ymr?_A5^S1HD)z+AF(Wx||;R(mrKmahu8*{H1;{!?335sFBPnBST
zni;P-;KBWKV5{mZ$Ax^mM7VZ!r4R~4&Ot0p{S`J4SH+}C4u)8u&8naB^fe?Yfl{jv
z455<_McwkC{;fLK+;lR;qMew?pn(|vupOO6pts}VPYv%IW1F-`G3CB&Qnq(&Bo!uW
znncOYoQBOFuI`!@yoaTR?fRZ9PN*Us)H+2Ud%eGnHq(C9zW9hi-9sVWY)uih8|oi=
z7*}<OY(Ch#=0`%R?7z^!C&!drGe@bj#Ukti$G&WExey6HO&Xa=++Gsdt+pFU_{?S_
zVm9`_4(sFcy~vkFuWSu(&RSc(hh8n%;-u>S!SuQ8b6!>V8(WU>Ox^0XqGqSn-1Bc5
z%aC3FkE3_ALw|}GRmPaFM(*tDWqw)c9jqX}H-ENFNzDG*!sw?^gCb4&<uNuT-Q*Qw
zZjnM|<phF6)v*2);;I@3#p-l*WbANq?-b#7`x`?(UkXIOLSjRJxy2&5^L6-?-Rxxy
z{V!TA8#QqSc=G#8#o1`)Y^a{%rkdZZ{$bMiy!b|GV1nI=MrEgO>GiZENFY0iVov$?
z>u2#raB5}6d_Til!s5zzQ|?K*R5G2m>O|VF-e`~!>-OfeiWyD4qgL{e_6u0@tgu>d
zy)2#O@~T+gamj87dhMR=ErzT&@KWXeN|C`i-?$>`YKBVF2#$A!E??N}lcP#rnSXR@
z?9G{Iq{@!!u6L+nn_D@yW(eT>($_GeYK4(lz?A^-;QT(Zo*_jbYdLCphE$iV16~U2
zIOyDo><vk$O()hE;L7k0wz(DqYe57D^+t}mhzNL=s%W2v=~fH@wOO~`9JJ>Nw!7>3
zP8|(<E(!DQ$(;=cE<}%bB6?d{jBmW)IeXvtZgO7J`0`gz(>DYAIT5;sIe8Hok~i{G
zC{Hb1t9ktlk+SqPAzwM8?wcImj8co1a|=^7KK4vlOb5khOIJ1bWd))HTFRG{A5#f#
z9ys)7<n0SF#7nua8k*7TJK77YHPxdpX2$Jx>&bBQ;lI}+MFmpg{_(MgnpJ1oF#by{
zHnpD|wbba6xbQh^4^BZZ$WSpT$MLI<IHzeCcyIwWH(UC%WuP8%MqQD0H@K_v>od!r
zO2or!QrRYowDAU^c)4N=b`1uac5F9RBE+DT%FwX9kz{Z-s%ue#tSBv({oZ^nV+F+i
zU^6?89^sx)^n$I*d#umPg>&1kRj)q{yYd@e+K6{?c9ff#f6=8T2j$L={m6XR?=?3Z
zdN9=v7yTh;aSO0GR!;->eB-M<Kr@l2qBdhxuZ{H-8N$lIzefgDpHvIBs%;)!l8l3P
z#b<=R4L$~EFTeW)66TcaAPQ~1gFozB(a*sK8mpHhj#QK+L+rd0kvy45FQ3!YCM)iP
zZ!ZAZ(&v>9vLY0>Z;Hji#&LNV*plOJJg98rNH&;Cj$J%%3o4B)S)ZQ&4?!tGD1Suk
z{Y{_*&GFq6ISLrLPYpYCNw2MVpe6LRz#37)G8gR{IXrO0P7Y{LsJ}V$2=6OR@l_nV
zhEZX{05)jqQjp|V`^gs{vy3CXS9dd0GGpe-3saNTMe-Oco4al(C^}XolHxI?;VAET
z+?vWadu$v<H6*^&t#GX|;OI)y%t7}&+G4tBwA|>OhaE~6o!EmkYx!d1{Ko^Wm@{Pk
z*6<UGmbaym&)V@v4fNlPf#++jy;tLewsdOz#LgcfiAnmRd*aWmLE=XCQX%hQZqljJ
zg4Q7J0nUPcTkflUoiQu>A8u;v2LR>XVrd*Rg*HO!j^ipIA$btp19u+ZbErn^dOAl1
z8_h?0+^#9_TNqsbRh+~^#=i>!q1ZC<0-W}7?e0<_>IrACL7K)@hEvOXe4u2o)9Bij
z2{L|dW0?smevdu+QXpF{aM1UTj_u1nS;^5?HZ@%39dUNUu4PTIa9Dx3Oa*8nIaUEV
z?jQ4cGa0aSeiyi$I}i`|gV`1~<aKQ&@*h=wpGqU+*X-O>kRnK^XNL-W;{4vva8?f<
zltXGz9d*C)^Vs8nZrvPypB4@SI?*T71T#D%)NT`@vOX(@q(T<8u$|l4mvOq%@Q2v}
zCD9&1#_tiJK|Ccj{ct%J<7fYN+8HPi0-*L-4U(bqU5$Cm<A(31X{7uUQp2d7K%f)(
zvC<He+M+&aj6_@ixbw-4d03)6cyJCj($5=|2U#yN&NEHe{V_VlB0eru*3|^CYXWw*
z6fg9+9S|!LHp`PUvR$$-n8e)$O#OfXrT5?dM>}vyc7(s`Sf8(%={UoS1lJC7>1&8n
ztY@#g8qz?Z{>!Kp(3a#gg7kdq6SW8Q;biCgF+ytsuDazE+B;>bPV1P=+fI>82!EAB
z0>Q&wD{mR(9>LD6Ro56e+ks&CR;kQ4*IFsg=KWsDYs4VzgUu(uPds%Kx|^%bDXq}v
zDhHu;?lw)|xmgMu_?(jr9=yRGe?)PNT^|DDWd{%DA>a!N-9Tp+dq6l)L$`OdVwgYi
zaWo#g@^UX|xp*%E#%n2QXkqR<SYDt8>*>$jzwW!Lr;GYh^(9_3msX5O&*y(SUW~&)
zJd=KeXTqUciW3hMv%6F!WrPHhv;92pK$5BlOus8{-MOHlRC7}EVxZ6)&=UmhRGpTk
z#kg?$Cmp5Fj!apcS>$ma-wGVPfn_mqrjF)EJ~9dOaOVu6%3`CmNXOyHinx|#9--w$
zy3GSkc3uF--xw`;JZVi+>pGp=Ryjy|?U=53FIzG;rmsILE{tk5u<4p%*LLTjQAR@-
z_QqUPr%5*1#~!#Amplj1EH5qw^=i7GW4M<g57t>*IHdmU{J37Pt=c61I7ZO_{BvcU
zj>91l4$sN#T`XVXKk-*1<Wc9dUi^e&?G+muLtUXq*MC6Ai1HmXT3*k55(#lCXMQE@
zQCxLektcVj3y^DW*~X3-dW3J*krr~VCbZH~e#NS4U&LtD-j9QQmGw&1^n-6zG8H}o
zT4^H7qeB7$cx9uZN<gEV-z80>r6^e3u@@h-zkPlavd=!3i7#KhBpNNHkJRDSm&EqH
zl&gzT?Lb@yDCp7Wi*Orzy?&!%yn>;EM<G0@Bzb2op8ozguT10N(U0%rXY+pheQ7-7
zN^!2-ZTHFivOL`QpcTX3cVyyGQ8hR#t!GF1^@SvJnO_X{#Kb28$KPG4gkO5g&heQ5
zRX(zoHJMXx^e(}&Co*sVRpOmMU^uR)rhRwobcMZuyGbD2?)n4s@lypcUKxfY!3vJH
zbZ#itM%xKaG^T0(BolwQ4IeIaI+nddQhB`WEUuUkS&Mh<yshXd6L~7-H6z;YbIwes
z8s{gpoO*V{WYwuJT)N}`;q1NRsr=*r|IR^Xh>!?T_KGMwp<$N29m$^A+bP*3$qFfj
z>|<x2$X?mU&fa8iey?-r{qFtwetzHE?f3hq+pXg|=Xzb&>$+agb$>oy>EUavUY|+k
zk5pVXkL5)xl9X-<v~{XPlI1kFRNDcnKtc@(UOXr|2|WgagOeVR7CgqmIR6+4DYPql
z+U~h430xo~$a)IF&>{G#x({$H{>V3+h8X{p)CuMOD)9@Qy2Kz2fp$f}*WpRz=P*rR
z|Hc|XXyJ_T0nr5HABiT)Xmsdt#@Jy5v4GS0XRUyolVAaVwxk4pGJ3c^VurSI!((sX
zyx#+#z%hO}K>0jr^5->f@ix5zC;x{Mtl~HqeZ=9JM}`IBnST$pJjXepQF1kcO%i;1
z7U9HF9M2m>wpaS3WJuU|*%qW4BF3W*<q0$oIhOCW<yIhWdpPBIEZ4R~!sD)ts--o!
z&Q>qp_ik(I;H+27#gGH1BbK;^+sZXWo~dU&QKrum;#%F!8FG|A*4-{jJ9YK2_QkI8
z&4Y-oUKVV5>T45-364sx74_Vfi34h#X!4DMmgMd4aqAY(bc#*uw<BowZm>wy?nQxF
zJ7WxyB!O_hx+;%}ek1jOF)o<)u%)au33r`%bY!ybbfXf1=B^Yc{-<s^mjyK$q}A*X
z7o032Vst+A50-5ZgJqJWjVRAD7nXJa0mg`JvzUDo%ak<!_%;(*wx0$ah(u`?Z(52M
zTG|qzy7Yq&pz7ymU+pSDw<A_T3izKu(+}$d0bI;EK8X=F8IeSRFe_OrXYe$93omsj
zYJ|=lTn!AzS>o^CU6$nhYd#atBPmD3zAZd{cvL(@o3S6})VG6cFjB<qmRZzom>^I@
z;(mE*^A}gT#5LF~#nkKrkG2?6d%}C}BRBHSf9lfmTq=bJ9Yxw*9TLH@N=ja-rHNXd
zM0h|%Xw?nE>4#n44%qeX_sP%C@0s0R`NaV19va(c08z}JiAGZw?Pi{XyXx$W8P+O_
zJ^kRv5!Q^V5vcX?E}J!}equ#aTLImvAJJD-N<dfh_3lT4w9h8S)n{{LnViW>(@<R|
zlj|ZySK1d_Z;%Xb`pO@rF(?bO-Qs@c%4H=!w2IXz7PtQak0roGk519^HbE>|QNXo9
z!7ao}K@nlBj{J6ROYbXE&F8FcAKZ$I!~zY+k{<@NMMhv}U1;|+Pg(_uDPek3lhS-Q
z!A$st0KcI{)r3@6BZtomQ~uGb(DDIKXQ8jR1Xe@d)!tR!7*EMON?HBVwxES<RbO=<
zr5<#8g?<IW8wm0W)dIM!g<-bNY+s`6iJN-Dp0oQD6(NH%aS63HKUHz3@Uep)3cpC%
znE1kjri1T{_(8+6a!&-C`|StIVj4Qnmo`_P=oT;<grEXcoyV<ZwCrQpj}xEj7t_tF
za9U8yJ<AH9YZZs2QX#A(VnRy#G;bJPeH|ZvWwLx({YO5l3^KLpA++y&%%t>Wq6IW{
z-;HMB-IPm9wgq`Carg2E&Z^O;ZWW)V%VBaKQ0}87_NHPp+VQCZ&*XfZ?%IcL_Lg`Z
z35v<{ptBEWE}7Rw-X|^$^*3_1Mx$kHxLanU9?97)*Bl6n!ZJ83y@I{n3YK_k7ccRx
z851V1jaq9xw;|9JX3H&9Si1H>R3xCWwy}oP<I)I!vZHAC!EX8hZd~80V#@eHMzqfJ
z;Fa(Cj6;#y(dufv4HY#GUz;P`-niM>@V&|jn8NL&zKQxo+~rgm`;;{Wb>g<J7F^iN
zL1Nk{0xq#1JF8p;WHJ*xW+%Dk>G>Xy3M#m?80v`2r^WFJl+DWT*~HqIks}-@n=7@t
zE1SN5i=-=<&Ty<<m$YB)P_&4uH}$k^nYL9d@MI*%gbsfe?NurSC62NHd}5;u)qf+e
z<-s@c?N24^hPu@UE3kM!Lk@vUj>i+l@PXqv4Q2s8p$At#>N7K$KPg;yx&2TpMT$#J
z=j~uylghN6#-!$>`*N==K(MsHU$TUF?lAYghvBE-vrp-D`n4Cu50&&vl5Y(CV)0r#
zD8s!e9o>h%vJyf~pR{6O3bu*V<zJjz)@s<TeYN)I-{-u@$ku&ho6$S=QxB;;EIYkN
zE+by|^Ygs>J4+gc<9j^QDkVfN^^TGPk>y*)Ww$YP^0S1FHMV@OYb*C<!E84#odpxa
z%h>Wo)A=ng(%T<M4=0rjRGIxyfV8mm;&{A1mk4;}GSiAGHZ&x0o1I5cgHV~XoRTg>
z<DDq$6X&++ViIU{d5qLAi<M7p9~PN}26<*Is9Z|@*(!p`Xvj?|j+JwbNuFlN?QuhB
zR#cA>eiKt41&eJQZVh}nsI6&Qb}IjvpW;yQ2_%bidM(VG?+CrpRP!2sL1J!naQpTA
z0e!7W_5tU&90lLK98!S2fx_4sC1Y?6)&_ItdR!S$$eAaJEHk##W++jwKXMXQZ~VPu
zkMz%(j)SN0%Gu`@um`d|HR=KUNS6S_A??PXOvLMoQ5S*tV13YZA&*NJE5xVftGIW8
zm}*!~zvgQ$7u00Oej^f|UYzs<)b{;FqQsXxpKMxmGv8H@EUsiNf}4>yWqSx~m4k6N
z<xExtIT1fDdNJp1kesiEERKBQ92Ycy<kfuWV*CPQKR{dqN=h1dnmT5y7XvF;w-vPW
zdqJa|kTjW}mzHkKP}hL2;A##$t|*t#l^d2K`^srQ>*G^J#9&quFjhLU_lTPL@ii6p
zmD4kI-<&YOW^|GMbnkh;N+Me)YG3JbTMXp%Ur7_bFfrv_oSfk7l?1=w!tV7on$F2{
zU*kA~5S1clmQ)g#1r;0y4~*liT*{z7@A|0kkYnS!Aq%lEFCcLcsn@8mNoDj`RM<ZQ
zFY?>Ye;{n}xMe2-ow=sJ6Ne)|<W+g71<^U`QyUbyrDnO6^6ZPdK!#3U?vWh}M8$YA
z={0*nKb6}(WGdaDuP+IdIfko8lBn*EYWhpp<HEUNB{J%$oJ~D2mh{a}G}x{5&IvQp
z1>T(VE&51L7FhR%5gaQ#&7!V1GuPXNE^m-SQ_E9Jj-LtwOZF%CcEAKXP%oHeL^qXj
z_A-rGq3)Q0#Gm!U=D;EDG?f>XDN3qxQHxS1vbH-ooRzPc$+~lzDI{*d97sUtkCh}5
zIVIt>!QZsJJCBiFuaTVe1#s)t5cr;IN>}M-wb+f!Ax3vHNI4s9<3i;%*iA)dW-OJ-
z3;Zb=Up7}m;ib+3bpJ+=J`TjO12P#QZ;9e$7Ho)PKj5^Md<@wQ1>tb%FTNpFrsr4b
zw#qkyEK)^3WZ7f^LAkZTE}>3>b>0tTh|&NWC}oJ9RY>@gkH25^sd#rk=bK2aD#Ti2
zfVDUX!7M<(OZ!nF{!eg{#1aN)sNmSoc&PfukK(Pbo_zZjnM}5Tt`VMr>-h}*RdV*y
zqL3cy6(8pKx!lX5n8C0@zkh`rbUF0Iq<HRn;Bc03ZKyY9(?%U6yeIh1)0;ip!XT3-
z1#XqZ56vi+li)2aNW8~4kP96eFIq0$(01{|?qFe(_&Klx?Nh4f0`GE<D$er}!E51a
zq<Wbzzv|$wN5k80Z>l0|&P#Vvs4fW>Hd9)SG+5B%$Ie^aS-Bys_qFupzqT=Hjh44`
zg~Z81lH~T6`^y~=2Pa7zVyKBo<{}QKe2o!Ar~JX)s9zzYkwK{qm*aDSy$!zG(T{M#
zT7-M&T1+Mf>q{%cM4*B@c2dY1vlQYR!$l)m8OG-dnEh7qyb_4i8dR9xPCi?L7KegZ
zaaEO)cPPEb86?O@wegRgGk<`_$Qc@Uc37GE!B2;Ak0H8iGv(|dB-orK#+JhlKE%|<
zbD)}ziCN**x1q&6o|A)vkF?b5OLsp;G%qPljmXQ9$v$ACUNpk<BIS*F-!)21g32J_
z^1cqcd70v^m-Leel%GoasE7VOPyHM>oN9roxe(_`iDW9Jqwoy@>w^o{eVhDGW4x@~
zE*Wc1H`1W5MGpCNz2EqRdv1HGwDY>9gbvq+2Da6EqM;9$ui|1%K|Wl@^rC*M$FKT>
zt7D_hzOmhg<M)Gg>!<wDci)pRSs@(zp>-TU)dZ_KlwH*4Z}oMig+q&lsO1vB3`Q_}
zRj0=;H~7Yai#ttw8zf*Ar>&ahZ3-+MKF;RO?J>HdqII(*!<FrWz4|LApTRUIF*aDy
z%l&A=ll14bProkos~tETFidv|jJrelRl=$q<8lJ)1+CAA8Vs}7+}r{eQRBGx2q_x^
zXl_66V7Nl$lbkO^Iphc%|LwNOhWD>-m{8Gh9+lt^_mqut)pU;hbbxdZ{Z{BydcGp*
zGIm?AZI%lnCvvZxZ2#b#;3G6zbgJC(n+izF@DT}pC@6Zz5vksyll`1dLe08PH@J3)
zog#-vif2Pu=V4+(W^9xwUTkLO@)eqVk06(ewc2`hJ8jEbxaDtNbC4t{k1#B<sn2E(
z$qAd4(<V)E2GD*h>*u2%Fc^45y)Q))2~Wu?{2hN(wqJ&mcc<q9B(f-8`;u`&=tPFG
zoyW!3$BMn8CHCaS<}Lc(I*r+_Qt4N1d)=8~{bWiswqI=ysQQoR1}ER8sJTCUE~iH~
zJTv5*WUDU8NhLmN%E49x`BSbro}fiMpXR8HG17A!<8p1tN_qUWCNqBM`$Ry4OOls=
zq`Fj#k&+R!)|EnGBIWvsB(=8g^?@6QzD%~;i0zArONL}?5p9CTS6UxgttN%m{!(1&
z5f_mC@cM9%#_h!a1MT$IUemr<Wt4lcOBLb26{TOfU}d`bVdILQ!5+tU*5wHj=A)L3
z{P{RT=9BkhJKJ8=W6#sjd_AV13JSri7ZGX+{?DomwQ{S5#g6S9opVU-yXO5Wgoe-{
z`ae2})fXY<<1%B2tp1_uX#>L~m>Od0DPO<&;X;)7Db{l47qj4Us*B!XTW-rgCVV)L
z6ZI~k*y||EKJBkD@&v>Eu8gsKVlyU^>*5J~(PUvTpQLrfTvhQJ+vTr(md_Jnl#qrx
zwh#XB9~KkD&b#s8;pRL+qchO@G92)`XpH?&<qQ*C|9=RA5r;;^{{&uV=KLRtroStE
z|91lC?<Rx)F_>+(1eMzc=-B<=Xx{^OaJQVEC*<1}0XWCMtPaY<JH{sDzt~Lmxe^9+
zMe~1Y-vf>ZF=~|@6sUf?yO+ueUFGfwk6vz(L>7t`f{d3#Nq9g82~%$xeW6D8P;JXR
z`wP(F_J<leu!nS;=tLWnZ}GBB$i-X#@aM5Q9G*L#G;T_YS7`jL{pux6S1L)d>&M|5
zwxQ@t97)_6uOG$hNZ`eiE%O#wPuo>m7i)YG?ct*wsU~<JOi>=J@a5(VApzCL$)R|B
z{)qi;Cx!!8Eb&S*e`C_WyPv$EsRfU@Zahn|_KK4>)=8GTar;p+<4~uZl^`wWdU{o5
z^}JeCZZfK;B%8ZVX#GI}d@EpY+Ys+d+^75pi^-O5Dy2cf_N&cQe0p$JDZz|tgki;q
zoaAM6|K2}W2Pm|gW?z(BADX6Uhwc>b$@Oqd*N(AWq8KHKV784u9Hflv5~lm5Cft!d
z=vSQ`@;vWS-+E30J;{)+@DT%S+AA`=neO@mm8FZljogez-t^bUrT8k74mr1?xM2m{
zEpc{hQ`v<@;kOg7<_LSs68)!nP!N*&n(1xOS4RDt+t-7u8yPtV(u!%D2v(^eA+`;*
z)?r!$+_>_WJ_nV3vCk|^5XX=G`hqp_3vZGDt#MhTF+tTl+4q9dpj(C6KfWEhLW=R?
zTE*lix297%+%dq_pTc?xo~GbuyV&P^Zo!LnS$?n9P44noIQOaJaC(GZ)LBWrqXIJM
ze%Y+AxoFNs%7;Otl}gmGN{qN<^5_fQ^c3<~)jX^h-q_RVnAh}2pd5#9>5qA~x>4Ty
z3+h7Mwvi-?U)#(vDyv*Q==Z((s2|%ZOE7ns0aj%_-{MDHas~GGcJogva`v2}9q~|x
z<6>2{xaRL=^*P#unskOEZC@7#iY;^{MlVV5XCbw~+Jh+vp7w<*58S&PcO$LVsb1BS
z`F^uix<#Jz#cVsjQB)U*)=kWE$+M-X-OCjrxA-5bA2$+{T;aD&3(o#dDPRdz-;o~#
z3Lk4TFKnWBss4Vz5{>6{45cDVHkM=ck?YaYH-wWGY9HBHt^$SYfbGJ;BFlK7bN9}A
znWtcJWYC&Cf&Nx>)e=rCu%#bBetWb?U2*v9%f`Q5u36t$<MgX$UFxD#YilG<f$%0>
z)t{`D;FdOjBV2r!0MzMhbHhD=079=tNY$d}<FAo;sB#=DI@{ntW0vl$SN~abLAx3~
zBTi!1>&nH!n7O&Irb1j}V-<5K^Pq3lc}UB9$L04!E4GqZkBr16N-}fttCJXgA<n`k
zvs{5ncqq}){g1Q8cx4duHJ|1Ewxghwf(*equ^-Ju4we}0FA|T*Bxql|CqNJjs%Ag)
z|F8fNOfFwvYD($E&)L@xe<Da;$zU*1<CiK8o$|~NGnSA^-5FznZMaGSXxQuu2^8Ht
zh*{XdB3tzcsg1Ln;5=<XsR}ah>Pf{#y~%-1;S((Y0X83^YwF4l_2SlCEt_G66eRZd
zW?X)H*&^F5S7q9>lR8RMf&q5qs-t%J)|t|Va`D>V9l9+g41=n0z5VsZsc+<+kBo!K
zWID-COjqR#bsiMS(A<|bBbWc|aeQLHQ+ck%dTFHHO<%39m=sTlr?p&DPJf?Kehrpp
zoCCX7&K0=kkgLXS`~=&IpL<qYD=M;8RoqJm_?GjC6r5jE`K>oroWxmQt4?7_ds9TM
zedh}7cKsZng$8~TJKEd>|7rpDD230f6Z6)kPVL&~Qp7@yvSlZtci3Oc+)>Uv{KciU
zsI}xb=QTFuhMff~Z{Y6O;?-uEk7&-RR9@Uyz4+RuA}6;p9R7D3-zvLQl4YH35vk`B
z=FcH@Q@DQ9Zz+n1DtooeT2=kM9ZH!Ec@wgKRLBy3+8>qvEh-ZINr?reYcTUu|7)zR
z<4JSI)<dLX>8}7FL$PT*x3d<Vzv&i>clqyUKZiX~+ieUt{>zR%tN3c~ah~dUZFfZD
za`w7q`p|s&_8N9W)adljQQAHx+75xly_@azi(+zie@_R?yHC|Wwp;E=PX3`)Fv;NG
z{h|QFC+A)Gjs+Y8TZTWcang$si<Aq0WvmbNgkaT)@DyQ&tN;iwZ?{iT)L&!4aG?zj
zL8yD4R&*_}XuoMrS=ZeL;EVs&^oNlJ`KNy8qXE3czn=6{hW39)bRg%d(K+q2eI8Cn
z?~U~bz=r&{0sXIf<p0sW?(uK?`srxEMV#IQjcK?Sa&OGw&-H>&FM>lbt$Slg12Txn
z6>Q5ZAcNlcr)!-Ql)B*NPOnTJVf}URIf%y^<qxBi8caO^_YAGQi`3_WWh!4jMIA>O
zVcH+K6IQQp?VP_pZPegXcV5}Mj-I{ySK$s2=SGLj9tH5L=aJXXpEe7OQSmZyAIYfH
zh)PgWVJikUT=A+uubwbLLLqSBk*Cq)nDfDB1q)E(e27#Jdx0)rU@z@l;-!ukzXmG?
z6k4d{9gbE@CK#UqQzjjzHUPBJ=`kY$1;!`Hszm`3Le1w{*I@<$^aP*AcpslqfJ@wv
zTFkXTx8ZQLWS3o~`GiAuXsUzeqrHyU{gecQ6bY}a@e!U}@hAsVpG`&aiao8a{DkMi
zi9kY~Bv<?kdEX)fED1=cKP_^<s{N&#CJE$i0+_c*g+%~@&On!8q;$`f-osvqbh}n=
z`Dv~t&F9vD`hi{L^o{L^?ddeT=Ur*eZXefR0G++CyNpAGb=q>3hRx~vKpv4Vkq?h*
z^H<LjYGe0geCED$-Ab6x+h#aGuxk3LpYJnaH8ebH24vS+fb6=Kx}{lKC?^e#!%)wX
zY6peKoCC6IKk-cpZqo6=T3kE3a&(-6#8-EJ9u<k;ataj=m9fU`Hd9)Aaru}Rz(YNE
z@(n&;el`X?6u%CsuWM{%ai<nDq+9Y~AL}hO<jcxecb*LI&%Vq+72@*JP8AYUZZKWV
zO$n+8S~pFEnM!%tJl4KH{Yb<M%C#s&5VC`?`v!TwuJ35Ev(yusFL*ADUlJyaqE;}w
z5-_(h7aDEc%BLUG&mOgcSgS}SKH;zuBr;MIOU(>VjOTm&hog1Pg&U&%Nzlyq4n8m?
zE9uM(abVNFE&@@RkNmw#FPZWMVSrY3zsWvre^gUMj)=zU8$^q`r$@;e=Ki{ybd%Ls
z{7Vu2^jBZ@z+%DOU@=eWNa1N|#Bb;2?>`vSMF&j1v+Zw^#P~1CE@-+R<pn#23F>{m
zfx+6am!ACdn1sUjbm3C%&}b=L`UA=zh15Wy;Ro~5n!{dqmgxMNo^}dv{|oq$nYAy<
z>js6KbI)<&BB%em0#=7gcxh;Ez|4!f&UgLevqhVv@jpTlb7AwjPd$ey4<b{n1H-1n
zRU=wenXu1ZlgCK$o2R?Kc<3U#lJe&6N5X?R`Aw)0;d-chm(We{m%`X@UXS9>e~n{h
zOQZjgqE<iS$9MT`$*&4+j5J{Kt7;_5Qv@I!gE1}w!TY-iZUL@v=J;m^JA>lu#?lfP
zg$hzcfCDn{?5%Qxgf#cy$3BD#K0rDL1&bU$b9o#pQ%A%#yTuLL*F-)QiE+6El=+N|
zLt`hWd8o#}af1B9b}ymk9+O)$g^V*qBnlAIzCb4gou~I=g5D=O1ug+bppgQ`{;n~~
zWyLF)2@;ZR#clTlYL@y%{iyK<j@O7T$TWU>)Lbo0j<9>1`&P+03EotJv&L^NS$NR>
z{pH>~?fa0T4O7SgsZikT5oT2YXOKh663ORRor?7w{SVf*cNl2lUv4)gmcXdf@2M7l
z)gnWDl)Bd065ST$HRQ^zf^B_?S4GZYm;;uS>}W0#44+nc<>O;~)v*+>ffdFaMe?K+
z?*R)8bZKDLE>)y5(do)bi@*gs)VAT#Q6PagQNTQ7pPlaM;l9~l3iqo(bYQ64uWuvR
ziQez3i0aq1y_)9~>`gDpu%sD^f^~Dk*jMh#PfvtrFr)@}0-sF#2e%UiVi%crSby9Z
z2hUz(h@8qMN8CDHs_c;~qzG!vs>KM~A&kAKCH4orHIRg5l{A^$hY*rX3#S9}b}jCG
z`F<oIZ;jl0o^vakP59Pt7w09aCp~~h)B7(yEntH110KNATJz`$&XUy7zUG|cwUpy=
zR@mN0vTGY$POV>X?-VRx?kI?-fdLSL*>Yie+6S`4zZ|yO+n0?FXjpo`JqRkyk?_hf
z*m-^6VC%%gB9wTfLU+M*BA{>9R~E~-7i~OF8!W(rJp#B{WbgIda36eiF+20Uv{h|C
z2vX)jC;A|CR7mkJa%+G_ZpUOI&jjSr$gQZHd=%eFw9hpd_%1+hNzPSC?%wzZmJqA7
zJlgF?iu|fsS7Pe}U!II;l||1O)~*f{dhI|zjw7T9OP|4iOzqj@Pc;Kd$>0c5hzDBU
z27Mr?x%}Iga`!Y=hhxTh?gWs_^cVhg*r10FhlAuHu&qCNPVoZheQI~`Uv!ZX*dkJ3
zX+e06*-iv~>}kM$>WCa-3Bjl`Z85PjS}_J3d=9AUy!-UvkA+1e$LL=G*TI1PHi*g3
zZr5ed?r;td1vb_B@9#gsxrja(<6~nCKKP<@8r*GGZ|CH7$9R^&{)NoZpObCXKf8qX
z!njxF#(xLvmFX{s6;)NaOZnKw4|047;Tsc-HdkILv-26J*{;_Cx8>}-ps_#^T1;dW
zKsdJ9Ny91W-yO`6=@frl$*I)zvaoY#vzP8Qx1f_r^o{oT(TS+|^#%XF%O|erpS27$
zc5_tcR(eu?SguH2<~>SNEntSevT_OFN}%sI5Zj{Qb<%393JPMWx+5Nc;Hiv!IS2??
zZO-BX!g%hH5hj?0&T#EfrLBdnY?9ZYZ#~<+e~bAjBj}9CYv>chagMS4xsjar$Zal2
zff9Z!=j8KyUq$cc4rS_SM`Ftd;@&@~O0N{>9~;=zOf#cIlye{IK(~MPpr;S?pQWx|
z<ZatOkD0VFGG4D3?Fz#-8hKdx@KNq1grLw6*7KAG(|KzZ52=?^`}UCXa@$}#FdNkc
z@N5kG4{j18q&t6z^&4*el&hUbdIQN+p4uZJp||-l6wfa4x*5J(2jwT7#l2_CoTgCb
zc46Awf=W?4HnH&Kr7QL6QHxhqT<7h)#;5nNgH~RzCbl-{iGF8=X^+xs`P3*P+ihP~
z-K^7?#dMD8zr}J^!XrAtG-RPHaayeyt;#~2t^obpf_KGS+^%~212aXrBcUX@lN`(I
zCN=r2ieZa}Bi`k@hu>X<#N<L>_A*4Gf|tKps}vc4>Q2gd>kCAW(sJL_wfbjSZQ0@_
zf{&12MkZVr_QjKgR%^P)f2|lr#5di-F71u{0+FGbi_d9J%^Xd3Niiz1gN(l_?l~8f
zM4-{|rEA*OBzDfrBA^N1<!-QdMt#T-$?fc45BuXt5(f_1$EZ5v4NIkOI`Zv&NEICY
z?)lVVRG%5rVnD88(nS|)wahZo%nmcXeNDmSioLM$Ue~sYt_NaVJ*Dp+`XxfOFu^3m
z1&(pR3n2uP&_UJ&m-kHZ77@!3u{32zFWB9<t0qCZ<*O=$DAqireap_$%VqLR<$cr@
zM*SPbPc1bhkroY7WvEfh?3hn|ls6rUBnvCLbmx>gKlji)(SlmLF|oI+=L!%@7VEdz
zlvk$bP)IKzRI?40OGL}|4V%~258efDP)BS`NqbprRD96W-B)tiJ~GaKXrMjh73kbt
z9>TONOzlCEZ6$WlSB0x`a7#vK$BUIpJj{w`IKo3OA71o%P~ocqbxB9lt-7KB>x&b=
z2{EBUE-3=J^*z7%)Tq&5b7r|FUNpZ-OQ%X<;Abjc*I%E8=a<2;#+4JafqRqvV%v{Y
zjZto+j3=U*ZMN~n6pGW+#}V-KZ<oTu&us`LlLg$gS}(ZCmt4WtveEhE8Eq<lM_8Bn
zyZYYRr-plNDVc%3+4M1nbp=7L+0XF?OI@w*JQ}c$iLYPeY&Q0M4QV39k}sI@Ai2nW
zA;<jDoxICghDn3w_Er%TUVz#9FmZ=WC37#pvKgx-(JwGT!`#2CD1GITu1<o+m=oWY
z{;H4Qb&VWE(P}DdSe0i2kLMMw-1qgfuDZcgGx3P9+n=y+sdShmrnyofc8f#w@Gy4v
z6WlA`27Udsh@|VVq1T**b_Tk2%R#c-xItZu*_^M8TkF=QeO)V*GEKCe-hImXZN>7p
zRJ3k#Hp*9=6d{hAb>r&5H45|YtyWygWHDS$`dJ5;9O)WIMe%L{zL`O@eFE}nGI_N+
zN3*J$=n8djJ1>TZ8juKc#V&zZdxTgAB%Y;Vrr*92<ctzhbR*}4Rk8~%eYT$^*Kj~;
zvpB4pm}|V_(Im=CwFzFImq~o|TrhuSCX)|opS!L=I{(`_yqJ$HY1ZrggdVc1UxBMb
z6#@t&QUqwV2GJhKBqi<B@($$o>xBgF8d85qd79ZWS=Qdsu&O5DZ{bmnjY=j=J=Ewq
zAA`dgA59zD9@17cu1m!`aJ5h0<YY*qoz7JODZPA6^dl$sn_}x_Q*%;;SV5Z_k9jd`
zJC4-{S`n(*Y6h5P=(Ch|$D<zS#9o@uMy$UdBA3Rq({r5!67s476TDEpUlU><^ig=+
za)QfA%nwvKl}!J1?qx}18^y^oj{{cdPgy1@2CF#e@d@LJ()PV+T*#2o6*tMMWpU-5
z<|tNwan`l|r5pP%x$dbl84q26kZT0j$hoK>g;(dUE50i_>9cGSfLJOxm6)n<crd_B
zG@^TaHpskKVH;BkQU0Q+m*1$1B;;E+!`W@fqjx0rGhU*E<2-DAb5&fPAay<7->t@Z
zPCuX;k*|#yJmT9LvAIWHl%1<?0G=3Lx8oyV0!R`4(`XxY4)of&6UVNq_f0!dm9G`K
z`->ZJg<lkK`Kh2~lNM%wQO5<TN6G8J32R0vzaGzk2RZFX3lJ$e(T@Q=@qiS^hmk|t
zVZoq!|4Tj?YrEf$0gMsl3uU&jpHMaH3Qu8=w(v;h@w!Ra$qhUH-4}c0o9*n*39ITZ
z=8LRtY$qH`V-K`ZB9&t?zx{pr`_F05U>8U?+G3wUbsitE`aU2$0Af#p(EqwU?G`X!
zPVG~8^n4p1qLN(lS_G%{LhVL4UThL}YiNuRVeEpDXbFy0EUk#??KZ0Z9HYo?dH)cU
zS31R)!u`j{p7HFP2e`Mf<w1WPZ~jKSZ3w(nJa&*Ub`{4e0X%u?=y&O?JtUJ61_Uul
zz`y!mRF-St;U~&oTkAz61&tfS1<bH*I!NSR+_U@h%Mj2xs1Kw5;3<vl(K-rMO?a{&
z4|V2;3M#c*Lv)-nZhd>l=wICSjmC>j)pR&@V#gHJ3c&^hiw~SNu$S`T3M!x(^B?GF
zO9-4+5P-rq*M^O~sFMs5Co;PW2^ETW<5;&S6@!Z25m~VSxfywn9@VOsGvq7p;S^z_
zPE{c0TMlUc>LsV)J9VEpw(16$30+Fw{s$DsIT~?eL#9JY)X#4EWmGqSbi(laRXokx
z`9q*7W%MNqA0=9cx#t)efZrrCNZIAuqF$*bucq8=c|#71%cE4aSB5vYNK0(CmbCQ_
zqE($ix5DjaMp)Hq`flBIm<PoVr;r;D=tvQj=C|m^l6K^g+e!{%+n_3{)E)ufqN2Jd
zZ*e=aaw?f<OI6r_U|yxH+%N{)YUK#jfL||V5hPowkve&B@th6?N$<yu@!miHD+b9_
z`YEd=UZ#Url0TcCqwk>`d*#E}kp6VT?er?0xY`>}ebm*xx;7{vnZ1pZ#6MiwyQdlS
zF7gg>ZI^7|#nQdAyoAs$5!?RisZq+arQu&HftwZ94s;95?ZKO0_H94E2VtfpR$N5n
z#bImKPLF5D40Bk$4eGYZkC6Tmi6frz1>dDFycp0HUV90@pmOMdBhTIhn$&3aw+w(s
zeU_bd=7iN~KRGt-m4V19A-9x!M~pod-ZavqIG?UXwFC^@3@o_A*7DTdvrA1sAT7M2
zK<*;qoBZvCxA3~r1Vx#-?geq~_3WKg%DO;y*kK%8W`JDZy?m2oXBmgH$D}6!N-0qw
z>wa-8YTi#VCXV~Y!b|f#`FZV{Je}e`aGMp{OW_JsG5Y?K3eHMNxHCVL>3<A=Xra_j
zp>g2C1vk1FzNK=D0Fd3{hTNVk(rmGBZSH+&VqK&HY7r9vrX4?VB{?@H^`~pEe2-z~
z+n37gFpEXv1sr)B551k^sJWAUi<^{%ixjo9iDpHHPkfVUVuI~@x~+}7Kac3d1gh#H
zI-t>Gwnc=d5FMGSDkjKKyiHlAnArwm-PKX-(^cm2X!wOl2e3-imFE4dp0_oam9r*|
zFJp$OoZfLZ+}5k2FJW1312M9#Smmm(jNYRMml@5O1gY}v;rL?>929|e0#}Hfn#1^P
zgHJEXx;MF=Cvt8+PfN#}y?1b#duWIJz5DyNgM5#lsf`U)hZ3Apwnc-HZztxRY;Vj$
zDP_&3QmRGRYa+HfuM(oz>%0x8*>4*ZbUrP#e6sw?dyxRS)BlrDGk&lrK4FDeUWRHX
zq$MDLw~Lo*&sf91Y8ZdW7F#%qV_CSfq0)d9@jSR5_hwR<)$)UUH=U|m#?0B;;n+*>
zx=&KsxC4UrD;-uTz^1K1r%A};Pqc`JH^((O$G=~!7`VB)zN!8|{xOO^*<^iTT-mQX
z(SM^QugLp1dsjfe@C7WZ{(%!+?FG4pQGud<7SoDvuHVW&7sRU^|9W1MW=1z4es}Np
zlIR`3e_vs+svmF#o<pwUgTy7K3l*d7g|1JYKjo$WM>g~ijf{Dg&q6O?8_@9;$lJol
z$U&ot03pU+phGSq_}Jak*zI&a{#4|Q4Dm4`7v`HFq(U<`|4_m}F%+G0{dAg``jg^4
zn@~(~HxOfzfRr%eF#G4)N!j~{K2spM{7(nwZ{}wkxnE&#@quUXt0M&NcMXw@ad~*L
zmpX!cvW2}N%A}!aGWi$i1|&QgbKM<E?0heC;dJ1LF|l*0<z4}u$XGJ4&L0Ey+`*|#
z;md?HV3dszj|jNd`06qL{O}})+L8Qc0~3W>SZ(HPQTnb1!OIy9eN;%LaDV0Y_%u*G
zys(;4YgDnZS{9LO?%DBl>31_G6rG(0S>SURS(l557`#}WViEQ7!5>bQ`jl(m0L<()
zFlKIQL%dFKJahLjKlZ3`e}M*?8cO<H)BN^C@i)0j?vPbeD=p&I4(^aaT+`;v2<w3r
z>LLEy>o>wy$9GRp0yeO0Pc}FcRI5}();t{>S)09?S({7A%axNTYkix$ZuFFCwgpUc
zj3(K=w3wBjnZfXZ_Mlt>O={ZHYQAj~WT@6)Jl92bvhFOaD-0=c;X>*4-MX4ARIQB6
zNopRkZxT7>o2&ofn{@-dMd*CU5Gj?H`T-){j=vUyy%c8)QU>RInkj!|=-4k4+S68`
zp9Qdh|EN(Op*UB*Ea(#g4}0LPflMB$x0T%eejVb_U=e}Sx+6krONesGSvzH&k9i?F
zTXP1cscICb$z42D31zgQLT)*(Mk0lB^^%~e+EKmm;(>2&j+Tl@Q_+<d2fVKp|3ROt
zufZDrpwEKYuQtm%eq4DaYr2-#0A=1*s&TR+0Xk?hBLP(GV-1EoP-kaNFEMYs@kb`L
zYKwCG0*Ma|zWMsX6>O`wB!Rr|IcRb8vfqBb$#g4k6BMl&0E%RJh^5f_v@qKg#^gc4
zX=yL65(exc=6e)DT=d+_loF21zk1v=#~E3Q9r>KJkoTD4t_;|{2@23jEN5rQi*FRG
z<F^*%uI|>7DsR_a|EM6**yBUMm~wx7>Yjgp%}k#+{oR$Oo*ij3+EFLBJ8L7XFxehD
zf3u;U+Om#5ZkWx@fogFj=2ysIsiw)+g6w5Uq6119VXF_J*J0Ln-0}yWY0i-Dy*vCZ
zQEdfUI97K!hxOAYZq?DmD`gPdnC(%b+GhHuKiX%w8GNBV|5lM+ziiN8pV?Zy18P$2
z-oMfQGlvNiQb-Y_-ji2s7V*Z^pFJLW5Ps{)cs&C1lmsb0C!>UB32QF9iG}a?D80Vs
z%B6<}mxI3gC-e4^&bAfwoNwPWW+$*U-`~?x)Y)0TGsvJ(x|3w7K4p3F;7v1kMK-J4
zigMjaYHUpQgZ)b(+Vy1Ai&`WmN$0u=QN@iNO19Z~vh~8WRJR4{U52s)jh~=VBsA#F
z-4IkS(u*y>wISHU*0dU})62|zHFZc#%d@g>{m?(!_ItEw-c|+u)NA+FB0&X_2(F`E
zNYk2**4Xw|Si!su+WiG6(%Tn$YFSDOH;6HB|3NA|s0`~S_w($XVorMpE%97=?U$BR
zqb1{jh@4+m*=&h7_Mz5KdlST?GZ(sJ(-Q3P1gZSFqDwF@0OjgT91#%VcWs-s%v5?F
z)rCQ$sVQzq+jsr8QftY+BeMhJiCBKbC6~z_YotFeq&nRw+9-PG_6p9D$3t&e;zi%9
z3k+Z@I2EFlO9v8)Rk9Jq?$e+ADj30xDj>^5)Nte*N?pW9-yUDXnzrtCETJu)u62CR
zrt;aN{he*Cqf|URg+^ng?fr@ZasAcJST2nenrM=@9zM>>nT`#iwzKwoE#}d-&loW&
z8_*>vyvkQ`7@!x4DJoq=*y3x3K+~_>U2`*ET6~L|W&+vzpE`TIIb&Wfh_)I;)D;5Z
z6FV)W)k!Nyq~hP0^q9??eAxi)jN<D>@sVlG<2m(tZ$qQ;deJ?erZxkHlQTbk(<MJz
zH{MeT5%Xj6+<lN({9jC(<NrS<E&0D<(yQc%(!Rqhi$6(x25-cZ0t*7f7et_`7NRCp
zMDcwURa{O5yhPB{LHmJer0Oga<4VVnmBFovWcc)br|%z_?&3nDOIE0Jc?eJo31eZ+
zA#J@cFSX?Onf7wX(!FCXpII;Mz~*$}2|)G^OT~-zKd>(}Xl>$N*|?PY`?{=^JgwTU
zTxGOaU^@4-6q=DeG$gERlC-uOnK8?Mv=iW0|2H(flGWSw?zuf)UdH}6Ec&kcZJz%?
z({37QWlaWLD>3)Jes{_hZTz#s1AxnkO!}d{9uHf{Xt1+%&Zptni?n>JR%{@Uj&j-h
z!vatrYZIe>7KxG}E}1-9aZ<&(DPt8{_Sjz^xLhj;>2lVti2j3|`y2Nm<cl_p{6ztR
z*QES4zJ4En>Cx1|yPy&RAE+EYybjA)Hth+=N7<!y1tjtW>st?EH(GQRQ>9RnS~He9
zDY01Ib_Bt;Q^M`Mc1VUG>By>_YB2%InYWpn|7K;iQk;(lB?kVsqC(L3gI&_@UB^C6
zlq+#_4&CzzzdI$9XWR8Q+k_O+e(f#mQp-fyaCG}jzMBS4YnGQD(g?z##+cRp0Efci
zWv|K6b#y#R_Vn?GM@WmV7+JmPmxrcM6HwKe`-Ja%1-q3~Tpl%>rd`~fUY}0vd#5xh
zn>9@j^lFYPrjYb@eQr-Wj`CT6I?t00&RR2rMiKPrNA{G{i?4-NZ2uCx$~RrCtz<;s
z5eIMLo?_k)$wOO$ZGA{&Kh9D^80Ss23k0^K?9kBPe)!;m#h$n_*q40)i=_Z=UY;9M
z4II|7GFcDPw2Y#CWj^J~E4|sMe(!GpNY7tWdJr|R7&3efrb4p({X58J{smVb{sUKE
zL(}&AKQBOMI{v`b4gV9aW<bN$R{>nDVtZ6)g&85(i?oUx_Es$L)bzf@Lsj)IRpG^!
zkwN6P8gJ7G5)XpFkLE4kM1IS>D$I7CyjOX8|7UgAkP}2M_jAyX!c6-*7kt!kEe?cG
zhqU%p-Mv6TQQX!Mur(eNZ%YFwYzXk>Nf|Q!t>1QYPcds!2w3$2X3g+l%$npra-q(3
z77ZaTwF$wzF22U<*B<c21LFki%``kt?@JkL(;KZXIWzEiEu<%5Ss)l1)jLA&0tErG
z{_!W(a!FrJnkSnU>YH1jl(}3*LF#V;p2xu3#B@m!Kow8NGZgAaQutv#zMX~1W<gGb
zv;*6!lm}P-f)FgNz<UsTP6)TPU58Wz5^p;v1IcuII^>>nhFsg=$G!)8CYTn#6HSUA
zBgog-OSor6im{BBX61tc9yn!{`#&TpejG^|)EZa9<F@TRWRdHo#-jwKQJ?LTy3;}D
ztkdEi-^0%NpH7e#lAG##rTWWFKS2IrW&9=F&pIHjc(&bggn~@;L+IgM(=kF#32G4Z
zep68a;quTc(cG7F+7!|w!f(KbRi8kFho*ZzJ}vpARt#GdSN8xxzDDhHp3eDuZ4?-b
zTn-n&61l|ti0qUd(BJqU5VqWl(Dl0ru#>l`Qzg7EEgb~8MIP9y_*HXaac1tJdGi@_
zI}}7aoo&$KEI|HR3FcTQ40Sx0LC(-|<7r;b?)mhpyf|L1hzQpA<#*W6*~m`|t`^ev
z388w(=rtkOQDQS7yrTx&ldw`t)L&MQu;=NMA@=;~2x4=3#W!_#M~fc>?&UO3T!6I9
z<_oNpN(6-RZGz0R5-Gw07646s1jUqz5VKU#*5fq&eTvQbeC>6(VX7uRjH@QvZyyWG
zHfhpJ&GADV=2ZuW#(^jJsjdW@^Ze&~8R4w#WaW13y&fHMCv}%caDLzOl8!58SP*P<
zJfHafi^`C<RJ_1ZD9V^#hfaoCU1<F!`bi-}#2#*yTDq37bc8W$9Sm5+0iC4oXQ=HT
zb9cV!A@@b1a5#lSe)ElB-5y=t-Bzdjkw8p%TX~9)8N|g^pBi*Xt=+HR6^@}!x&+%O
zXLK@+QZ%~iwXcg5WHCyQR2Av^vKk*e;4K<R4LA)A;#gWuOtmZ!UI~OK_g_=W8Pv9u
z^e(K+ilyF+qHxFzj+tP4AaiFu%}cvK5vtDd)wc9^(v^m5{u$nSMG_?>%G@Jtx;!wG
zjLsPDZi-G+Y8!klKu+dPDjhda`RA6v*A$w>fmnV5eS_W4-f^(`E@EfJfAZRxa#N@w
zD+pmZ<FfTJT(%LK%TAd~yR-ALd^JpA!wu|U`1)tgt7CDv0wxTsWPwH>TlJr$^vfVO
z!#}gro|R+7N)SuUyi>02eaboV+FZ6p^=^l%MHCKf#I~8L->QfzTNkaaIoantRbQ7!
z>grkdquz|jRfJsbTVSuUwaJx0`8n#k?Y>($uNAMEm}|o`|8d#=_`0dk6tcH6dav=g
znYj69(iShiX0t4z&wx^9t`2F4lpZOsR(ZP2llmss9PRTZRO552s%;J&w+-Wqm!?bn
zhMPs-4X&wYgLx6D{#3SXpnLGyGF&BEeg0Y<my?@aye)}$l_pM}?yhT6_7^-{uwFAm
z4n+4ws@k3AG39koQ;mlTW_hOU*k^^Tl;f<%7G08+cXfI$qIvlHaKs~N{L*ppe27?B
z+%xl^3s!IJFT440yRDKP*GEu!XdVDTDc+#nMw58KGC*vHE7cGDB3@AyY2<LbvwmPZ
zwMFA@_pZMoY>Np^Y-?1Z%Pi3CeLPeIeBKIHY2$Skhi@nPrATmF{z}WX<k=(lP$gR9
zVLmd{5ESEYos#zzE8OH8#o*h>>KH6%$?uy3wQ(CdS!nSv2I%%ujWVtOvr$Br29Hbl
zSiH(%OO8t8qcpqNiaVz)x9u-mYKSEySO5FzX756<F>Osck4~ECE%%L+zPI-@u;lhr
zjB~no|AD$~TOf;{VfNFKt-xr2nyw$*FBlg$rBbV}8eUkQa!o}cB&LJ?6x!AYLLyi7
ziC%6Ar)o`~R-wBITYi82wej;EpZ|?{j;FA?@Al70tAk?tBYr7j%1#_WJgTS7Z_$q-
zHWiN%6N>9IVeoD-fOo6o$m>7Eq1k52Z#)g<&l;MyE4cy}oE<~1qD|SqwO$G}(&;uR
z4fcQPy$FpdcoZorYPYWq3!SoHgdLjWq6@)@10c+5ix++U+^MsHo)S<LuAGx>UC4Ox
z2zpw@{!>R*BYCQydl?n%g9fIEfx80E%mB-6h8#S}w4&9DR^O#MO(bBF6%Y?SY);YN
za#w@Z@qP4iBk(XLx4wo9%+y`vN;_nTNe@il;F28sgu#EVq39xl`+PK$etr|xSuyU<
zxcG3bh+c*@Mx~r)ERG*S92E6Dalp5K)9i9E!PxLpJ9$pS6<=(58lSC6<BKu+=sf=6
z`Qt8H#3bwGee`n&1kN;&J;ir0mF`^?CRp6&tO$L87v{oHtDG<!kRyR$!6j~=B`?pi
zF(@TWpW!(Gfyp2pQQDpSl|&>Gal|nV4_dY-833u4xcnG7V`EFAmK3H+@BLF>!Ip$4
zEfX7{g}=jRG3gs=<mffnpjAu0RWjX-w5NGN80xogSQ5>MPX*_mLjgXue#m1xslm<f
zlqBzT%<`=t<=HztagrbO+~x-v{i`O$*|a$&ZQH@`0<`Os4>ZOfrajeIyJQ}^_p%0O
zZg<<HM*d5c*VRVxQMgj>D?{oZfZ+X;H>y-ZI#On&yvi!f=861jCFhtv#r#P1nTUH(
z+6CN@;U1ujP?@o=aw&elxHsj_gJV$2KIR=0Cwg&<Uv=9|&(U;LRb1w3smnBO9QWOK
z*JyeTP`slnDGWq^?<G>HfRrb?l75N5ODmmnveNpPY)f|U_t>Rig4KYBk+<c%twZF^
zuaf*`FLKCq9<T1J`=&`?>83H*P%9YoJ_%pbZEWguK5o!{?Vv#W?AtvxQ3utpo&;#>
zJb_&gX`&a+KmK$wJHe9P*5d!9&OPGcY7G~gq*X8GUiKiXGkA6}dPzm+^)tVn5O`h5
z<alv?mQ@TEb8x4$p7LH+*)33>?z#I;Q8`xU!h^V+Jo)dp^%z|RlNc{pbKK;X(1&x~
zV|F0vcJ*?bFZl2u)R+>|VseR?Uy)hqd1Y+To5!O>b24r1gBft+@S9ItMlP8G>MsL9
zQI}_o1$&$R1ZnS}BVZ?zo5H&7E0~+fMww!ft8i6Wyg^-YeDR@`u+5cRTk#oDLJSg&
zc4g2ZSr~9IO++gfV{KLsj<;a)pt+MKvyJ06UaYOozWt}#?DMfxetesCuYxU?D@m9F
zeYn)rQtc5rd706I(GN6T_%j9v)x#DW;wMb~DenA*j{--XBZ}))gqFRquBm*T>C-Q*
z(HWGMRGkDGb75R*gE*~3vy0M;Swxk3Y3JTkU+3_77JwTTSEN$sT=RdY&fEDmvk{+~
zhW4E0d0=jG$z+L2TjSSDigrXG1+{yBQRfmS{pCeN%y%TrIFC?-vGhRyh74g|VVRxq
z?FmlAUrh`i|Dnze7C52I4o@UMZweA<vQKhnsn~<<_KrNgh8OJt5U8`MH|u-vsx*?0
z65&?C#u%L_UqJTsFMfNJ1@=fnnm{<^sz+K8PiH4hq&Z1*b7~j1d?Bva1!%Oud{3fH
zc@<6`bJ*VDa84ET;i&X^tR+XZpS(&6esfE*qlMHF>u*%}|3aMu(p()U&%ao(b2_vX
zbm^95zKm6CBbw%WyU_$>frI2%C7AzTNb}L_uxzNOV!6ElVTLHFRi@I=pv99PQxDdr
zIbqoY#SiiwIgFAB`^r}wBSG47(L#;rCQ(seMSr?|)m*4-mJ*((#Hcz&^_N7y_&N;I
z{U-<Qu}3K#Pk@j!po^n*VH8f6f0E3qT_b1kij8imu$6-ISqaWf@0B9i6wY9{b^Ww1
zN2dMTxaKsTw0IoOtHp)q5_F?We^j>P)<pz+!W(mw`NY5BJilVQ$-DS$@a5NyQY{iR
z?)@kG%>&}bW=JaP9j(Di5mW`1rS@oeUB505?}0@WeZ>t+v5-pA%2f}Ma5#n44r;oT
z?*8I+G39|G4GX;__L|PH{;i^&|88ZaXFTVSy_-$>lBfBZV_xjxM}%&Ea`dMXVZt!5
z;hHUX|8*k&f~Z&x^J}VO@pvCh8~8TovEvt8Xa@-?Ho{g6w2J8PQEXI)qy_M}DxxFt
zQRQfH67v6S+cT<$^Mqsd02aBaPh2-!IVcg$?&&H_R$8g%&E+KG)i3_x*SD^6+QIl*
z_g9mpsr(Z41Fn^(`0Ze+{Uelk^onmY2IZ~AYUX)nyv`K6-p|61oT2x{T!ER|z3@k}
zWSbwMlU)c}=l-p8a-czTgevZ<EnbZMI@58{xyWnkU3dR3k6?@aWnjy_u`n>zxf9L*
z3nKn&wHbni?$4S!GePKNJi3yLvEipr#-ElH-gCcpurYrE13wd9`ImI(J%@hu&sM0@
z`o(`m9uJ)^B7Ucd(zXtwfv11k(mZU5QCE)rO>bGEiwXZo!)({%#j0ODOVy9C!RSvI
zI4v;_LRCB#bJQsq4zlsr(4GhbOyU|;a8JXmf#5XJe1^hdFI^Ra)m2YjIeAZx!JR?Z
z9x&J#PlgN1-0)Gu`;mY&#w|G8L=A(ZHwjJM7<hFWZ>M3)w{-h$Bz`#_g@38o&x>9h
z5%ZB<<smLy{CyhsVqDcYpCip~kyB?A7f`(X6I}+kZnSO~J(v9a>YIBg`SIw7sE6Nj
z7b~?tVd9+A6ZyX5X`(|90KFpzl-a0z7N=E74EKa@RO`9rT}(`YhoWJGJvfe%0yrL+
zZs1@jBC87ae$zq9?QcYyQ;!D+WP`~=U(?YPEkf#~8G8Tf=}+n%*Qy1*oRUa!SkF8Y
zY3_)H|F5ihoJuKrd$q{=mi_VG0LL2ltJq8Yw1O-z>vlZFyzlrd3K60-b{P`arSP;E
zb*p?%0%8W;qHs^B_tnH_;C1BtxqOB87C7h5`JAgZ#+KJ-6#_z<XlD>L0;R-en^7I0
z*FwtvXsSP_qF9nI={8Z$V%QzA<}fK<xTdEV9W@Vj(=amsB;(zYB)xJ&I=AnqV%&9E
z7M<{L9nyo1a50~(y}MD@J5#CU)QhTpWM@g}`>aFE36tB?_JVCwRD8gy0;1(^A=v&)
zpHrj~4|N2n@@sK`DtBOp5bjU(f4v8&^1FU;^;_|*@<J`_fGHQeclZ$OrRIIOfW0*3
z*PDjwiz$}Otier6w<MoXzjj9*J1fy=LFiVV#g=*hr_lRRSk6ZW>3I=uM#&c{8#=R}
zTk+L5Kig}{!?}ohiHD^8Vaf#a^~v7A#moq}`b4NnBu7v;CyaY9cnMpcqI_@n;;l!i
zKi{S|9FQ6ZH~8GgAH>O;h8GnJOApzbUx+NeC|sfr$!w4pYq|4n%5rUlcFSHue1Att
zK%BDu+kKo+XtW3Zkr&05tap7r`bENCN~cAPRy)$KCliTbylgs<XA0421o!*ecQ3-^
zU5kcHm_Rz6f18k2ispEXI@>EJ@WN;hebg{`ROgvx_N|XSaAYs-gA^&(v3X0z<?hmC
zU%$k_k%JU0YLe$}x=xqqlWsb+HZVn|<Yj?S1H|jhAa^#)wdmdb$pjZ2m`uUN7-1Rg
zKd-}ts^0Zv;c05z6#wzA@A4=1UcAV?ue1rml!!`e*K2CSu9q)yzkg=|RS%DI=PosV
z%9FA?Z6vO><IPoYxw2&@>~&eQA%Ry=bkd)zivw3zU@yEixGet+b1q=R$q--V6X8ME
zVGh_<F<%j#kDFFLl3omn;<sY8_(m8jPKiL}NEg`i$^pUCp9L)uIhwbmwKQ6~hmMa_
zf?oSsziGmGaEg!DV&YpkT#O15d30ZDpvEwh@hs#a!H>=S^ciT3Flr1kU-l6tMWEO*
za?O-<p{Bv}h6mzxOb|i^d%@`7Al)Rvy8QEyc=zqzK2^?+wa@sPJKhusO_$G($#Sm;
zVv4k<5Q#fyuc=rZR^Ren+Iz6tgL9aWV@QouDSgG`^~>oRN^XL;!EWl$<9`9R8`Wp3
zc(9)SahzRw{Ck!O$WGl#;)FS0LI9ZjdQ;2;4kf7IR+gn3F_n~qAcaAwb@@&v-0O#4
zSdt7<^@>i#tw;iYRsf8m*9I|ihzM!67?V6EqyojoShyc_Wqz+7^sKxbkNw7D7e*FI
z-v)%ou8A!2hbSUA$93InVuB<FHg&o6+MlW<x@VRFw!8I!cJe{q3$O+Af>2a53GSfo
z9<Psy($Rqe^4-@*R%{nr>*Y3{khUnDEnc66V9NB;WrK2InBWk5=^BJTh3tO&u&nW@
zZ`P}hs^sBaTDdDY@=f89vToY+N$I7T68K5mw^DKG)3^dVTjcu%i@O*2O|1sjiDtEs
z^&eX1yJ|nw`X)F~@8^aeA2GuWgxI5TvO-xOw5~gRJX>6GL5q&5Yf~P|(<6QDH1P94
z5LMEh&oe35f3wa{(>CvJYLLD6XoaP#?0B=(TkqJCMS^5hY|bsJ#7CSqo;&g6t3+Pb
zi`i(O69_VXcf<iXRn?2&DelA$-46gZ2gLgm060SLm$p{mX4w&l1KtBX6qXLDOXroA
zHn|T~L>M!fOTnu}Ryw6bg(%q$)x^xj2oG#TrE2O8&iyqh%-Zh-cGM0q4GL13nLX(D
z@VL);8VQ3Si_Jg^Pkv+b><VO&IcYB0^wohoTYr8k5lhfDdIeh^lOq9Rs)QefF;HS`
zqRRuMYSR2xdc1?V48f`G__K8=iUY?gaZ>l_y!1bj{28JigO5t1BcK=jeRfJkfCP9$
zHtGj|2mT(XpVSh?Is`fCeY?+w+dQ%iP_V?K+q+zofc(}`@E!Gzb0^x^r-(2b7ymT^
zoyiW9tI9o2%H=WUx(TGA#Bi<Zs?lK#+7cf=gYc_gl_+dSc%I*F!TIxWp8lm^d$*)b
z8{qjqYYxaBT4?P*U&GvK0Jt%;jMQL0JOd_35x4PC!UQot{(EFRcGjy3RZo|;eZT)^
zC{`OGnUcB0hiHv}f3W$=8&LHRIR5`V(v}KQOqjPM^X$f-HZ{x?>GQy5379pa`M?eT
z1B!soR(mAhc!%>YT#X2`AfNeE9u8;T(NY*RHE|=HQzfxGoXhIS&f7=H*2RhJ{P9<9
z+1X*=$)lO%<M9FaeTzi9$^VD4HxGxpjsC}*u|&2I%HCpMBV<o12}$;Skc2_@?9*Zo
zMV72l$UewAmdTp^K^P`v&t7)M^1H{<^L)O)>-v1J?|)sI_r2fuIp=lGd7bFit?5M`
zUL`rvNv<Wd=qRy=x`d!<0No)I04OjIt~UNC<{(-u2U+zp;w?R%2J^*m2)$L?-PAGh
zsf`kTiu=ik6>M|zXe<b;^?K!ykY`n(6DGTDNh+5Sd;7<=G?z(XrMcS{QszuGc39cb
zYT=vCs~<Q_1N6lYF^#_=DZQ73`u)-oL~Ip3ckBjl?W;m)Cz=nk5wnZohtxR>j}N2Z
z09fcwEzHF_JZb6wi+<jHw!=6{re+reSkilJ_r{W8CW_Z5`zmKELlC59``!@Eo8^F(
z<^C&taODv-2Y8(ZNHFe1<F1~oTPyMn<Ly&VTBQjW)>qvxmX@idbQ-L4kztIrAY_^6
z@H+GnNyaTS2!QBa8EUJ}^L>b>RR0{IE>VN3or^tSAikb__1alo7w2<GuRGVN^h|~i
zt}}a&8R+r|{Ro;bnyCCy>M|z^iCSfew#ZdwCBa<#<^dmALhEb#sGvKi-Ku33j1xFv
z>dQNai*fFl*gXuP%*6c28e8*4StuH7?(_1u1Kn!6_>|%e>%pC8k;A25WMZ%}AJ2}#
z*hVS7W<Cqwa@=x|8hhOL-TDV>xxW4oi(A?XUv;DV(25`9veav7=3$OU@6QwQWsgt%
zblQ4S?AY#zFt2ua)jM0ylSn3RR+>luoMhl<tN*LgdcDp&I>y{4BbQb_tDX;~U39G+
z5-+s0p}NJX{+7>xt^h7yXw7uFY|TI$qLLEZ5vh&NP`ICYo(R6*RPM4bqS=#?F{KJh
zd$@}GPH82Au<)#uj=7h(?$(^oTy;)|PZyZ%A$B@X$ZvJ8kq8M-C+K}Bk$z$7)Jye*
z?G+8hmf-lnDA7pxt^;pfp#aAL?=JhjHeVyBoa)c(=3Ln|_iPs`cQ;+Dbkq&!D@9}e
ziFs{7Ytg_Lo6S8l(vQ1yUd7Et$kMuaaN7NnxX@VK9?YlTCAT~7F01)Qj)a<9sd&cc
zU?0+3(j!%%iriSBboPAT)coe`&y6Awj(1nyhX;t<nyW>wA9iB4#{rdVjqZf5Aj25R
zfO%V7<h1(cL|r@nsQ@Xjz^DNQ5;}<5GxY)_w7tgXhPIe{e-ZJsMqj$N-%bD*P>#L-
zmXJSLy@5-03Uim7fnxYh<_a&dT!Uv8ZFTzF!G~=~{sT)^2bt6)Z);HTE$*HAOn)9Z
zNZcA4ye?QfB5~9BzR=37<sYJnoY5)k4u*%6;vPYoy(XrLRI@9p9v1@4Zm~YCG0+uq
zdc7JaxZ9iYnKbUcyRfUnimStzWp#~ATZL&KA)Im2B?MG_a(I3Bbb`$4pIc@l-h20%
zLEZL(i~=KC<n^bzGgeh>f6@~<Cla8K7sf)=_3KwI{G}OeBUBv_b2FmDRejPGvlk(W
z<H@(gt*<>Sec2aXk!AS{#f(gEcwJfPQ%Qc)biTpuVu3LTM>P?974=GRqI8`l_P~OY
z5dIB<lD(;`p3)W1|Dc($gwe018|{5DgE=>b@#TEH+eUoj*D}c`L$h;zO};J_=jFed
zh3b^XY0(PTc47M)L)OGQi&}c$5FJiN0Y4d`i@ZrD;+FjKU?wgF(*-{SVQIex-Q47*
zAkJ;h(Z6O!X&tD@7gRvnxE#SzgdGSgdk=~}i8%Dzw&{yiXoQb^HUltoRZdZ?(DDr#
z2H~<~o>%!Zt4;GNNm|?7@fYW9d?KC>j=eQ4GBLHuX!FyS?VtnmsM}vNT)IVp6)p~%
zBBNecM7?Ur%d%!@EV83l+msrG3|{%}E>*7kA+B^Zm;hpEO#WNBaB$zgq@UU2FE4<;
z;LVuPBx1>A^K-~;CQU1Lsvki`c@L)bLHz%=Nr!2LG1{OqHhEczxzv6X_U8-)*EOif
zoMZJj{;q&lxH!<Vr)Z?~+l%u=?Hem1G9nUILRpm<Ia*;?q$XSiH@^0JcRVYqdOCTT
z5DqL%;dl0-CfzCYA%h#LB`Q!i=T}b4Dh<)K@H1L+JbMY|qEoQEu7vyvVMDCjWp5!^
zO@u&acZGe(k1s@yqN`;$yfg@OGDcCrLCQM$hiCHoKYL7?w$^K-H^D<Z?Iq?n6_2pn
z`w})9cRj>GPIpWdy}#OYMtV<PahD8%e^l|d8y`_F87}DIHH(8s+;tiQKg@-nzgy#Y
zNG;bF>3Rp!YZcvVc!79+jUDF0g;N<Mjnntsxp(QY>KmHE0Mkd<D6AkUrh_^=Rku&w
zd{xU-=us}ayu@OfUgc(%TtQp=s)Sr_&TNm|?HZxFw=++Q*KIx(S5TT$3lDVZORW#G
z&uF@Aj;%;!#3%Fgi3$Qfa&T~rXob7UFk4}y0%iJ2Ag=B&>*|6PN!(mLHL5QT3yn!*
zlZyEhs<QeJ`dby<Pf$&Id#uf7)RYD(+mi<H#+SUmwo^?Oo1K>{F2N*}egzb7%bCA(
zO;fe0d}HP?soz^{_iCznLncQ9-NXOdv03)jmz>vgMDT(zZWROFf$Guum1U@#+_$lF
zfP7^%ZqV;Xf2XrPIsm__Ad+IY=~WE&E6~XP^YVNoT=+_&=S0sI5!BDI5)1-ugzsOT
z^V~twy7NHkdFcbbf7%jqzX+XvtWjKzXu%QYvZbm|U9c@EqH^MZ{P8j)6Vv8TOt?>^
zdgvERC+Cuod%VpK1z_jvn|6&4G_6Ag;OV_?_>zhDSSX658^s_|^IJZxx9RgVS2{`J
zP#~(_*P>3jK@fH*!ww0)fM3iC#1Q0HCYCFr&Ec)@w$vzgL4N8wY0dOat~ue;`~@TG
zvwOXs?+9XK6f=<nJduev+@TpubV#39gPiwgBCZIYF-*T={4Jldhfz#IHs_IEld}T4
z$I;yTd-RgcDE6g5P`b0`aG_C5Tq%3<6e5Y@Vf@7>?(YbI{rL34gl5TBO=RmjGt#A?
zA)Q&+F<DBt_UafriggnDKbEhWC|CAd_B&>Y*lc!IFlA4>l4~aVIir_hX43CxE9Dm+
z3BBaX;0;>8DSlN;;d@?DGV@&Ke0q$Igz=vm5aS*8R7j)N&O8XgVU}HN-W2(wg+4PQ
zsqB3X>o^A_w4RyGqrcI+H2=XPTIAUZ8|~ZezKR1nVkTb(X0*?)vNvnKhKl=H7~I$U
zQobiwo}+yh=Vd9Vt*`)s;Mt5DsSa^AVBE38fbP=;vO?xrNjO#76+=*j?a@l73UKx%
z{4m!&Zv}_BuQgE-6||Z!c=G)y^}NpXt=%o!|6`gKV>$ZK+t6@iCXm4$x4Fcanm4d$
zbHNkqz?ob9e(su^(3+gsVyN@CotKsTFwa&NCi9zp<5~yINR!iha%!ajKgfQAa|RMV
zJo7qe_#n*Mb@3zN+<tZ`8AvZ$>f4Q$rbqtq%^e%C<!;>efuIOF<ag`ksSZ}ZJFp*0
z$DcxN5W|}ui@Wks>zwd+p&XPw&JGj#qP9-^U3P#7tij*7Qr5YV>2-Ik_*Ub{&Ez*&
z!5KulvjgYM9;QYZXRfGH*d7gGpcYj8R7pLd7#%wPNzVDPCN;97e7%M`qt|P8u}7BE
zV-v-DYx|}Pt2uM%b=#ppG(A^3AJv^2Q1_>trzOi;!<!xiO{6mjM~4u#e(`%SV|7g>
zsZ!`U`dNMSphKb*)8w-d>xrq|uwcz4%O3$1={Nzv2M(_BM70#ImBm4UdAYf=B*Bu>
zExbk<m@bw_5auozhvjF@fmUsjYTT_Mjq+a!fTp}lOVO-`7O6dn?jWij3_TZ*S6aST
z&zG@p`2X6|=NF_fa-~j`lhKJF;TXJ~K;kn>VoSHS;&fJc@JF$Mmh^T1fTj$u>$k}r
zOwS3|Ci*|qGWGsAA}}!E&R<@`q~U(nEu}P`v6p@L**|gH;yxCW{d5WNnPC6rsX|29
z=G+3GJ3p*<4?_gM_vX-(dU)i4^6N#Wm$z&;FVY{_e4X@TBR6bG53Q>It_@$VFeYXy
zzebABF|~*RZvTuD^F5eytl&3)wzBd)&8x<l?GA>0vfdR@qQ*ks1Ng87hQktddJjH&
zWz8%`_?|^d(SPhpNY;jrwtH%$H@I%61gkQoCjoGLm^^yK|9h5+SMG}^QrlS(3dzKh
ziROZ`B0d%_i>WAX-4IviGnl6Zoi$DjAx~d#epCxdq@BbYHm?sek^z2sAL<r|O{>Zd
zwe~UL+Ed=RmSmV@(pf%xZ+F<<bM<x3nhkTRFYJ}nml$=`+31WOT!NKM_KKAhSCkS1
z%l+Jd!gf;{zmdm`lTSkoHHRr~jyh|o`%F<T7f23h;ti)GNE(o*lp!d-rgf-KQTx&P
zkTe{i+RjPL&*&2_Mbx5~y{Ag8YBLVCSMd7c-MKf=HfpHqp`SvE3sXDEZ7bW-Iy~6!
zzJ!`@-`G0KYMl11C6(~_YwA&S{RR_B-2L0oyw7x3eC>X5Jwgm-(KN{WtNQb_kJ;_m
z-h_?rw92xaI^3^*{zKyn$3mDJ&Du^^=f|^w^!!=-$|Qy?fnv|}92D22+bJtgffuJI
zHLI7|VL5I(@VXt-+WF;Ab$7+hCTmf53ddH~{nhtb1$_4TxWvm255i%5KPdDQMMS<&
za$ohUbnO3*ub-$*px~i8u%y5Pe{5s}6?m5zFromc;s2mg#{)wreuZOQ<%BYc_|$GP
z$TX(9h5qzN7H{(&1O5PIe$9;h-OO}?ryn%|@OS!sH;ey~p@32U22t7fKMuQ;gy0Yx
zRt$$`v;7@(h@aWXk1rlU_zs;A+mm1aC43oSgv{@f9Z{74JmHuc!GaR=)AX1I<}cK5
zM~z%CUARejn8~S28W)pEHY2UPR}E3#hP^BZG?WRCIiaDDb_V_D{Ta<^IJR)?{tMXu
zeDw_3H-i}uTop=Ux2~_vJ&H^MF%g$w+7(5JJ@nyMpe)%TG0bIHso!jaEfIg%>7(JH
zBu?j&>QW0I(otN3Ih;c-H^e8?B998f`4ae962b@acwxt^F#rvU=DxeHDaBPAg0N0;
zDtLGBI?J?mTYIOsnQ>%qWlmGleM4z^vOXb2GOHDoQk1f;%4IY0xyzM1pn#UEH`6qT
z-7rYc=wULAY=0!9|AfIa)Q?>8<3D?WB6SVa={3HS8eW+-olR$n`Knj<J_UpdTYpcP
zeK&Tt+Vf%^oqnn|3knJ{RYFGjPUlADaUPB97CM<4$$l5qyM6@WOQ6tvdN+6tUsEya
zsHP&@&{mQ3RhBEgSu{0GJvT#lljVbdsN6kms3>h&G?gyV7fU@=98n+>^N$j!F17ti
zBN|#+RVw9nc60|WeP#Z9;y13|;U#5_JJr+1VP<fVT8m8;a1BA=NgFlNq{Qu*2IcfZ
zut3n)H|@$wGk|^fw6lRW%?Ey%LgdXGe64CfsGmely?UA0|JBp?6R5B#?+Yp{t|-La
z|CbqtN#Cl*2+rWE(~|Qk{4$8atFNdhwL@0_?$v$P_3ih^Fcy*tqp(kl7D0B=U%Xm}
zbeUZi^xdEv7Yu%h*(62DUASy`_BqH0f-6+T5r_xraQ(YD!U;yoiH`v}3^&JLav0d7
zbE*GiFfYq{OUdc=43X-!L2T_@NhG(w-)p>YK@eSU=5cO2Q5hYH^a*%s*a>M<RI|G3
z6BceyzJ0dBkJrw&m<)X4Yz<{T45);<NkYYKbc9Y$itI(0oNaI-5q}`y;uZ)R&tYM6
z;aOmI+3vj|o*hx}MvE?Q_6FMbOX=5VHK5X>xyq%z?K6Sjyy>-x_?s%6LSovOnABv1
zHxhRCug~6<4}fbHPB&Za@LLA^Un}LdIt|S*@K>UjK713JC1FvID4+qyx7QJ(+4mG=
z%#VHk^!PTq((~0t&o51wxNp&fn(fN^8Z<~?H6HT9(3We3y`*yqPxU{qPmS#BPb~P}
z(@&uG3tjf9xWJygBJk`7zHM{fB@_Pl)}TY%_aI#rFGd#h(EZAVcOZPkrA2jz@l42O
z!uC%-J|Ov+1}O<GRnht(!Hs%pF3gwi;!%AB@(bG0!J#@d`RW|uAQrhXEvN!>hgvw6
z>Rmd4!)4Rq^B|jJRy6Blfrm9v%Wvav?G3d3BqGlu$d(5A2zDHm#CleEQzK0Qg-E}Z
zU!}OL$xNyTkCrPFLp;8BPg|7=yUD{!s`sQQ#K^LHl7`Wdxv<rzW!UL9TF!?zf_g&F
zmCQW<vQV>9jH?9(sHr#Fy`y)LA|#<lJ~`Qk0lqAy=R2VrJSRAG?wN5O|5PXV-Hcel
zdm6tp*Dv=6$ul6&Vt3ldcvH?Waw-?O8h+?35x$ugE092oE6rYHZ-;JZ+nQk>(kl+|
z2DR*s&xqKjsavRk$b|kdV7sY?6>aOC)tE*Yo<j;9FK7)YHT|L_*-r8p4F!llX)HgV
zz8dnJ?RaUe*pyMal3x<2qDY2oj{rErl9QlpV_QQC{C*X$RiScb?%Yt5n{i<nT#2)^
zw?ep@E{`0PtMhJ5$=&Dnc^{#HuDqH^swYz+kw*E?c@4sLsek)5X21h3AfX;qqmv5O
z7L&d=1b;MET)-~h-`o*gjPU2rjcTQm-dF7~-c#OU1WBw>Zs+bS&Vml5V#WCZuX_6(
zI=0J?z3Gqzlg<|@H~&~$kk5;14-021gKi%|a6?4=40BJdxicr-<ix`!_@H;_Zk0Q1
zZ$eHvjBonkL(mST|3FOYKs~#TF>5M^d~thXzWYXBe9ENnrMv{zJkzo!Lq=cAEWXCG
zZPxcD*5BcJQU;ozHqFRIMyPLp+&w4$`p51n6`ttz_cAHKkPhW1j^~(MCS^lnOKE6Z
zFS&hp{$Q8j5Y5Koldr*Pz66ukL_boVjFexFc-qn<0;)Iui$ncf_Mya#=|AlJuD(`~
zIB7XNaO_7u;rhLU&R<zyWk|~G8lCO}#DMsj98s@;c)&Eo9@cLkf~Ro7bEqB5_+t@z
zXxSm;g+OfDv1)ecUbqM<l_wzfHft64E!N5Z<D-9;hcNyvME<u*1%9eF5Zvf(y?;@d
zLrv#jH4ivfw*VAddjQHj_+5q4hrc~`OM_0zx?8=LFOBeRt3k+WZ4SU+4vdZ=VIaB7
z)obgP6T1i@WW@9X`s!qQyfvV<=&tiI*)HB&z`EC?T>DOlhCU587xH|V203X8rnFyu
z%;*V*_f&T`C!jXOkAuKV2kmwMFykP+1_K<Bpf}pa+K0q(qTBK&ay+o@G1GHne;FWw
zM}gV?#)5^ZcD<m(%_>0{o7X8YCiX)O=n%PQw!1-&qO{!UTa_en^PnBqhRlnz14V4|
zuzh@e7{p8H8g*82#C8?+pK;CxMF>vFaNsA{Td+Mx#~p;>V^gOJqPfpMU0Qs|l@z6Z
zjf^_N!96drx3*CK`<S&uu2_UxhEr<reue1DKLQ@ZKQd40z4n{se8fY%@dmLMTWz}r
z?(bhX&z%rHOTDQVLD|ewWxH#u(<vVQRVdWs^Lv%RP|J$4z|c6$?WC6huFozF7vQEJ
z>l<x5+>jrhdZe@AS~j`vT;RN+i>u{%lBYWKYAXoQIGW#eumc6L%6~_!dj?bVjf+Ut
z&g1QYu@P(COK3);`LgjMiiu&{ibOAl2N#6M`u@lelrh?9de2(H;SlEqB=MY&y7@Wb
zRZt>&U}uMM4-^bP(Hl3^Aet8(mP50iTx@UTZgVeG2dp@P=KkenfuJH#;#pqP#^D6g
zw(39bcdiS$N)`d4BqjTn_2lI2=jYv+n`8sC2$eYDgV#7~KC%JK$**}I9Ke%3t_B5i
zYt>!TYrbV()~$Vxko~7Vg%?Kj2c5*bIjvpx>na3yo8$Vv&@B}7V8HD17|Zrux&~+b
zDLIM0@i9dYWqVq`H*zxi%t}nTVG+=`_g$-P)olmR<WNaVtK+s{B?W<{p39DBkrf0!
z5eVbjs*Q)OUIwO2>(L(@Jwyf?&7!?5Digef19zGpsW-1d`|Z|jUzU5Q<g5F~jAk`m
zeCd$hDpHNO5ETuaow(8We&A?=V+?Mj6WW9mmS*#g#_&gk9yVKV#Z1%_`-0xzFEhQQ
z%auKn+ivW)9j%qxUTGFgrfywK_#sMQ`2(%tVCr<;+p*tU%D=9h(VP3S==M%LsgzuZ
zd0{nfMfss<#gKsE^K00V#_Wf^mMXa4HdNO2hPxHflTWh<<j?4pBj5t3b$!HhmuxcY
zhlYP~D!~)%2bLbPMA?5&m5;q&GpKO8M<$wVNqp0oNrwjMy>wj}wP4SAUnvohI=}Of
zJ2oJ$65jmjYb*#mdHLqjeZ!<K@0wLZr-Q~YSy?_%H8eU_CwL1RyH%@1wBTm}1@{z0
z0plS=!Ub25rgMocqkr-nnWuK>m5k4Kc<RPbJ;76m#oR3QupQW4+tMq0PoBS<l&$!3
z>$((kiGYgklQc0EzKvg2C7aCUZA7>3HJ&b6H~vE1s9D0QV>gejxzps7pnx`bwEQzW
zB7kFPD`M^*Wt4^Ct$UvYH#Ks8qzE{y^}L(0Hq3azs2doa|20`xf3TIgEo<IP@KG44
zjfVQ%5M=htrGqQjnLod_W4=%i*OV7#S`qQ*W@{A+Rdb#u+en|BfNs>b)E>U(cvDgm
zCPX7#L1!5pWA5{sD4hd2VlK?l_X`7xK!=eu!@D`ZkO8H*Av4R`z&-G{9u`O6W$7ch
zHP%U}+Qfd3``sHX>BO9wNTahi`NKg^gRzI-I1;7YxW+GkTCtJeD6F`4En%_yS#)@`
z7gfu}IwH&^4v(LbL3mg(M~+peYG@X@^k{f;%V6aeXEg7}@XJ9G3NylH@eonzdvo23
z>X=HoTo(%7(X@R@LrKB&#8+LDnyeqL-beQ^&scvSga2W?sjOfqqt=`vp4rnlSZsJn
zg$m2UAhEGlg=l=DOYYfn?w}QWw$}?J`GU9oFLEtJhfHLSawp!oBwTZ=X548oM)=(_
zQTwukJ?eA2nvaQD+lT`Epq?A%L#Zd%Ie8FL^dMGJZfd@+nmmt_d8*IX2t7|zt`hRo
zMz48M_A?`elR(I{&F>jN-l6Lw!!OC!-(n>%X-G{Twe!^SyHtdzR0y~Dm!tub3(n|#
zs`-bMn3xRqD_&~GIU+;`Yfzmw-=MFFcKe;*9=)v$Q0cM{&XfJZJ{KLD;OXf`Hh#eJ
zyMg`|KE>?t_)%g&82dD_GOx`)m#8;xp!=DF2Kg2#)O?I%$~a27Q9mB7C#yhXuv7I~
z(rQcn?m0e=r9%wbsddHK-YPdkEJVGiI@(q|O<l)6OB3>&t~Z*gMTxdqy=T_!OuC(G
zN5u~*-0&nPG^RsNm;v4lU9Vp#x4r&ePME80Mr&6Oi0oOQrc1EROmYZb@**Lq^>x%#
zSHFXv%r}a91s(-_b*&==L4Z*8-TG2;;=2&)rS*kfJcMsU6P-0%)3F5CTZ%yhOV#8R
z+>`fsBS(Ym*O{*osbC?5+wvV;;jGz?t1cmOtetyl7F^1KOh~NW9~YKvRM2Lu`eAkN
zoYG+U8CKRan05U4`YN8z+ZNFBGzkQm9ZVV#b$4p;&QcPpF6tv%!V64)eD4(sMkMW{
zCQT0ty@^j`Bj6EHiO34umiJN%O6M~wESRx0eRY}P9VU1Awxx~dnv4)jauCXOT~rVh
zydZ2RH>><JAqtV^L*yq>8=B&7cD|J#7!0m3cx6#O*H+KSWhI+9(CM&i^6OJf;XfTA
zfNgNTo{>;B_`x%g-L3^nDfjA<FE_BHdOY7RzD^{}HU7wp)$1Z^Uo?GrEo7cSVtvi_
z5{!+39Bv6znUhzB4$uzQMGS?Ce#v&V%QO-+8PNJff3Dqi!Kj0rG2ZQYdWq0RjSM%;
z?ExW3i3C}hNf8TB&Op(4!KJBufNS-gu6Hu74y*V!DkIsbGStPguK+<w<tm_e1rgd`
zrt>!|`7=Nj&i2#`M5?Y4yn2FX;^w*5n!x+#BM*I?@(p6~_OD*GPz?xK@}9?qun~Ii
zG`o+5UWCS&>l^A%xKksCzI*tw!zz4JU2Qrc#S)ibrAY(BK*DOERe3&h`v}22TP}BG
zY8ewQyg;<P%#k}EGY|E#bE?eDbzQBTPI_jkC#Ox3I};gk22)}dMvWY{%SLn<vnio_
zHg0xTJ)swV&pK=w)`QI>!Kgu)ygaAq8%_fq=I=UHTmI4}y*FiNnYl+EC<$}TvUR#p
zC3kw^+Eza|EKMdMTc`R-=w1#qhT->iRpxpCVsRp>`}EMnr*;KO%&hkZhEn!y{IL3;
zmbg0YFe7{4(PgyyTYZ&Yw>G9C#YCGKw?O89tb8B+_>vhp=Wz)XRfLExzPHks5|S*e
zzFY;Kn>l=3$iGpfwaw1xxq6hUp&;tPP%5APfP9c-gQ3=p*b;K~edI5CnxUN9`I<|&
z^#4%@dB+cp1QS4Q7B7w3Czre=BdSRP8Eq1=x3}`oHg2&`_eV*WgL^<Xz{F*hGHT}3
z<NAK+&;FZ9J6e!Z2_6$rr^PtoBX5wI;fG&y=aWhG_++zy-CDaS5?fR2=IE>rsF`jb
z4(^!Eqc#)Krxuh)gBr1^aKR>b{UFTEPc^i8tKXFXO3&oBt?j?nUjJj*49&pOhAnDg
zFGr*a{=zC|!dYJ0M2tJNvBUDGt?1f5cl~m*xUjQRj-+8_F4%$T31IrwJ1fKKmR$Kx
z)s_q$%xdVne!#w@1~;LS2c|ht)Uf#IfLVB$7^q#Kk@ZOPnb2g1;Ll6ewpUx)7$i2=
zJ|VJ}fkFGz>Lz}?1X~OM(XzzQoDseE{{A;{i-sODJ*obdFY^NOjvk^*xwC`x4ZmxC
z8&u>|-VS;wiF&8)u0=Xw1yU~`>qv^;WjUkwEb)tAj!zO*xFO~iW0khSd&}B#jG~O2
zvq-f=TS@bCp^u1k2rALk^;usp@`v18oS6@(W0@HLp|m;RRqTl1x<dOV8F*$uzH8RJ
z(dm)N#G+E7?u>hz);ek$*$=ixmb#3{db84V!kP>tJ->xXc+8JyB%AQS4g&ECHqf#U
z)rCz^-6L=%{gSzEL&0|<(;a~z<3*XW{_Gc?_MS$sE+^Tx&950SKBe+$?CpZ~M~keT
zmV{N*p@eews-r$j=5c-)HWn0*%;Qe|M^oU2>jM+v*PFZ9U4c{mSxA`Q_G;C%b@A%=
zPqtqCrx)gs_Gd8PU2RQY=vS!7cE-NXRw^xuO!$?2_aA#@CYUGX<~oonJ7NHbJu#UU
z_MkE17u_1i?fww5)R~T5)Z`WT$53Hor99)u^U;tBay6mo)KQ~6`+_KTyOG#vZv%|`
z;+*)Ghf^|}{eJug6mq({xRUUSZtDe)v1Qx%NFM*5w$t06#YIH%Wm4!jU?CrKYOdvO
zBeO_qqm93YKE5r28lO()u5+~0yN&)~31LEo>(a3HalWQcLX=n(eN4waMipI1SIJRn
z44W`C?>m&}xd?yL^0TKk#}2AkpdTbzGyZD~?wLbSuXIeJ(+g{~dLMX>CduxyNZWdL
zDhKK~&1K0Ol&u=Ec6Y}cwyK=&qS$23NagmsuJ7dSRW%n{A5V#z=dJtk*(ycOdj`4m
z%V3`1Hs8#GeRNFkgLFoRg=j;k=CZE&nE@veCDhKrlplzT{m)g;LQp7(II`wHucc?G
z_g{yY`AyOpc@qP5@vzPw-Yh|mnxbtQ-8NnHpKe9{PQUZbL=9M+z@R=-!Q|D@Y0vEX
zJ2^Oh3USbVJ*&f?r#Hd&j6%fzTJ-5BC#BvFPf{6(IDPZM?EP<be*e-e@T(S{edl`z
zLVL^7|7C=yC4y_~z!QWcwd>?*2%N_P$mYfVn-H@~1n$>VSi9#5FTlTpIn*&uDg^!?
zv_MCUJ)n3Xeo}`I9-is_SS!KnCjYT3f$ezW-S~eCxCh?_{cHW=8$X5+GH;_3LzO&d
zmSu`ACPnFnv&zS4PGpu_z1ch%cJF6g4>7Br9tY3H$&h|;&LCzjsmJ8a^_OIvHVZ8s
z2jJFQ*Q-QE_ceW**_SzA%l#fUQ|2>ubp-kfV5UEmyT3P;(EAz?&6e6y2TDFw2p$6Y
zYgj4~wV(N;gAeX<ILNB8c(X}!hikGd(6Sg&J$c;qp;iAgB^V*=IH?HTK#iG*R33&g
z{%s`Tt_Mh+o10~qCDFr`yPuczyel&uf@ra@?OyrqEJ^W1YHR4{OpMoM+LhWR$+7N=
z4G0SfX0U`M9AJ9Kw*MCJrt~yj;pS_jZ?Lm<XmW2;UWhS4@xpjNnF(0d8q*4MjBBL1
z#f1;zBPT++y2nOElAViR#>A=R-k%Kboe|5tXYiI7)-&euX8q^w_A^sGPv(F2=6Ld0
zT#k|(5`P~^7a#9UYL9i<eHJzRS+TasVY^}P^_DliCKcK8r|uX>e|K$9i^~cCZa6x}
zX!&G<jL5r$(!WBVep{I?%A(=q#qh%x)0YTySu878Ud%RF-M(JO179qQIOng4*)9F7
zD4eb>n_&Nv{B%NUv(39S*4!Nx>z50R(Vg`AZB`hce?+Pu`pmwuYvGETcwN5J>m9?f
zoi>U($6x&KI>cUvd8%meYOb@R)V9jjThH-?Mnl7Nd7fSgMMR4OzU<Ez`!n5*t*<1O
zsrhh1LLnEexIFIFBL#7-(*_ZSjOtSFL4`6FBT54lW3XAd<L~bNl^hpN*Z#YW)Os^t
z9AasxMv5$1K$L^%)sCRo2V!H?uqojvt27g%BBi%NO~swS4nI=Ne^bpMh^Ed~?mTo&
z_^D)lInACml8*P_>?j?_m*QW%FpWrWo(0y%=IN*UPVtHmS`N=rHK>l|{dan?>Oyub
zc`StO41vsEcQs06*mW)7oSWAqctP1{y==XB`dA{>rYnWkcWfvzzVxOOZXySn#7+G3
z_+qd}Ai(|@NnD=B1yEG*Ug=8Hd<;X(ZYCybZmqu05Bpd{uq7lPlBEb~Q^-kY?Js55
zS=IFNeNXMdH_3|=PMZA!65yWVuxYoGir72Dh#|II4;hGZpAB5U{1H(iIF99HN)@!S
zqyl8oM<zeQPx3T8hx+qZyYY?cNfTLvK^yh7!FPF)-&F-|gW&Yz0GPJL5v@O$5t!0w
zv#^)~bn~aF+)Ec<OC>#F3K7HifepP7q5{nbe+&qHyTcz^(|9MH3B%)EM{3<~bwHrb
z^-neST^hs2!61sEQT#1DtnQN32lfWLkpnX-?Z)&Qk&9cAZjlZhF6PQwkjUZ3>!x14
zLcF4MYGEofA&*^iuGqD}LqtBdeR}eYAJ#|<VR{T<a(|hSnuKy&AcX75WOhUswRieD
zCr>IgD@a4I0d8G{xfL?cls2HH{+=zOWo0iA00pBF2Jgdx3xyshx5c!0R<UQrIZ->=
zgU4Pr&R>7Uas)D2l=36@#UMFsq<Xa-!1ummf{r)V)_3z=zXV&?gz)J?Y(b{yh`=Xr
zURc}GL@Xg7czi$r@*HkJK~!5TO6~jredzOa`d~X#icM0zSPqyEEXeOs{~uCl%npg0
zk8!miEH(+DO+|y;xlF1zZHkpH0##z^NzVg_3IhC?ABY!LJ`?9kl3<(^C&b+velaWq
z7RRAV^DGEzYPz@DmUR3wgb%Pg3q0=+g_h>g!m(zi1pPIaV2#C$NM9jXv-@N|ac=9X
z1oRI2)MtE?>=0=eg?5~wD%n|VqhH9HQh#58erV!~V31wEs|8$?YEBNYe^BBiNHCsv
zuI@1ojIcLGPRlYNH)_bn-z07Ef;JyrEh&jsN|1290t417A&47BFe3MS(D7Fpkd4m*
zDpH!t;V2TlvL~&cY)G3~X8BPw+wM1&yXPP|F%?Y%gz&{3)(!{B+GoEz_@Fu+w;lSt
z*^m`t2TtP^h{ch&)rh|BvHt%oW~oTUovT`fvrYLFK3BDk*00K+G3e=28_w7d=nl-_
z%JxOsu6V0V6y?pksY12F=I^kXyf{y3^<=Kb8?eXeHm9Cp8LxMIJ=^U>FwH>3pR71g
zS~#T?O`gpZP%1-$`NI;N(Vy?{V0?Wl+hF1K-=krJejH!%6_$*+y^2}iN<g(K9ayip
zttKGEY%lLPcKA&P%cqknEqGnMbJbHHon2yS{;a};jUrZ;2tI3ny^|VNmb8^m+C0Yc
z9`%a97`}YV>mq)=81cuB2KhrbP3>G%sf!_PxRhi=oPAyNmq*M!vH^-rI~WGJ>dIk$
z4}1Di0RiribJ0EqOgq+oi#_iEDFo_TOGJpx=96+j_5*e})~s?^uUov$tWlH=%gNHj
z3k!6AG-97%DL1n5kN>N`lR0ps(9=SCK3R$?^!%I<NHwjX=<4C|0Fz-aH(TZ`CNnfj
zmcSN1q4qLidf&dYZ(@&i^zAHxz1-6(u)8TY#9%-I?}rhR$L3vbxz0SqTnCa{NzVhs
zUJORKz^BK^Ek0qUaT$p9!(W1fvEUp`p&TOkJwGh0tp0!exB${*d|9b{m*4|2{^)>>
z_Aw^zcW=~ldAZy6pI?IiJO$A_x=;Azp~L%XgErCwoZjp(8#GW%@HYkYc{~sV(1i~F
zd>2iE9~zYN=n~-@`i=m8x;KdJK1zU%BS5qblo*WsKmP*}JUDe1|L4z;%lOHX#2sxE
zez)G>KYl<U?p*h$44-Ns2BQ(i-|{=4ACmJwxgJ2l_<ly@LoAF4$&UsHegy`18FsjO
zCksUm`Z&IYI3z->Z?VO@EPERR(e9f`hG`n(8@qwNa=6q#8Ih&WHkk4Rhc?+%<VlS*
zyq8Ef8in_=;Y?6se0N7X(oVRbLYR9-vGxwS@&y98C<s*#$3m3{@dADWeeW#}DE&n+
zisP01Np%-Z|AL)jCVM$&o*&k6Hm786jQL*eoNu{S{i4hJ<Z8<GiX|M%)U(XYb0v|t
zIG|=R;kxzpyc9*B?42~Gcx7~F@8iDW!j3l?VJN!*4<T2dgqjec;qjE-SMq_`!KYm%
zDU7Mh49iTdj44qU;-xxG*B6~k2CiR9yzhEpXG}yW%E;vODQ~KyX{IqERneRZyquLO
z%IN9F0Aoi|GO7u_+jJ?_bjCkKszx?4Ggzkkf*n8d-lw||!*9p<Hkrx(_K*tOnX&-Q
zVI5pytnxoE&eJunUu)pPI$sYG3{Ob3_FSRYy*V;|Ywru;AI36iOKibBM_D~3)4)vm
zGIG_r6<d|I5<@A@`oxf*YdYlgDUvw+w!K04jL|f-ycsg=CEB}Ag88Ia&w)`bVN{VP
zGB6u9<^Fn)>{MphPR4ukX{#SKSwrlq35el<G+TSK1>uOK_9vcWRcu%~Wn!Fl%lO)(
zJ|g4zsw{_j*h7W4bI%ZexQ95I(JueEMmfk!+-;{q{o2_WqBmwqz7P)8NeO&<cYW8>
zlJpY40^xUXIuFm7DL>5ECA~$J656knl_dhnnc(Y9k>_&A3Rz-Id@|x2m-ZRCR}mLr
z4=wEnZsG(UJEn)>rD1s!8ibiDyso6hpM>hoj5HBqQ;$|v!7~HLrOPY1VZN5xcjM{+
z`Jq5(Z203Rq=$#@JO1p@APeY`7sY;l4hPJ|<(L@ufD**&MwGDH*M})46dREN#+mUs
zAEc=W7iOf~oRV#|3gHV~AMR;me9vUp^+bJ8;-OD?C7>#@ccG@$D&%yzou4ffSHIL#
z*d)OrY0L@Bblu?Lw!JoXc)Rc`{(xX(9jYVbGfV}gpZNIc@%zH|I&mWP*s~&_7Pm{L
zRG)z?J<@Jr?L)R=x2{}i7>@1cJ8k~-N5%Kl67HXtWYIXE+;z^Rt5lui$w0kXfz$bD
zexMmz&g8v@v!9%KDDhpiZzzJuvXwA52<oPa77vcEO3yC}yV-h<FF)WhEpoaL;qT~k
z2Gw8qwJuF+c=}dOe!_RsE39T^*D>R2IS5NEmGMu{>kA(d#?w~Q!GhLAkB2)2Zi1)c
ztT2A{fRqNY$EHhJC8QWhfq|UfSWuw$b$l#!C&WNn*TR1VX_o}#bV9(V$UHbamoU^X
z^UB;c^4Qzxo}K!&nIyy%R>=J{mSrOmnK$#j-79fGBtR`2TtCL7f5d=G_X9Dw)A(uB
zl#-3xEj^$n%nhN!vGYaA8{gMVA0U7v6y>e{sJtY8tqSz;>9Gcy^ZolX)s^~wD}`qH
z;`Z@jYHg=9Rkr@Ye!O3LZZz@xbBm?=LI$Kw*<O#ouREr@Dj*$u_gzEA-AqxRZBb^I
z+C)+a0fgYn(JM!R(IvxtAE>@7sCl|;cIZJH9c{MDe1R7v;Y@DlY`^h<;7ByzH&v#Z
z5Q&j9A+%PrX^Sqd;^MD!rej#Jm|sr{Tbema!&AJPG9|cJj2Q;#rvVe-+tyOk%g9}%
z=0Sa_dOcT%E!LbKxdmrZL|L90kikD!QAZ~dK>F-gjAaL&CuIv>805%pO%TaV4RvoF
zBGWTgv((IT_$f)b99wWx=(VrC?b{(LVzt($07o?+x!1Bu4>cPfNcP*gtJUzk>(q3T
z_T5Kk{|d%#kfG{L96EmZPgHOGdDJ`mrHvvnM~C)UFdSaJ+AIp6V(B0iksM9!q+Tc*
z+a`_5uXpGZ*XZRpO%fWAc-^rzcx^ypzer}(;ovvYq0e>L!c*@0m<Nk{a>NfYs$`S>
zJvM~UO$zX!Bm92L!Kl97`?!B)<Qc}9+kF!Y7-rD&0w?S1#{ugz`lh|758Y_0=lpwc
zrv(tecU?(^sn@^hs*MZW9x$ZB?FwJAVEMZ~Ht3oMXcNKZ%EbL!BYv1%z`ON;07yOj
z<{d;M_MDMmRyXi+5JK=B=mP%{9eCaCul6P^5l1Aaiw-EA&p>%E?^~Z{=sMO@z$e~-
zQ+jiU?w7GF!LbM?Isdx?D(+%jK8cz>Fe-2zXu-=waINu;ZW%#rQ9FNpW(;Dx5J$=(
zzL9K%>+nQMX}<F|`LPH*7PI)Dd;s75E2JTQ(rUY3LmMnXfCBsRA^|~P(^{Lo<0qQ>
z{Uu(^QGlDr4g@SZc79;~%pJVAB|4tv&*6P-?E~otwXmaRkH+;(2)8w_O@Qz9BVH^s
zf>BjT9C-dT6}kXgKUNT^g@0B9U)q7JIQZ|s_ZvjK*gQeyFXpIM6EERR-D^21Z8j7G
z<*rse6%<;8Gsdfl!PTkS%FVnsmb%?dEC&u+l{S*QCNz_Nb$j_7><w*p6e}&S7R;{L
zYyuSIWb`-(qFmnA_e->Nxjb!`_J{XhbZYfp<@d|a4b+XXI9Taq6^XH|w%3VSrF$mZ
zQTjSz135aHauKGezv1AaInlf`Zn$RXa@8lhpbE9PV>T@BISOr<cCj%reT7$L?tDEu
z%z)oq#9|8$6163i>zIh(kr{KbM7f5tmf!9dQb}(!5W=Op{nXL>fX;nimlh~IS;r?R
z9kH%(Z)djXi%oOaHDm_&(6v1-5<O|vHM<9e<Dd!COk0cgGMhmp^Q6g{%Cs$zyNEM^
zZnUCsl29G6W(V5;ZXm{w3)WGdCqr&a-8}6qgpyZ6&++Hk`e~!Hk(j3@udjz=2P{{c
zElvEMBdY5%Nig{YAVl#<3sZn@gc0U;B=KSNaB%H`k@oD^SOgFa*`97)KP1lRwa?Gt
zhO6KV77yQCcaVrESfQ@vhPf{{hEgr3d}ggu2h|(5QC}F41Du0on0>tsE2kgz6A?LC
z@unWm@pD-SF)GUGw+L-Ie1G^6qenqL%AzjI##MgarpA_?tEJUX#^)Le?IP2|eB_Cg
zhp%($+csZS(|FxzdA`}Ra#Co=x_IfKT5#_>soQ;7p~A|JGRbmsvhpC|uyH-e**5sP
zaV;&<ll-)ifRfwncs^>IIkT9F{^G)f%pZ1OMuu!Xl`8aJwkWJ&Sl=+oo#_sAeLKN?
z$<0FgHSRH|>)VmaXR2*p3?nVWq~vX0*V($)l1;|LD?JCjD(sR-F%S41OvD707%5%1
z9|S)8(pyt+c+OqYZ8Z>u(^}s6y)}_t=_EZo%ibH@{|9>|(MSsGyIu3G%S`{p^;%S5
zb>=WbeKn$FqNv_%&#0ciLz*a;6WkJ@dgG<ez9@u=vRh-V&_23oQf|H61^szufm=>b
zXCtgwsBdi9%(o=;zE;;n%udcq`77k06nxDAkVb#V0g0b|`4i2)-Xb|>BeO0h9g*JY
zSKtG$E;FkLhxo9T=Ig84AX%P%d7XhR5xUT}reg<mfxrr8{j0SXakP3b>$Zc2JnAj;
z*N5jf*hb=5+WQx;8k!6W)yF#xS3Ys;&>he8Jlw}2A1;3D@m*pG?A5YZoHIsZ4CANX
zSkbzTvJrx<x_#x&DG9V(U-4`Owzho1(UC+T6eutf)X06LAio>AQ69gxy1#$0h5VYc
zzn+*WcUkfIzG5@~oT-b({puA1XVubXGf7d;>hqpj%fCWc=$4(kRF+kLM;`lQ9x86?
zNp&?hxR)-cw0+-|3#KARf56*wdpE9@M#6A+-V#El(>-u?!{)I=TzG8)hlQ$xS|MLy
zLU?gP$77%6aIW7s&>6w=Zybn>&&aN3R=Z8zS0DE>{!~3MXr*tpY%25Jt&%_&{#Cxz
zM_O7(%rDzwM~lkq*@`1k7_&L2w#+#s`#o2ADyhW!`)JBh&DH&Jtmj$e?|ngs&7rO$
zpNgHlA+mukcM$C(TQ#18>Yoxlw!46Xpr7SZxVW4N%{!MQY}b3`sC>Vicd1$({1kgm
z-OPQD?V~gVIIlXK6D$v$+A!?cldX(jYn+GD=dTo-m+*Elx$6jM{Lnx@p3R<!`yAZH
z`5qzGNJCN04Qpgpru$Ph$B{bMd&|N*QQOjWHI+O8(YU$v3>rZQ$H;xSeSK(HT69uh
zlm4tL$}-)MLeFz1aI$iEB`X7NUmM89rYoA`7Ih!@9MQ-#<39D2QW_%dt?n<8Z~6lH
z5<#)5P^xc|;Qqiv4V~d7q+2TpQ`|(O^IZoh1XCc#=GHO;a{MgE8Y<_HOA<;jOXazq
z_7YC-+$v4E%X3+N-32cQw&X=urPH~Ie!6`%XiRv92@@0NYB16LP`_a^y~zAW50vZa
zg^bkARtsW@;8&X}7jt&$EtK1vEJTV0<L3eM#Q^q(71!@4q~;sRLJkJBMY+Q?4V=9L
z`c?6+OCJ&1q1BUAQDuvpzb7YbVpu2_{{frjY5T`dCNK%XQj<9c?|q5LOEsw|(abWn
z{#*_o%tf{uHS~VLGHVaYllWL9`J^FAY_obilM?!{4Og;w85Dx4GTWA}eU8u_w!I4!
zIe~W<Sj7zBby6i`d8B$#whEH-4dpun)rfQ-`fioT<OM?l`a%QiU{4dn7uWNmZ3Uan
zb0(inq}uJcU8(1VDHQ~(%brDE^or_z(RkYUEY^G3nyuOWIxQ03)NVG8LyguKN7%mR
zyOW?I*nwh1mi*4EmJT#RhmUF+D()?T`grHsu>CbowUsX&`wnpHf<XtHeu`MS;jx3f
zU9w}_c_T~Z>`ZfGQ2-n>boa{KLaBjDw=RoNHtJb$l?ig0DEHe8CY?chG+i#pffjkr
z|550|c&fOwdobXx)Zy;zYEs#DG*;1tE9q7%pr@y)ZyR>3XiXd63RjsB_tEcy%bdS2
z_53uzUGIpL?Vra2{R90_z1d^aE3l%LN^keW&f-glUV*GtSs7gUbQ6p5s0=+)Q0TjK
zqM{(Ic{!`&^HL@Iv?jmupxij9#j`H=Cwl~F3MV^IgD5%8!rM>xa?vRXyDS(J$X^|#
z(0omiHa|Y0MEcIb4Rn)t_`;mW{H3is5EW9x>GOa39uE{P-$##+>J#jE4w?(W8bQIT
zkvz{q-4ZX`q4bjGrNza8NkMhm2>b)!);+W%=h|^Ua6?l2$MB!zC+bAGqr=&DWr0>~
zx^p(Q*L<oNkm3b&C*xgQ`~^x}doe}kQK~QNlzHp+p=gk~#JM<AwIkdEuh8se+WlHh
zKCfM2k{8kDYX2bF*PO&pHT1iP>=`GK4ExnRxQRL;f6%Z@^FLHL!L^AmMLDx0+_0AO
zoBNS8NVjhxy_Ib`OV`>o%Z9@%jK6ajzR=5~I7lYJRCe)-&GSuEmyBDdZ)VgmAot}U
zAdO5f24I<>O66xCiN`VEG<!TF58A2E?kT$h+cTq5m&@1M)!`@JcnIyUjzh52W)AHF
zQb=@<8QY~AC5e|Kc~ZHe2Roxt*t@jCH}Hz{DN+nzD{CuPp{<ljeP7@lMe~F8yV&i5
zVBKXiHIqsm-%GIW0{e(vhnf{%3kr<)#4jIGZPDf2gx+|&-G`g!!krc=<zt2;b04W)
zH|Ny^)NCs?Qat^+VQulX*u5s~ixvwCz0D8A{A8czw9#`o8A0zWgN)5~q~n)_6{bV#
zMZPsdWBL$NYP2)5GTY@b#ml{bmLYtt%LcvTTwVb3b>*V!!{SyMk>80YrvMmm8-{y<
z1db&<2!jWba8yLO9oS9^%V~%$Eh<mShB?$28naZHxU<~hyLt;<njXHVW##hAQ$DB7
zkPz;cySU$-mE}1!*n_QZ^_mli(ac57wH9LB&nQP~w$}rf%b?V>?rm|`sCD7l3?`>x
zGEBcM5|c9chp=DUb&nTj7ZaqW?W8uH<?h~X67ToQ9f!I2wExpfgxI!PSf<5~<*}A#
zvDd2_d1MNKxlT`|2TRDzeJLYQ?D?abfufS$ev^&Pdu<XBud~nXwsmn=PT{p>=MKP}
z0gUJfMB{CQ;STaKnMH+MZIijr$o<_S@l?IJh9M<DxO)G~@b8>jl$uV}LGL_}<fl=c
zBGLn;#pTv+o1X=046H7c+7u=s1VYblLQ8`TD;4{OY-FP)*H^0(Vhv4Mi1_2%JwJ{u
zw1;yce>}()EW;tR6R^1(db#6~IH#17Wc~;iC>t3D{%XD%yhu?IwtBgCdj03=SC<$d
z^Dz=1E2NKJRlzo&<{cak(T93`HH+e|vq$Xnk}i7ontkV$Cv5wFBK&-}Q{49m@8Pk&
zT{SV-?0s}Ev`&uhRG7BgY{Km;jSnb{eQOIkY%8}TrH$e8XOV@Az20`lWfS?o_>CMk
zwP`a)rooxdI{i%d)8k;<2iMee{gcm*Eg6RzyI61h9?&w?dY6M(AGGu;Zo%9~$J`F`
zf`oc8?lk_a#PA>)LrRP%F}kkOwN&m<oyN`=S#TTo$APpYmqUG@G^?UB+&LMo#BkUL
zeZz&s{MA_rB`#COf#?s)i%+>=e>By&L`Ig!{xnC27v=9bE=CMeC>q*Bb=-P$riN&)
z$R91ixYp`>W+J$%CV$}7n1UaK{Gv#E20vM$Q(h?u$kw&PS8Xd0JQ#VS`OPNUOFE2?
zjftIQ4MgJ{E0#bIrWhA}M`diG)TBceff*+^*e_eL^4kWEu&739?TTq-N8KEisZ8g=
z7lqY`4*Y)h^ZOh;jQk>}DxJSU1yaJT4Nd8rMX@R9AqM1m2?%zF!rm}q-B@!=AV*cb
zWYg8HH&F?Km7)$`-(zL<Gt$RxiL(_8D71IY9t--#olE_wHG3HuEPnh89>hBGn?hi}
zKAzaJd!TxjF?p9Rb{IL3ylxhq|E1a2_OtJ2$JW@OMM8ct!3c_lo^+QoTLQT*BduAv
zuR>&cS4TnVr=XFkj%)pA`7#81a~DB+=fldpx><IZHTAd&dU}6hLbzR4d3w`)wp`Bk
z4%P@nqkZ}6Lh#G}GgTOriVG>T5N}>h?JO1OS(Y%2VyI*<J<Z3oEKS&?CIT_6bZMU+
zmK~|DkFfQ%m|1@1F;{5!@G|afgynL_7&CA_9V8oU4ve@fB+9og)RMn;FuZu4f}hZ|
zajkaA@&JSl{Jm-^2>*P?`Uet1CLNUO_8-=y`kcn37pHu=##%Nza8D~28!NYSRbE;v
zb&Peivgy`8sMg|g`L(*aMwp#CQg&eLMk|l)So+EO(J`9#Bo@Gp1fI<`=jeV4B`f3W
zx7?(K^U<Aeqv{-MT+Xr@CF!saT(<>V)wFmMS!ojwqNI;dQGn425R#kTVwI+-70&lr
z)X`OcrWlA8n&9?ZmJN)ZT@k-hz=v70V8}Ar5R&HtX7vF75vspObj~oPu4vm67@nrs
zjub9f{k#MO_X42wCpZEo<;K~9!ub`s3#ObfZMa^y$-W6>K0-|j4}>2J-?1XYt7Q(O
zTjH@E5mncwuu@+R0Qj(5^bOz036Q^FI<Dj1czt@2X*7e;4mU5WUTH1g;pd*MhTUM3
z3)EeT6L#D4KeD{>g5~`0O_Ti-Tpxf3e-ZUVSehM79>8woh!ont#xUM&0FIDj-4b9O
zf4vvLH-JYefS=&d`EV?{&YzO!I!3W<j@%LQ&ySrGptl?N4#6++9Uaef3rCAgWm^f<
z9@Wif2V*>TM&LqBV{Yp&dFS$b>7M-;BcaCkcLeqWIrEYzm+uT-=A6h)zo%x0DDrV5
zUK9S7nqu4ai{1O%fv?n@AUWA>6BYPz9063)V2cWuGDGr<?%GkH3R#+p7GB(5?`4=e
zUz;dCKTW-O&3p*1T3`Q9p(#<WU|n2Vav6WNdC~<io+BLp4<k}J>4hRu8duoVc{Z(B
zo5Yj|d$E8_b3Jj{Zhp1vJ078q^hmc0J$K$G%#=z||LX_40@EB3`)>E1+*VaiyWvit
zrF4T!Zn#afOm>7@G+{2KwXVENsO7q2ergh%TXBN^E0VvfhmS+x*O}ml^=Z-4v*|i#
zi&Z~}wk*8%p@0FBK%Qgx0@+d??-<_Ad6g;Q3ar<n><RJTZG+PzuX1SdWE;@a5;w-%
zmPP7t{4u!2Pl}1Rr*qVj$6+F4UFR+S_5IL;;LddGp!?CppKicA%XTbh$BNEfJ)>80
zMyHl!;7!*M&jIvr;|tv^Rgt#@Qgy2NC0{4F6mB<_`<rN>#XVGt`G;jL84ErF=jZs4
z@qg}p<JBKG#54`n$^4K*Hi+4E1)e=Rr03hRFh^DhaC{vfn`BPdA3&juj`S)iE?}WS
zdMcxL&}R=0k?zA?_>Pb*faHKXJb);177c%zfNYzpA%<gY(Dv9LhiKoi?-3|1LO8)7
zkLCI*w(&<#7Sn741%tAN?<9y#oi{u@Mn}gJGwg#7keuNae2?&N?r@4Kcx)1_CwQ-9
z<aBP5E;})B=f);DDmNJQz4+_+jv><<)Nz###qh$$avU)xcl%2kES1sO)(QFfFVY(C
z6(Q{m2Nugmf(Eq({`K5RLsWA8O;*t*Sz}1LmjW!(pj_TBzET-gp=-d`TKEu;M4TLL
zAKGw1-rlDG$w?3Hif!~1DtN5_y8H|#J-oHAFZBI-%TT3_?L2<nj_+iVV9@#lS??0Y
zxw&Z5gkDay{qig-^;7>IK}9A{^#9%Oh`*?(pc#0dCGZqUKytAC(OmdHoxp60XnWs3
zhY0MQTKpS>Sq4D{zV}a&9(tD^5F9=;Tcle54<5}^yNMv1$rtaNIfNt8>K_i@p~HPV
z4mFsrqdCHZ!8>&P(i{V<1V3j8|AU_%dMc0fYW!4=p9W_$QoKhLKz=0W@$l`*l?Jcx
zZ)fQLAF4gVh5s*o{~q9iojT?1aN^_>J_USi_(20C&kzK+AmqKCr{ViTvw`I}b?ltP
zyKPS$?V6u11^6c(C%u8jqr9h1hD&hj_#A+z6J)8JJjW+)Rf1Fh$^`OLC!qA-ukj5X
zZ6N}T0*C>y4gk0Y4dLPIm-v{2QzwuA-><<hkG-;BO->y@`{3(CRb-VOj0X(mWK_rF
z$8Q7}%HgVl22Y*5_eXO&LazUg>ff*bmpL7d6hG)=p#AUH|J$671o8jtoDN+Dr%sID
zzhC1Q=dV}%)X~F_UlF|gIzFMNz_Nlq8Nq%ZOK)%m@KW&5e@=Yr=<v`S9)}|b;2rd-
zQ^$u1{P*$KP~ubnA9L>+59jy94QCh8A`*fiAq~-^can&Rp6G2^1i>QO>TIfnAc^R~
zFQSB1Rxhh;l!%@vYgtPWz4x-pb15nRcE5Y>&;2GZWY4+InKNf*&dhgajspAulO8+r
zARMvD{!`>Po7n#uy+6^RJ_L^9*e{uR44CL3R{#IUAt46M0p`UFh8$eSK|bL0j<|0-
zYM%rLtb%b?1y**jGmI9nF%00p2c$o6GyY-<U?2PYI{Mv#sQ8;IEgsYd_Q<h6Z2pI#
z4ygCvX#$Y!NHP4)w+9!0AN=s2yhQRB;r@{Q;3)S6(C-8KeY~K*F3~Tkb9e=A{CA22
zTRc=k0DXS1?SQBM$L;$+k!j3;?SC&ASpQ#l`CxJXC!+t&v`4!F&hLLy95{f#$Z>Gg
z`(OMcQ~s44`?leqBR$yqlixf7aK~Q*|3j1<(d-8B#XmGV_~OC9BSHR0iX2^;{V)D6
zVju9|?}3N6g%Y?nzYqP-!2ghkM<)X8@Bazn|414!E>RL<gvgi<Dm0eO6URKyFFF&L
z0jAm)e<v{MlRej>sI7d7ql<b>ftvAl8w=>L&62r&=-Pg~^!Sg6QU>cb!yQY;?kH;@
zgY%b!9r#C>dzYuLYQ7`7np0d6cx(Jp7y~u!F@dQ{Pt%hWMNwl!YCyOBI<<xI?{gx#
zF+mJH&Vtb2#}zohptq2_wQ)=92!{u-V%4Q%4xa5R7r`b=sH%jinlH%-tZurFXs7;?
z*%T8G{4<7EjzIn@>_JFIA`IulZPsVWS9?MckDaa{6zcT|Dhw{BPByyWy9-*|c2;x)
zWwey@VMg_G?muaN9iyLfO>nJ0zIM9wmazgcTf)-U>?h19QL;PCW0~rUuqGW42K3>^
z#<r(o*$A0FirzS$3SB|1wVqDu_|&M-S;i6wmNQIgbQwUU03sZib}-uHTRiy(Lj_)a
z8z>OxdDX0MS)BB<OU}mz&Cr{FEZ^4xT0~_SL33`02>!hc^P4kWa$Y$Jdu+rpzl@I?
z{XktT9rAjXsjYE7sFjJq&Xl?yEYGlACuQ6c)vZ5XXjBxdca}NDxuUAHS2FuXKULc>
z;)7I=Qn5STFV6fy6q21N{obODbwtwRjXZ%Si{GApJm(xz%Mil0ir22Y03CPiwyJbD
zox$o~SnS?PZA}{~6-6SRRWd~vB~`Vp0Ox<8tbX7-6edi)G}qi4``mO3lmS>~>z1XI
zf*uUtu({Q;8Ab5KS53hT1Yy|wTHVAaq=$lCLJeboEc$xa`{qPWeI1B^9>JhjXQyH_
zzxS-upzLW<J|~07Wf6MEzH2b^cCGrz(9S_6ab*#O9)35NmK+|In4_wEhQ_%!%OObe
zWjo_1j(xpQrAHHE-iqOb&fdUGncAl%)%!eXD51h#a<i!AWbTyyUV#*H7c-4X$X1K5
zwl1*eg6aiqmyD7gYKDbYIutdcH?e%Yoo48yiJEf_5cheLU+8f?p46csro~>?t1qH8
ziqI~DWWVBd$emS2`;wY14MNm~opmGei9pZ@QW&02&knQElRty%5sxQ>eO;sc;Yq!3
zE$t)j0$z4WTJ4!isI|JX|IC}7ZU-78iy`x_20Lw;Z-4aVfrg9o?wdG(MY%wZMQpB~
z$SUq0cxHJc(ek+7iicaTYW9|T&%h<<>=PDLA!ZRS8@%Wke;!C$T%-8mxo=_|g6j~?
zLBW`)FO1RFsZdd*JTEO0h!b!RUVv(qUvSF6xeKiWg<oLsQz$jFTC9deg4UTo4ENZX
zp|uLkr>cWpmg6*<t;*hB0GgeswUlQ?Z@;$FT{PSuc?Pxkhz@*cWdb`}kbB8X(=e)>
zOgRvNy#n{`4c2m^p+f?w)~%NarApSh@w4$7O<N7%wfhACf*McPq%U{4O@JXb#_GNz
zVL>+KBL?h5Hpb~?ZWc9yWO=HsGJA4%UJF?kGP429NZr&|o`H82L&uaoOZuD!F-8ET
zy1C-dlVveS&k|d3f2`Auw&UWx&D)+m_rDwB8J9cj-zsUC3z+2K$yR-?K%?P3s#S#J
zXCM*+gjsef+(>H}IBMqM`;w&ynqOkQidfX=#iddf^K87_=u@UgXAVUFGUGBT2wW^)
zAlQQsnO*Bqn0~x*zd#1at<q7r^;?APFh{97%oK#ZXbz1*`=AH)dFbNb<~8#`HQscf
z8o=-jJa+<5-&Q`ecBhjFd#gP?ib<jwuHQ;-t}B1%mu0fR^{q=$p-cH$MjF?AVOqIw
zPR8_<20?xc_O%cl#9&gg)6y<3!)6P_h<+J>+nu^r-}Q~Irm0-~rFAd{qxSghvP@T#
zNQz(ULulEWV$XlM$zP&!{Fe<;>Sq^1%uw;0iuj;*{FiRTM7vBEb1r^NlKHhLM6>h6
zLxp0hKSEx>d|)WxQ?@+mubGY=`D6ag;Q56S+&5@{|Mb^~4j%&)XZJBSf7wR+&xQjD
zvu`W>r`hx0Kh%ZzE_lfQ|5Y6yA{73^L_CT(T!#Lq#e!3NziV%r4A|iZU|Il2b`N|T
zb7(Ce!d(IL<7g-QHvZA>_R&Je4(|p+fdk}_iI3QH(p%0W$;@02uasx?^S9QIz6wxl
z|MyQwXYf>pCbGm(eWqDrcxn=9&eefH;c?q1?YS*ebYy>?e?SjfhUWoyG19>72iJ9@
z*&YLwzE@^s4=}_8$gx}oas>{3e;YtEyh=J!J4pk7bBHa-;kluK9_{$uExq;HR2HZ7
z=9L+bPwgIqgF78)n$C!E-CN=-j)Qe7wRSt_rgXZQ2;bDf@I-Mn4wLDuWn9uw$-p<$
z=kNznb{$S>R;+0~LDF*ZWAapnA}16|Vg>9*yuf0|euOLSyFPy8W`OXNxGQ(+Z>@_^
z;wo?`UIB|C3%}G)!v!VDAtujz@Vi}wwH4ArPP+9OmulapYFzGctIfXSJE^sqr6bK)
z4I5@@u%5AdVO}(TP2;S`%fv{tq_p#WCOE*)tM}d`!LF~9qw*H!*BkK)bnqr7pW{Wu
z#iEilYBP^hD4V4ZYTr_oFr3}7;Ou0|C(rF7UMp*`u4;(%es3@J*U>OH69J)VA{YrZ
zxQn5!HVJ$g*=czMF+(GXl)TTM;xeg?#pIlb@;+G6VyEZ-=vio3v1{;Gyx!)G&q(0N
zDIz`14jKL_cdTmq(5HZ5*CPQ$sX)25iwu<^I|-799wl8RytC=1oxwBFCTar!PE*pg
z^xYdtVc8&)FE#~fkOtdn)Ly69tI#Qr@)WyrjtMG!(p!i|;QNoqpDXA*D2~qvF$W+(
z`)U?2Mgh1sZe0!YybJMBn#wS^R1;5EH(c(dVAobelXgbKR`WgQ6Z@&NZa^$LDP2}F
zWQ5b38mV3*yJ~s2HN{xbOZ=({`YPe4)#B>32fW}SZqVE4bZoo3hLA}*CHcO0=74dl
zJ|ODNtv-jI1T!jTq}UW762vXyT{G40q-r;Irx-;nc0qW+zE`2mI2hJ@`NF+vr}*Zj
z`?CL7rw--N27E=|)MO;%n^TDAz76BHaRZV3@(cqUZbD_qN|LUJ3BC$#AcfJR8vUnu
z@K>)Geh5Rd$7x{V8o<SE(ki-{g*n0?bStGHM6mM;XnG00`9UD-q~M9!is6R|+-G7_
z*)AQ@WZysa=&?T#QV%fNE&;%!3|6gM%hxeApEi6-NFU6aRxmWx7JCG*gQHrdd&2dA
zP<6U)w+G8}HBP98@!r|ymYSu80H?~+*vlu={n8A>qug7`fI|Mi<O<5UhisA2w>JIE
z0bmpwF=6@}FzUubj58fS*PK6vdvW=sqqfc~hiK9)Ad_8u`qVl@gAJI`m-#tK6B#T~
zc3VmVFPi5V;AcU>Y9o>=z6QYT0Ns9wl=931#j}(tvj<m+tfD6R1S0h{0_#lx`~*(-
zGsAo#13z+tXz9c<xDKf>G7xF+sAqTtNeCy{$hBJGb%692)Z4sPCoV=g<jM1sXsE9u
z-$^8vRY<uNZxgK5pm-S&pMS(w0^*s;InPy7a(HI>{rjB`Jy2Q2*U29d8b$gg(pcAo
zHW#mIKfMz!9?*(dSDt<<iRGpSr-H<`Me){IM=of(O{J|HCv<YRb=F;1@BDgo)hU_p
z&LRm|vX}pU9z$I-Cx_p*OzG+g4aeab<;TlUR_oz!X%zT*RGAiJuNRobkNGK#w5OE~
zDEK0s1lj7Pb($Iu@%x9bWt20J`$E2=_NFJDt*@sgPKVzOjrg2ywkxJb^Mgbe$fVd;
z3@9ejtT^hjOfBrk+!!(X3W1{G3($@GAO}-<686-4hn_+#lU878Ju7cXlB24*$aK@|
z{V&OzU;t2;*m1v~Og~l>uk71e01kO{DMwJMJU7;Zp8=gnaklC@W@^h%4&=30O>D2$
zHp<v{USbC05IgmEDg1H}JMLsOeovDEpZ|iK0}il*9D;+WfPw-DC_#4U<~nc*9Yh>{
zI}r2nQMP;~;Jx1UovkPSvqT9~?vwtd=WmJ7%;ats_*c)ZNEZ?e3s;4g3td*HvUZRi
zUKx1HnSuW373{oMGs@;ckTu#~p~7e|Y2?F6^lTbeM-m=6-lGZqI=H^<9vE!*Q98-O
zyVhJXmPamDKEe8DfI$xdqb8X_`0xc%kMA%?R<WY1+UDfUX&n7I4<j&p+B9bow3LRM
zmp>*X&7|k{$b^~)Y@apXFsdvj$hONaG{Cb1DQV+-FO+*oK%~Pg@IxX^9vhw1!ybJu
zUY*q@nd}N|2}{&lVri2RDTTzLh)?|;L^s(k0xRo4{ABy|6MA1Ca3@|T3tQ@>yM{l}
z%vvQAySW@=*BN0qvT2^P_^H!Z==l?h@se$aZE3l)@slt6chZ7}ej-=jMUiBWm!w@h
zl!btmR$-1A_E>EP+CXHh$GzUX{>FS)F!|o73=guM4n-)OW!>#|-O&S3MjF$(r%>r!
z4;ujh;BCSx2gpP|JRPjRV@Q^zW!Zh-cPjZ+Xl!6Z>zCS`4xuh$d&FT}Y~KTca{y!E
zBBPAHq9G;~H!yMRp5S8dFQouxvL^UL`M}h}Q1j;+Q~5IrSE1k2%D2R`-}45}WDS)G
zo$U0fSlF{T>*+#>pq{fEaNX#2cT?|ro?;)H%%1j9Cfa)45VPe`I~0qMQ+Q<Anat_v
z9vh_<HC>=2WpWQL*}dj1OOLupd=PR4x>y$AU!)o6*dYDIpq9(<Wb3LnQvpw6x>3kj
zmwGsmE_j#-1Td$wLyb%59{PS0Lr$N>^p*#RRkQ4?Scv8cqqMH-S##1{O5D%mqkhc9
z0-WG`UoonXxW&wT4d+|l@zoPi)j7_RT^k$aGt<DD<Q~bYwcJ|ln@!E5WreW&v4xY(
zXm5L6fG&0#<)cbp2@R@vExm799%qbzd`we%Q&m-U_uX&0?K*;F45DQsCxvAwCT|x3
zNdimaAYKWQ2L>RdXWzGKDPix2c7d&7ej9mgqkJMpl5iPO)-riR6G=06^E&;Y4cnZj
zeX>CBjHu;1n8d{E##fE91oY?M=1rSnG@XIqj)`O$J!-*DOMrnI!&uLg&t1OKW!c)}
z-c`R8TkOne|C=To<YY7bU*eLJdpWoj+Tvqh#XbP4k~Oykyi?k+U~f(xwl%(q3$sYe
zhlvA4z;0X(d}l=$YMD;fNwzJiA@-Exg`QDVZADtn%vv~`p*oCsw|KnJC$GQvZbSuC
zI?Mh}eErCS<|P&;Lq@b}YH7+GT>8AHRHaPD_!m*9sPB5=nE<xqyxO7}$kz+(_DNT8
zzPHqOS)ibqad9CGTpYkgOUCEdRGX~k-&bhTk|pQiAQ8qxgkO!=9n};UE6B2R`-)F?
z`0bdzj!C32)S2s3t*iMY`+=us)xE&%v3dR&bBR|GAqP*hOkIZXXx8o2^NR<vOg`Xv
zR?%7-l2OQAdCh`AcUvK~%P%gSr1{V_D^Sn+mUPz;oHO~klx>Xj(TJr?5X3CX)7I43
z7UtZ%08m|G$V(5ymV|lF&2NNt4Ezz&lH=^<f@_?+6%NKiuod=BT-sR{)`^ALpUoc@
zER8<<sDV{_^V?@nfxCfu>{F<y{<+O$87&l@=LV-_1B&Eq2|%(1nSOp}%kls8hHAaA
zk2I@IU`h~(aj}PIK7ETw=!~l`lN#Lp{@pSY*Lb;jkwS60R{Kj=j-cugu2^kUH`>_n
z>D{b;C!?Zn?elQv{Hm(3#c$zOU~FJMLQejX)Du(Etlc-OueF>_Hgz%B_K^<=h(Pb-
z&phv~WCk5(r04M0)}|%uF7@}UI9}@yW7_ujHa)I#X#MOf9~c8Fb#9_UiA8~SmOZ%Q
zE^kgZx`m|V*jps>*s%-8RBqkS<*>U~%+`hQ7;1L#v6tll0KO;RP#b2_qN8G+VBt;Z
zg>)czDqiwbHp|G@q2=E9WaFMoZt3y`p#%ZsCgJ4`LpHKj8lJvVC+82o_b}MjEiUld
z25B;#__T~~RtypwZXqA;A<@%04LP+OoPCM+x<kN>>TsJ{=BgXbWYmwsnJJ*YG=%a`
ziX8yv_Mow-mj0?qYV%oIP#bQ<8}ZhNpZRX)OP>qSWtKV~(}{5M@1LS`)>q-|s8fCJ
z4zfkQ?x;AAY?HFDcU^KhFJ9b=ootDl6N_)`YQRTkqi2}ZSg~oWDh3T281dlF_&E}+
z+-Xz;*EK=7=|Jzu?P$^OPlyQrTNusyUHSXXo+@ye36nelrEIr*&2uL;{?K#g0(6AV
z&Q#E7_FjU@_1GSkdg@(|f@Yp$1#Q6N-A5zQ$rFsVT|Z$)3Nzc)Ptf!XU(<Ipvi`@s
zsUbLs(l9TJ<~<qAFg%dgp*iaE7<vXvqGIbFS~5PRgMW)A&GI+GG;IdX(t~^#N%Kiz
zenKD<Pq!@ukOXV{Ix=8%kR^TjTO`rsb`t&rd*Fkb4+lD2AraB-KS<lVH?7va-pv|l
zCB7r*$a?aAImwhsAiIHGok^hYx_^Yii-zv>N{w*_=C4-+?qTMlN%S`_m7F50e`WuE
zIjwoio(`4GszfxzjHU2pUGI;&5Y<k`#~(QD88Wn`{7kpD{5i_({sY-}cOy6TkqABH
z!!G1Qu^@4}Wr5}*{@eC7LK08+PRscE6&|1QOF|Hmu8RzM!@O;SYU%2j954gCP`C6*
z*Yp>9yF<A$FKUX=BgUQ+95)Y1yITaLIQHw9ronq=feoA-#g`;(8F+S@>&Q$<!0>u@
zYiqOBmFX`fil)<UzP;dY-Di@QFo@HkseoYG)+L6f^6PCCJk@6U2%#~y0O(R9mJLXW
zjgjhJlnw;6Nc_A4<HQ;m&Jtcy+ob);KX)76{c5eMkdI6iUx-8`XrbYgLGjG<@Um&2
zQbI*3U)<UV<dk3#Ijz=(E8#;5IVo@!4Zr0a-*g^%2xge(gQrBACRg7amcypRyxEgZ
zyXMiMs92!of+~Zi1L}Pr<6gC<QyVG};wF$lPQ{O4*pD4boLKu4xRTO6=o~2@EHG!x
zVL=(pXg(cf7Oc@{8<<X}sQ)U8pR$ErP7RYOxl+7bJOSEK1UbNKzVAsID-}2MgLsSA
zGwiV60XVa;49=T*yq5l|XVP`{!8r@TkXa-cjtnwCjnbXOjyCEyRW;SK1PRN`TbaL}
zdy{thAU=u+Oh2B*a_Pgm;db&a*?dOww-eP@ppbhN<#vF{FA%)jNt#8&)l;H$ViN&)
z8r?PI249y=Z&mbjRaclZj&%dsY@DXEFtTt`zPaRA?LaA;S^FFyDe-;+&&lvLMxAVB
zVOoB;+QyccKJc!qWZPTCAx27@hwqZW%k_HnbaL5Gql6;9r50^}q?e>J1ZX-b(4`Z&
zIqC!vq{dmA65>hu2tiWaXh?p}IgcVu^KmIt;{xM%&B67<gWTYw4B$1em615Uyhefw
z_bzeOc`eomGf=|^t^NX}kXKuEU!lNpf<xMWYUZIc=FSRM&y(?)MhRAqu>&OqXS5!R
zQyW%1>hakL;CBU4GZ;aN>ST$^z9GHI<(AXXYUFudO#rIdTz-L#<>5KcUK^9WuO?n6
zCLO)10VIWE&sv+j{G-Xi%r~go@~Tvc+=TY>873V+put;jcJOL|y&wfH`@O<2k7wt_
z>I}FaehU^Xq$!=%2vIs@^?vdhGfXC-qbALsjh02CBv#3x+CoQ;0ag3Hdu!nlLeEo6
zbe<lCs><sMCIPI2fYYxn(K*iR(O9EwE#N_@eW#P3X>0^YUvMy3F~V3niL^0IDwa9a
zys1k`Xm#G3fC{PgVDwaKlFQ~Q*k-ho0ng?q@=1B9CynGuG%P<m@V+B1zD#D1NXB<=
z<*dRZ2XqdPpF7yI+tgxtxVRW&-lGZ>YXi*K?1IF0ARm&y7n(O$+A8YMk(u9bnQMt2
zG}yD6RDQd)Qxe1@_RBWmqcA)lJ;kqbuQTieJkxQ`_~Dt0WbqOXU-H67#^jl1CC!F0
zIc?DwG~2%fp{1ssOl9t$SbUaO*)<~DdCH+Q_@_Z<frp<ZY>)%$B6o>^VI|`eH$5BY
zQ#m70(3B)>t_}}P1a`lbZS7rpTDQk+4a`WBEolvA%pFW$3wDe)t|DhvOVj0Ij&*)o
z5qM^dnMwPsMCwhAYVn)lp5t)=IYcLi)^z~6x}uR#F8xJ@DV&wy5<OeI8os$5{9&q@
zU!b41os>_Z%NL~P{25ntQO<OrLzxS}S>8Jy_%t-1aY2g|wkuns66z=vy$IAmu;W<H
zXbo;zf?stUa1N-VUG~}N8SN~sb56Oz>T?hqS_jEc;7Z{??=%$@=6(w2B_kS=N8Q#e
zE)YdO7$*yE9+?6v0*KodOp|t`zOe71NilK0+|?3L3WxcHBUYWwsVTwmOf1jGEnH&m
zz^ZEaoU8u@XbHPXui<-`B!wYby^0E#gH|qgaTZN=lcJ>r-K!2Ptd3s{=iq3XzvVHT
zZ-ngB0jZs6;JkcMQ+j4ec5Y2_@WOOMegJC6Wkx%n66f@z5<$q1Z5TZt_z+CH#SACn
z6(ripV4Jd0@to1EZXnhUjmYJ(py(_nf4)$B+mPvf&#0=ofw;glvY<mBCd&L2N_ba!
z%(Xa1=$4M6`8jDeah1y8LOmbTFhxT9NHS-UP&QB86GW@q^D{7?{FAJjBq0;_dK>83
z9;XWyiB4zBjb=KAR$WGh<iPrNwU2=LI?GISKKYx}O%JtUKC4XOD-oke#`r>@Ei$QH
zWbD4xtRW-QgiDmrnZh=G5+^wD`ns1D#Ocs;q~TaPlBO)*lrK-lB4|c@syxB){?TE>
z+DrT%(l0junJ1gs)(6Qzh~6LbcVc&%_ft?<nhXfS`3V|Jv53~BhN4#ak!c{Spn}Iy
zM}U{ofZL%&66P774;TOHLa7q(K4I;D>F{}Jj{z{)@t3m%IBwtgM?j<G6IMXQ82^wI
z|B@BUy=>2<IF&3lOPWP+EZ39`{66Y9F>M`pQ3DPCKCz~P1>z{)bY2mNXVhCCcE4u3
zHB=beWd{3A*IUS)h$b&t-C}6-@Nc`qYf5kMp=Yual-DsS-qng<zel5&$RbvIH$h=?
z$;*d)F6?I{y(COGbltwh0JY++PLgTBQ;^f?*c&igmsVm~GM_>4_m@fd1=T<iIbLWm
zGDNDWy_#Gsl}Pkii`{w~czVV5&fCaPz~PhUD1FiaV)(jj?J9J3%1GrWwida5uv(dm
zKODhpLYe6PQMr|QXEXWj$7l~?N2Y`h+kEtz<EJh9U(V<?0$G-!x^;gxj<+~8dGA%U
z>`Qwr&2;_y=dgZF3|1o^cF#)3la>?~kuKeKjqfJ5LI)EktU&W4gltB*s?%<+<-tCT
z?Z8R6-MtP93D%32@(7?u<<Xoe_$KP08~HvP@+3{*RWsR44u`)8;gYv0(Gw{4(wWN1
zrWN2dPlxKGyR|J3QX?$LOE)`K%#&+jjvRu!nM4FX7z?11zq+M__QL!6-}QMk#XK7Y
zi=QKf0r8K!nEawA?SS|vgB9lmfyE!xJR0PMjs^wJSdmu^-vZ`2aOv#hGk@^v(ALTC
zb{a%i7z}r)$qU@>=YSGI05>%g3O<K6qye^QN;WeJBrBRceP!a`2NXW*`!)g;f7yT|
z<##X3M_H}Uq1W{x>to2C57Pq-g+-7CiKAG@j0h<#2ZTO<yoE4c+o;FQ?0c6)KNmk2
z{}2|h4>6G#9oC#3VL{m^6ng>n%w-diz*EZOfjO<83w@Z@k11oeBWHae2dFvjc$n2a
zYZe`A<X(BJ4}gGk)Te_#s1b5z*<y2Y0GDu{TlKj>@R6MDcnUl(x{aP0D@agyUx5;;
zqAvq&sM-q2H@*f+NUH67Z9jp0qY)k<6DzUhg=IS_GVWr{JGE0?5+5Oa)1Un@*tVAz
z**{P%cp&XP%PcLH26%lx(>aS=_3CQ?>obk+I@w@Gk|Hv5OhZ8Io2wE#r;bojzCnm*
zDCF7956#^G=Zvt{zQ#p;L?V?wT3Q>JD~)CVCPs=z(4{-N4D6yF=f1VVdrn4YUxLNi
zB&=m1R^2#^V9haYob;&V>GDe+#<0fYW_wb0_Q%*$-t5P!0o?LQklK!TQ$l$c(bw)-
z)QY!xU2<=U_&EV`5Ps~0gx*{f`SKEG!!qyO9i18Yo-StTeAw#f1?cFG$}z#6_o9)_
zwm&ZGwkjQZyl{BZtU*d#7x!f&jlf<5e+WF3|E6td%+1i*K0o<5t$XHkq%+za-1Z~q
z>)uL-*5>P9lONDUvKQDb*W#&hjxiceFl2?ZB_|XJap{uG?@ECdlD3c15d6iUx%X($
z_1h)n@hRBnozL-v>M1pm6Ya0kGkP>U&C?ew_L4M_<DKWm&zXIaE+v?b9y#Oo<E+Fr
z@EYT$)D>;VfMxzakX0bY10d$n``UUxbbo*t4geoSnRh4mv!DN9DkbPp#RS5T*8`7p
zq`#4=|99cf2eF`E5&3=C<bPfFV-{3r^^0kizafhUKFh;UQi#JL)cViZ{atQQzB}ZI
z+n66qv`2wB6fL!(4k59{6B!qN{;pnS;LPgfCx^u_4gy*%C}(b{<Km2jF{E%_Au52b
zG}&vf@x6ku*B-ja@n2lM)drZ%Yb#H{SpN=u2g4s<GLT{F$%G2$lix-m{Mr5`4gwhS
z&o11lEt?`vNmCn&)ICP}NCtJ}ma_|VKa_!_+2$(x=MZ=2q6Zvf5@pjb<$rJ{a%!?@
zPLJPB%B-4rZbOG!E;Py<HMUJ?*ga9b`g}~dP_aNg0xohMf2~r!YqD2#J;2*aMi+l?
zTm5CP`@32XW`8+I?Z`t}MT4i_4#zO-$_H^S!AwvyDU2?~GMN|)JYQirhG^8nwJL4h
z#a@%|_58Kdj)C@l7G?=&B{GL~-&izuq@A8D8`4jyTuJxCa-R<|7k3FA5ndCm%k6WE
z;e1tIx4~B_uOU-d0>p*3OnsYdrNt(jr)9VNCdc0NY)F7eej{jiY}HP2DcU=0Fo}*`
zfJQW)i2g?{1fc;I1B$IMn=8a>8@Ee1c1g6}zo{^?rXl9<-AXzmu5Rp3Z51Rc9`7-g
z^Ig9arxKOMRemuvyXKW1(|t#u{xyGCjZkQIyh>}E%YM8oTcBK8y(oTCn3jF)d#8)0
ziN@u0`l&Q2z8ipJ48ieYKLP`sQsCA7N-M*F)hvHpUk|8=>}S2TJf5Ph_btJ$rDEqA
zhk^f;k=MTmzFyyhXx^)Qto+QbJeArKCqKjg#i3Tp{>Q0xxk7YoM?|apLpyf{+r;7r
z-G995z-<MLtvkrg%#R2Th?Jw+sgUV%|MO(&TDgggOwy2e=`W`H1y;Ce+lEV325NXB
zu4z@C)fLIWo=T)?!V0KLY#RFQ_#_Zu6l)S?deKca`LSb~ms~(r?BQ9|f=Wt<A(I2d
zr9EcX3KUZPWvkT2nG4D-9c(X7jkBXK=1wnvs>?&FCuAG9ou=8XA5I2ij&GHAX3H$a
z62zlN8@;aA@<Gw^8#mG{HO2Wnta{Z8P7Ap7YR51ltN(@bfd)~IC*JFWc#{$5=}{UO
zPVP)3?Bi?bGwGaw2jU<HHfo%-!voc`K=qn`3yAUYm=V5U*?QH>5Um=wv0<10<=O=D
zL3i>uoas?+JYV8g#~&e9zxzy;UEzx~OdZa?%T}DN1EfR3uw?;REUqA#RQ(s}7Nz$A
zb+H<r*TTma_(~b_ta!EOb&$14YX5YfhX#w>6%PkM68sg+V|Bk#Q9rQ2EvzcXy9F@d
zU$L>}ez4URPn30c-f87?eJN>Ydw@W636Ktpy*S4k)=J8^CVYbY9W_qYd&4cR*v=Ba
z9U%31M|}uUv&kpa-@j+YZ|DX&2psOe34pK+ko%t;E`KJ}+Wr=<XmQRYFP~>%3$SU^
zsB+vMP_q9OBOBERVq{97sVTo1@o76Ye4;B*05$TJBU~o$D%4|wdyuS*#nQzvvZmO&
z*)i=KTwbnMV91nZQ>3Vf>+e|Et|ExqS{G7zMnexGoUdj`knnCkl`?S^s*~NF9adzT
z?sjfK(40ZBy13!aGn3CgOL_RLbhnw;-v{7eMyDRJ!2&6Il>6QoTsku|j2NzV5<fcD
zidS#8;QKgk_0lsq2WX6$1Ns#O1avKX@dsx(xr>U8M`q?(msUsWBsWOVV5Vbono*Us
zc}_2uXq2nrR+Y49+i5zVRH?U4?rOFk)9NmFvO4RspzW_JM1bO^L+xz=^-^%ES@IFN
zv8z1+wcz=(ZHG)24EZOPBLE%%P!eNu)l2euU@pQ7s*R>L99d%CxEgx&KG_7u+fvpW
z&f3Oz^t7mA7P`Uu-H}M4AD63-rL$l9HA%Fmf8%%m)+`{si5KeOUzK>QVsCI~+&m-e
z0HgoI8A!#Jiy<4}hAKdAkgyMp1JK=HVB)_bllyhRfH>I^>;_2~r1(2%skdJ+_IE}o
z0B+bP+7TAy-*oj+QLlqA_Mv4B=&ECf(eoqd)$cGjV3O_?BWNJeIXeMs5R>}cxMByv
zpxmkA>D(moAK$+zSYeve_p-?=7B6pafy`GStG?CF-TP_~(3D<52nGet@`u^_&vUmH
zNSLZN?#)(B)iRB4MjV%A*|I(1wYgHgijW9+YOe4DS%nN(Ue7+l${hnz?H7HP8^R~2
za@EWUn(1DVn^v;c=3<lebHL!UTR|th7XJ)xJ{<fD`vMFm_<WAdxe<6GU2SW)p?wCq
zY45)M9u)q3_acdz?2fbCk5KlZ9@>q}`OLu`f8N8mCV=6j!buVBs|5HJY%w1{1b#&@
zY3-TNdW|S=tddksp{G0p2Q&A73z*Uia~v;fO_!EN8m!A&__TTrJb4S`#eaPMrf?q<
z@)t?gAgl4!&IjfYkT~O8G*7%p4D`>~s`43eZb{oqb*z1KVrKz6*r3O<2#+hDFNc5n
zN-CdA*>E=JYKVa^eW8Q%<My))4<?d?evEeRVMzuyP6zBDa<_7}S_exGo-#lX;#-t&
zaP!@$eGjK*e3dsolMg+ao6I+eax_To#haHsW{Yw=s}Qv*HhW!}0@wFEAb;y(fQwT|
z*(|)1!O?9aGqGxG(~g9VW=G_Bh2Peo4~A8tCYOCdZ&0s#ov6Pr(5}<qSjn=84D;NN
zXGN0)p#DZxikKyl%@;Sit$I68gU4>SV5(g%+Z^IyXC$Z%#cpxhO^z_F3VLa+^5%<B
z8ycL+b?V~)Aw!b)infu+_{pb_83Qhm#IJ-O6b;(G{5$PZLPPQk5Ne9B8+<RdYVmzI
zmjY)JLpIYhQCur9P{n&FV)t(|py-Z+^=G3P#r2lGzIok=4`UVY)&b$2r7Ld$UIye`
z;)6L_o8GiU#@q6ERG*v~`~8NSfc16&jX%g<2kI--3RfjV(Auv);E;}Uj5`d!-AiA7
z3jTI4g*Ap|65e}AL^XfCSaq#fM+hscW2$S&SZkUrhFyG_Cx`u*J)nE0V0zW1)=8|u
ziO}qR!4aq9#jj9pf39|b`sV&;kMK`3>j&<e7__$Ri~x>ol+pugcV9%RqryT)@UAJF
zfv1LKu~a-{@09@OU82(k!jh$E%EC-vo=Y{`5^e`Ixuzkt1rzLK4qwijZOcupzH((h
zr{pLR3CN&+wt}Qx>u9*o`}DRVMFjjjZG4KE!&28R7v`w|HYTx*P&>Wvz^gP-<cb#L
zZ6ch-@D_V!&7fm7oP=`Oz4lwHW%SA1aMtl1g(-L3>cFXV?~$+e1IZIXn-$tW#Z~%u
zx8oiTKypvZfi45+0>HQdYPtd5HNtyt4{ix6FvD_6z+jf8w>JZ-)FR<&I^+a*Q3H<B
z5RG?F@Y+po#((Q+7FCRcSFRg+UgbeXo5IQ@R{YLQUu0ay$R9Vg^7G)iCzF^2yd7@;
z#zI$nP+E!@IFdOViE_%att%O<&OlZ<_AY(;{`v|pE1)$k@$Toa<)|O>v-dE4-34#I
zW(OItvtGm2m)D`1+y!QHs2ZY=Yrg3*d?uoq%hrC#aYx{JVggt^r1g?!eVVBTn`G$!
zbSroiU2|kgniU}KWb67%^tg4S-GYO(oo8>3iR6g1_O~5QdL*HVv~whk3`haDDM)9C
z_}vyq$vCl0Rn5*E{~`1>0VWhWYDHs^aip)>iVNxx5q{QUmUjMLZjG)gV}1_d(YkV;
zaofh+Ho&QWXuPM2*-H55gg14Vsq?Uiqm$~aJOaSZ07V3`WQ!jV{PB^?I3_aK96V-A
zWNf*Zn09_dcAl^aK<xey5~$ZjlQ#}kD55-(wXVpfZ_7NMGYiCre1$+rAj7)Np9wki
z2oZ`z0L2qDXc&Sjb}U#K^3204PWn!=Q{aBhb_8ArW=matS~7yb`R_80=BqY-2e7t2
z1o+@nD}3QpUpY6^s2zI`!Vy9fG7gTCf!KeGX`6(X$>jRDR_bBq_9=#1+3@oqqp3)m
zHaZeBzJR}k&WpLh5(swA_NLM(7swaEZ@@(Ar9_8fBxw9;OLEwOLW4eXubt%H!|iGo
z?_i!+T<2d^FrB|EE+_Cj+u=@JpawQ<Tp2@QxLush+hd7Q4%pF9xOF5h2QEShm!$o%
z&#PKzxd<PSMsw`?=~c|Lmg2yf6~i@808JFE2dexoK&J^6Qz?c(C5A6z$_`_4K_l7u
ztdIFa$EQc-p~$e=HfKC&*Ba#TukHY93j-ltMFX4f-%6(+2nmQ8SQ{9G+^%oRsS5TS
z&ph%seAW6-e?u&yJC8Bj0groGl@Ki-)(I+HE?i`6>s$;a_T`UklCi_Ap?ehw4T(wk
z<_W*2nPo@(3%EF}cf|W<IHA4#pDoq4Dg-UR&zP{DjDCV}bbB7KNbn&U6?;PED#m``
zf+(c6)SE#IYqq~alk|msLjP=)J2@U*&L#fpr#aB2ZgA|V(x`JTXxbAj?$LB7r^|dz
z&pe(;+DMfkW~sHF2Z?W2=Hi)Z1_~{dcZoO0eYWdI^?PjY^~%umm*`nPGG3#zf5p7A
zr{Ehyb_b4^yW-#BJGiQ8$qITKAxdP>tLurk?=6}vPB1fnZZ_F9Zhzn3cHlN;PfmQI
zBUpUE99D1t9>|s47C*oS0iATEK)&Q0{pjAVjKUAjr3t$nOr!mk)9<o0(1YoVTa~=S
z0TQ(UdaWVnIq%N(;T<CV<6~$4u4!LFI>W8PdPzI(+I|}2ujU^>{c*tJId$!z#QH(Y
zGvGhBX|5dfy11}kyd8X0v>Iss6A*@&++E>IFM{3!0jXiHN%k!+pvL{N-Tkhx0LT(>
zX^<bzxN%et{yG481%7bps8l~NYTrx)O5h)k1ip<p_}l(^7S>6DlK13?z48wJiW$8A
zYvi%NKKQHq+|g|Nt=@j`=h%iX7=ZxV0|05KhfPIDemGw^Xq$`KlLy1M>QNPdaduE!
z9~i&i!1kamU?5535v4CeF-x?^{?yP1RP6rh52iSF)N}8`fwB3T1bzXk+CR7ANk8RA
zPd7Z$W2WGmN9XLRpypY-1Xv8m92xTReqjOjn<4}I1&&e))Y(~?^uV=)Jt<_hNkoIa
zI<`54iF#zuDvd}hPM~RK{rgPTaw%gdq64%sEo!qPhT)_w7oh<04!UDp*zYYqPKC1-
zXAdyOn2kdA`yuaB1t{nTklhut`wxQQ@rAMwl)h;Jf}4pxCk6fVKDQm=QvYn>hG(v(
zSxOO_-A7`4up*_7*S1J6uk)davu5JcgjYId7=bFIrqRsGF$cwb>~Pm`p-yVN=&Pjo
z<s_Nd0S$joD>Vh^#>(&#SyjB<Qh`{+TW_-t$jE4o)}5;gK+Ac`W5*QE9yF9k1YQMW
zDPovX8m$K2B1T)E3n8wgZ!}&RMwc|!MGd(*YN?{nX$FVhn&BB%<!d#6GvHRj9croN
zm@6;M7>KmIn`t`jN%6%(;6wbwZaPKdNw>l5&XQ}p;_#U7Z;QFNT$FqoU?tXRCMSIf
z!|{v&yIsc|9N+bmxWV4X6ErG=?<h5eDPor73rQQe!DEDa@<L7q0oRLP&Vbc+HBu|i
zSJtnoZVZ~Sg3wZeh9wWP)q2D$x29N(Hym2UKD~39G(PQfhVyG&V0Lz>lH_)gwzn9%
zPA*hDu1`$;>Ix4F2)zO78nzu*aQi-C3|gMIuV=gkrM`5`<kSIEAt-Qzbl2!1jV4VO
zpyJ1~Ze4~72Mq5K$2gQpU6y)&uC*!Wz%q?WMZx-Rn5H6)T)T;loD(DDAE~C!u<&KD
z>SSJczGhK)*32#X)1#U$ptu843MxME{yeGr+k<8jf6hA@QI;ZLc?NZ6SlZF#RJwzs
zV5R@$eF;lmKCkkvI^>Vr<lr^9J&En2w4k#^w914sBa_ZRlBt(O>01F+1JY@qR;RJ#
zoo7rnWScUlP?^RFh{}IsH$f`HZ6U_~2d7YH->KS1&5jmQ#)n_yzsMt&YX9UC#cNS+
zuIal6yD0O%)0<hFnOecj^)nyg;jy6jlkaxvI{|)LQuRo>R|$xFWT$~ULi+099{)t_
zcz`;Ee&~|Hg2CdqG2)<Q?K4e~uG<$MGc1*6>BJ*4tU$<0pO>n!*yPhFlQ4veQMn4(
zrq6ZrqM-V7_k5M0mOMp}i8#o__0?RIvCGN7?k&(U+XQUWJXWoN5#VO#oo;`Gc!nGv
zPb2;2u8F3aw7|>PS0cnJ$F_xri~&D~_6x4@sM{FbzP+=ZEj4Qmk`4+JV&h4ppq4yD
zhAiN-IgoXKxXc{+*eisLptF6aE?OMm^n}r$B9$jeTN;W5xWj%%<OvAztKB{w9G$6a
zHe&x45vz%bGlQJtHN#UFW(A++?4mN9lilv|MCuB}=j!nLFg1C;*uY<f0-c;;Sy+IT
z|H#bKsA@rIm8kDZ^beVV`>(>%oypu(lmlnUT5KOeZmMiNFp4PB5nyr7j$InV;6h%G
zS>5-Y#ZGgZBek*-{1#jvox<otz?_OoKJ>8m`k&X{bg9Y6MSd<y%ttWesbZShf#xj#
zb|%!WmiHU~q2pwZ-J4-~)j-D00({JoaKB|#8ZtauyzS)b;t7>im*Q|D6SL1H_{c$q
zg<7|;lsJ`ck$6^+T9AN)0`J9<jda(gg3#K2b#;mmE-~VuH7JB&=2&s#K=b^OW?b(+
z7!a;R-Ph;3C@@(#f*<*uv$_<Ilh)4Mp366l$NJ|QqzVw(2H%y>4OYG++!DZFO%L(n
zjTUqsIpM6V@L<0l!9GU;G8^EiNH@$$6i4H<TKbw?WxxbEKSr%tf#b?CKk$dIN8(=Y
z)U`MCWp&Y-v%Wq`m>+mDb)e1J24C<2Q(g!9*OAYlqGJqJyVF+WDlb772w=_>DF5+=
zSoXkO!P7@t0o5=G85Bm(Pcnd>%rji$7VM!v=C?h#+sqpq3GfQwMGq7spXqrF#UO#&
zvs5fUL@IXn4rKJcjy<|zhd<o21ytdY#yL=u|Dx>{oJSELOb9qFYbTB+v6Dp$acX*N
zMgh!zuFr_|OWs=gj1+u&WlOHKXKu)THiFu{a!N~6TV5*Lc6{a0_>(`HcLV6flF+{M
zc*kajJNBK=q~PS{IfK_*egV~`mQ%hGE56hL=i6nH+HLpDBN~XHtnt-uHM7#7761M=
zt&^^m%XgFFQbHUP{R`XMCP~`K_Z1JYTEHY&P$O*#(LHm`SHAj8V#hu18hhf-L*+T5
z65yH4m`>t^_H5TxDPxw_7Yh-MBlEKvDw>lr+m;~W*X0|SUxxzPrUMmtm&pPp4vi`V
zv;<ZZE<mT=KaUw(Ri=zFU|SUebuRNIzV2SQF1QRcqZ<lWcMZ_MB);!dPNY2&h6lYz
zeYsdH-8`q_$@muCNL${IcQ%mDFwcZ6e%zD<Z+2ZVKZA1ilmDaJ5rM{-oZ+QAz&}`l
zsk*9w<arxreY`4PI|WYMU06ye<#qRmBnA|6YOLhMd9&terB&xa9|EgQpw4<xeV6=}
zuT;ivvf7Rp7c@Gc)NzFb#5zBbQtS}D+<RWk_gbS27(S`Y>^%CxW-u)1_Mwsj*c4Fa
z1CM|D$S2v3Fts-2e%^65U=5&=Y1tMRiI>OPY4E4vEL8(Ld%U9{F_&|TBUR4FmUQuq
zQ`O6P7R?7tc=eu9Q2TPx->QVBGOhXD;A2S%u+5ma(_Z%*yMW^O>^T|J(McArv-6go
zA+<B<y{5yg$U7sw<s{A;W)mHl$>fzuQ7xV@$0*rC_4V14#TU%nE8Mlw-<#J@ACF)2
zJd>9Aym3%@p$MPTTdA@(7@|Upt5;^_LNl(qEoSPCF}Y3nW9>9|`+|G@U*f<0q2@7C
zJ}N^~NRpMGO3Gksc|`$?y`kH~>0#TJPC)i>q&~j5IBu}dORF%g&r`uYPVJI@{(7#u
zw|}T2nXWme<~{LFjC_e4)*y9i_?>ykcDxi>Xt_y$dw|)p1Cxvqayn+EnL{guxz}7&
z!v86<SpNB?bM{V2b`n0D^7fxYcEh4(!)zj-gpjw+Y31*jxoU}5@Q4I6dhlDl|M;eF
zd-2^^;cBeUY;~Qq=-({EJ3VTI=N2e&9_ndKYG=4~p^tsJur55I%Uf(t%yKDrY=%TB
z@YZg3Zt<Wc$4Pd%H%?7VtJFLDTX>7^mL}x<G|29`&#xbZ3a)ft65fhdhdgETn7Zg$
zDt?|5ea*$xvyU+Rc}CG8!f$rgG`}BP_(qsp>nu*vuJ*oC*;TnOK7zZSV`oP+Fg0R*
z^>&cwz&YF_g_V9x^?t0vrejR_HuL#P{JhffRchse*p>H|r_}E|inNUd#nHIPqeZzg
z=r<i$s_HVI{>wq+cBfZRB&|t7EnX^^FAYP;<YIC+XaBj_QD)-1WgxxO7*$`Q3H~Oy
zf<K3Hnh-O&^@5^tC9hE@Htrniw%P4Hs-#%ig>#VG(WnH%7oBlgUwRYT5-(9A&iD$u
zP?=8Tu<d4lc1DVQ_N2#~XlntN0vpRpL|Oj|ovl=u6JB^_<ovUY+-N?fc#7~=HuZd>
zS@AiPd-u7(NDkQe)Up&&?&Gj=^EdP5yFPmy19H(P{*osSWHbEK^*(&ieBHK(E@-oD
znYlv9n$pCwJ)YdHE@N`}5kgEcqyi#1%b*^AdC=9+0m!DM)9S<4j#muMwmO4!h4Ges
zVm<DX&H=)+PKyuL^h~s0*tR{sU*cBcXK8$1RYLJ+XmE}?-<?)hmXBUOX!moK^r*$K
zsI6m5AJs3(iXYruaWS`^qK(Eg=6F}ZSt%$F>(~azfXx0%kKRhh7aYi7{Ntl-0JNcp
z;LoW9f5nQt5Y<_|)xD-y!3uH+Dz;{YyejBs@H3qNQb}dE3=*v>##mZ!^b{c4HG&+(
z1@uT^Y=Z1If=x4oHR;%{hjUmZP8G_efjD2cBHQyac4V+@jp!$~J(M^v<>s<i@?6}i
zzm}I4Kc0t8=NnnhA9Zj5B6#VyDhbhE^QOW_=GB7MI6}$+&BSABMXed!5v~=uu`wmS
zN>q}ZmVX$D(hr!YnAf_#o%&&j9vo%RvJT)X#ZJeXUb37WHeX%IHGaC=8Y`B%-zNb6
zz~8C29mWMMQmxC75>+d)C^HTe?9-lo*xCsRMtGEXT_dWEXbv&y+)t76bjTY`ZgZ@e
z&#`!b*UV!;E&p?MXCeU+>RDK3m0zl+(KQ`cDbtvMD7%emD+>OS%`~ck$qA_2#Om#R
zH6N~YYdm%B=n)|eW^B?m@avuVL7}4~?Vb4c)YGjF<sOqA9GCh=Zf^ZH$D>kFT%YD9
z^Rm!TnxFTBof(SGkjt{R9-fKN_Jj|SUz&I4fQE#mEnTzzZrOJN<{Uz3l_ug<fvp?L
ztaN1)oYAr8sc>aPrUv)h#ZHu#LcuyR{gj4*A?r3tWPDE(a_Y6Cge`SWTq|ppElon^
z*h>S=4~b8LgT4c})VT*4RPRXnlD@#d&9q&ar;M2)%WC1@EjFIx1cE{8!T~RvL&oo1
z-Zvfh&4EkgGZ4_S@?byHwZKoI-d*U}o?LpAFfIga)2ShM8EXBMoeS#fKW4l^4HkbI
zq$!-B)2(0qb+|~hn`Qf+h4Ci?(v~`(z-QA$z;n0S-(cWg(w|f;)pq059JQfmh^H;E
z;x%8n^!&@kY}d~}Z8Wq7qMa)@NnwY)eH+vaa1L6b(Uug}My4M}fx7_pA$DF1cnQCI
zfB&TlghPHvC}Xl-m3oDJD(8h-2Jk_r4X6y6XOuu9lW9Lidu^4kb*=zj1+ND(m!S#(
zfIjZn85T3E)3;<wCbdVi2(DBQKUD_UHQ9DO+g-VXf#F9#x4^+;_L0?NZ~LE#8jDIZ
zmV75Lq2?Ip+svE;?CxiOlN?WMn>=ePSK3;1Cm|={D^MxWG`Ox>94@gHLxLrIzY2BZ
zFT#oWdcN%h`Y~xCyV!dvV;qM+j6_SW4$1xEbQxF79EBlafpffYZEuho$9vh2dXAp%
z8Di%gs8f-l&YJi1M7<hQcPt*_7CrVgJyll%7Mx?Qs`7#eF7BSA-<=rYB2`brsVzH)
zeS(mte(Juo1e>Qe^bJui0N}3u&l@ATU88ddq0xjdt9qw8N6OP|h0YA2tk<TUR<`~7
zRgar_Dg&iJ)AKwIWnCCqi*CAbDwQP{bgBRTK&bh!0_17pQU7|JG8x}SNPs5h9nfT}
zc6`_{<lQMPN*pep1zjcxtv!WrCIRVKH8gbk_VWewQQ{;?Jo>r8Yl>uixi!(Q`q7f(
zrfFw>Hsx_vmrNShBhPK>hJ0*xhr7tJ+BZ?}^sirA!S_>i6ebzvh3cE-Z2mJM`^JHr
zncar9EkiXos_cEUpB5(0q`x(Q3u?zZD0}XDLPf39q~0Pd4-Y>X<2Y4QvJQ3YT<}_P
zTG7OOkzpatdjCaS6fM)Z=-U`iLk^0tRvk7S1KtjjCB*ANg7;307hXJKa`Oa|V#*jz
zZP%;Nh-#>r!D(K|)4_H0w)+-N2~?m%EPEBLIr0<cCsQqm6|;4W^{_v_T%GxC)&71Z
zpWppkY#yr4bxRioAgTT=-Eqe~JNr*K>eQH26o)~vV$oGE<|jTWH+i0#cNP0MBj?09
zG6Q40HZsnf6e&=ND~k1JDX%8qyHHcXDLR=;Z73^jn0}5oVfe<lN^pe@ZQk47ajr;+
z?P4L}l3BjgJ9`hN3^fkf^A0`u)e1_(3F3nZl}w!Gj4k}7h>5g!M*OMqDR<k5wDf`p
z8z;xzO&3W(4o)r-#7e}o8#)F`-nY(8(rIyqNYi!vv`N3&_}10Imj7vQA|6ib0AsPQ
z_1$AtZXayOws~6QDN2DeHd}3-({$Z7yXnTS3<?Pt8_!u@o+O*0o9mit@z|jAXk}OY
zZ3~Nmi{){TOVfDHUwZz)_4}>wj=S+ACvOWv%k1WEMUVM>dL$&#TI{8prGAfmxtg11
zq?Nlfl6uj9I(uDKNGJFqEOg`){zX3XMT44$qXlBGKKcok)$=^3Vh)dsRE}Uzp`{uN
z=ZX|9NVv-eP%KvFdc<xyg5QLuX5mXm*H83MjJm)_PmTObNU!e8N%j}3rSuxmkxef<
z(^RVFT_)1*B+0}Wy<^!^;SyYoOQphL>-)NYhKO|l&D`8VMrPK*jJElr<abL(u%`?r
zl_F&{Cxn7M>5B6D!xO8+@k8fV!E42-0Un3+Q0EDkq{0c8q|%dvbQF7QchyYyCNHfV
z$V|WiDGwyi8T^z3QHx2ZJ^T_K@;%!y-^xCGkIHyRt2$WN0`_Y1#mtp2^<%~D?#4xK
z7cUjgk!77M9vg5inDE{ej*w}8GASBE@x(rm)R6Jo`Jgb7H;WzJY1)_5m@gXLy?dFx
zG<f9G1AU7C?1_O-t_72&vFhPp&eR7NtXt){WtUFansXKc+oI)hw~@RsLk@H`eD>bV
zBTQ}kCuxRXtxArag>%Tuuf|UUOdM@PzV-NBS)h9cg#(={bOzBMw1kraIcROu#wG+S
z5s(hfx-!+;{x)%@R*90FTJGsi{ih$%^%iU7;I!o&w3=R`+EQ5Ws9Q*_-!QII`?+}8
zXH85~JyOyKK1nP+(>*mefu+LLciS^V3WyQss-v4(T8pS+zBYMuhsrpGF9LUNHri{m
zB;;Gfk+T&@AX4uawn{rA=OakY2Xt^6I_DWfqCX-dF6LQQ(~wy{WPOhXNR|^P=PRaf
zEWOW|`@>m>t!30~CW<7AR9(z^Rb%2}sNlHMQ_;l68=0qKL?$~n`qn;QHHk}A78MsM
z)52547)~joIPRwDENfu;d@qpC2vXueH|x50fCj_1T9SEURVrM|jTPw+_&U;xJ{BYw
zmQjsI1*G;>hWWF*EG7)@Dc6mksM>3PmXuV=*0$Eh;^7&B?hQY~;9G!y)W!7u<QW<@
zDQ^cJX|tWWxz(%oojVhoM6dO*cOJ@smG8P&xuM=U!v7@1fqhD*OEB*|%Wpdp`&v7e
zjVdNf)e?Qm@G>;b?|m^@TpSd8CM`x^XI(&^@tR3o8Qeza{q8kGL1@0;)tXy`cgr=d
z7U7y0-P7m?KAGMLyvxp7C~=c$NI{WkVkTnJ#>b>kh|-7wHOB^|(qD%9%50{4?=a>r
zqcb$zJWCDeTS<PY(w^HG9%Fs3azSXQvd4}X*hcN1FQm?{%u_nwwNaIgB8G2kjHR|Q
zcN#i(9RoXG&YyB|<`JSX`^xZ{+q&Jt>H3(uwD&q|g~h#a`eLdWo^X4rJtMSgkRGPo
z_d4bjYA*x<X(dWO1AGaG2F73lNm`gIrsk<e#K+aU81auy_dWp@`6Z~$3zUb);4`s|
zlfyFLwBY<wFLF1NijU_3gU&|wjry2>lrN|t{@fP<J+W*}%zcTfbMcPBllG^>X6=HI
z>9g;zby6650^O3pYkQ|qx`UQCFo2&OuoeI(r|bHspSL;lL%SVaG$LQEld2bgPDYap
zae+)stnE57im9H>Q{wU|V<t%NtUm$Z+v~Nu7Xzwzp~W<sgwxmXq1DTU8Y4fiLM;SB
z5shY;D}ZYR@RGE=OP-}Td)P|%D+tXCEqc~OBrmB*(I#2s0MXA=8h(AgRJswElY6t8
zW%eC2DGY$}+iO<V&-oSA8jz}|(3ckKPWzrlp}}L8qjj<sxf@;*V9xMM&|xRi6CffG
z(~B2cGdI6g4G*a*A7A<ZXnPBws<!u!n{xn32`K}l1f-E}u2Lc;AYDgF>5{H<1p^RJ
z>AoT%QU?(5kVjHl=|;Liy5U{t2-o|I|L>i7XWp4RckXau@3q%nd&TqlexK*WK>u2I
zHD%-7C%9*O`#o-QM7I7=tie?fge>VH@MXkPsbWLtM6c*D%D(^kl^ARj8`65K($L3c
z%MX&{b4Z<&*R?%TB)H-u2AlmtU7vn`_@`{~3hN?uy%#bTJChu78Vmnj7ncTCMI`!1
zR=bQ5v;11@I}dGfBh$2FJ=7DeIJ4fB2Tu&i5DG8qWg&?P_HQF4DES7dCkE1NY-|!%
zaa6QpRkl~x@CS5oo%Q>z$8%TL1+`H|%tnTzC)ov00d25^R2b>s#`aBGdUpPz*5_sh
zKCb-C)<MO*z`I2=e6va09`7ml%GehTRQ(9;UdgtBT3d*DdAe}EovNLgav;1n^3%qj
zFj8C<!57ctGm>|5OUd8js<!)P&g8@6H>$ZU=PRsOWyq1q*fHT3bLQX~O^)4^;ke5P
zgB!l@;RNh@VG!S0yuVJB<$guI@Rncd?U`-7;K3t^kI_K2u*y-q&1j=MeI%DCl<CGL
zG(pryRHl<SY-Usa`j`QxvHdB^dxgX-T#<@sMuq3m<)$s9cDE5O7l|;w-errDJBvv7
zv1a9gM<0xx<Medp@agFINd7V-KbW_)3^LfNn=5{KpE7`I7Z_h$YiAPPm>0i(WR;F^
zbtQ9sT<su^EEn`C10F+d3hcu`XeNjcUXlk<IOqj{S6-HG{YVF5EfL1WWoyI2?M6h4
z^;ct>;rv>s?VGTV)bvJ)r!)&Ys}DLo)WR|iXm1b;6UOOPd?B4?xn7=RVjnnQne*4@
zS-)3aL6RoiPM=$5szK58dlwu1ioIzP;U&8~{h2?fq#()^+MZqX6bN~Om`<$J+aI2t
z1t14*2}=Z%Ug-TRZdul15){eYCoq|Kt9ZGjOrm&`K*q{p%wB`s`n6J&%d6~rN0gJ=
z?XYeJSZLQ^K#vA_xW%8tJk^3*iwXQ&3YG%23S|4{NZ{V%U+cXtq8u1!fa|Q*p?zIj
z_(wB0=o~4NU^W06vElTaBCmg)0meh%89_92CWHCo#+-74pJqthlWsa^jn~aiv^%rK
ziC?u7A(~t59Phk6YP;-c%(bg1TAdw8eqCDT`;$vk9%*aZlIvT~7_b0I#2`X&_Br(<
zxqPHw%D)8yh5*0;wuUMI;tgoy|H5uyk^{w?&w`ANwHu1&LW&&B{{Vk*KugajiSv-@
z*?334Nv!idgq|MsH_s!3{QA}N3tvE^zw;m@BL-UjGd6?`_8{Q&25=@9*Lk2BTzeYK
zy5K2(15wyM-rx5_$D;v^`xPbFlaWWMkp)cuY63Z$2Yv-j0NNrH)<2LbnqFdI5Eh6I
zGQ$2BfsE0ZbkC|uyq}u*nvA|?=U}VhUge%(H(l|!UzGC<rv@0Iww|o9B_wS%&6!o9
zRJ)rTXI*wD<#$aUv+Wx6FNEvQg9rH=oFW2bQF5QRBB55RzGkdAXe4{Sl9`6W{j4@8
zvT&C{;1tu7AQclhEY8jSMvdV&f1$=6-v5dkqd5Lg)Hq(NE|o={mCP}k{_tod>2#!d
z%VE){E}p%VDD|r<%AykYO@(cypEFW-CW|#HRsI)eBsmKa{2OPqGN^5=`!~>7DRE2q
zQen<Z&NnOp^4^`JnSvowB~=IWdPjL7KD4bRY%~E`ycp0}_vj2XR_o^Msa@$CDT41m
zUwoq4ZhoMjyz_R4|9SJMS?Axl5lj{&1F0iV=eOknZhU%%8$k}7*)V_`YfEcj;?}3B
zjuz1y<(t&QoD%^)_BhM4m9Wv;5+38>t;HPM#}frY{V>bM3|skmjW`DNlakV%x7^Ac
z1y-@2vu-^rKg!J@te(ZTS-(&_TwTE;>~T*`qh#@u1cc}yW8f*i-EADe9L3OZ7~rmA
zs8t%LYMBPgj#w{P0cCMie+n|%zrvrKE@)m!7GX@Zp$4mLFD=5wzT5Vycr|C;9%E)n
zQku7ye#mH?Cho0Ir0*NZVk_h>s*pTRd&NCL#|vw&;jxyyLhN*{oQ6;746mJy;lnBD
z?Az#<8Yq|GP<x`uC!-s=m3|Abd(NB>2ZS&4R&ZP~SN$*O(WC^R$IEE+II?ht9%nPE
z6`hJdU(sNxiOh~Hvl^=UCxXOG$q__)d8W7U^@#7W2(?1{9$ejW{>UPiapy0Ns}Ua8
ztTitUyn{#ECYrczzE0JCp{?vCp!U@gvb6Z)#n*VH9hy=>AjejPmd?aCAO&T2p$b%T
z|H9j2aa5Y%T2u&j!hy?>VH~dIbqdw@WM2rqjQX-wQ9Xt5UK3gJx|fe}mSdP<nlTOl
z=#_d_s`?N|!d1iI@t@0Xsj#p)kFOHM-9}3y{y?AP!2W15!=L_K3xGe6O2cO;d}<GM
zS8CSN4<NzeGO~P&J%g3d(QN1_c7@Y$5X}f(PvV^N;K`co^^va1%rFl78?UUb9v+$}
zxQ%qgnLDx9aM{TU#(wi{W|>cXx9NEC-{8LiRlOnc6&5=3^^A*9W?8Aw`<;HgFzHe^
zC2LcjJ+-^7Z;@A@t3qdwXa6UZ<VsAv^zCh91IP7ur)59>?7tBxOf_*+*3|Y1(0cry
z+n8VhN~l^dJta$v*Oc$477V{Qc3m;>foxteioJhH+Mv&3B`UPh(01~nF~_c%S+Y0t
zux*)%`o4jm4Xz!5#1%K!Bt1&LD;!;kFdrV)7s1o&C;ZXFts?<E!<Q2s<;7db9~!9t
zbISP&IkbgRN7eVFEi<LwUzVx3Fy(wZL;<p?Zzyub6{!~MiR7+HG#a71Osb_848+$%
z==;U$3CWI&Lx`GuW(=-|!86LQ4t3u9D(cU1OfGk;RHVou;uYg3&ubGK?(>G8S`z=9
z`@m+Ziht{4Vm-)MbVH8Vd8X*uF0!xH(QN5%_C`gki@m{al}U8@vX8IUVtK$W>kftf
zWG{`gn2rC>$Gnp(^NKwGGRMkzk_<pfZ+Q7F^i*f{tDk(u^)%bh3c`V_Gf<v$MLa00
z3sdY~SGJ#e0sdv*3OGA@cOVb+EtsXFbq-Fqb4e?+dMK(oOBaW@+7J~)ncILRy*br+
z%EELOncfktS~9fS#o)^-DC^9OHxwRmIvn7|Qv4RP%lKI^i-yeVgag+C^s%JthEGBI
zRLnYerj9vV1oy@<zlZ)C1<dy^hdK!Yi}*iQ4nD9HJR*!M+Of6qRI`<Y+{s-kKE?NS
zdi==#a??=irHy~blQeAmzT@#U)#hgl3><y+KEgPO)I;3E_JPV49o}OWsnjV#&D73*
zHl3e~kLP!9$Te+t%xw;y_D`?-V=a04ZNH^iW%Q#j+l&k}T9fP%Z9c+jBJbcGLurlQ
zI&V7_=+mD{kWD5k+_sd?$p(2ZlldBYk`_Nu!>~-u?YJ9fIU#jm7hms0Iwj_Y*HKl2
zQViRkKE!8MLIM2=gAT_m$?EuV?c%opne@`|_i9wgBqfLw&tlB<I@W;BMl1TMptdAK
z*(`)4zqLvx#>(wIemg?|#5+9nd}?O_N{m)%=NZ(!H5U2EZrT+ZvnK|%>eyT`hwc#X
z$PbH=xMV2#zkwr3FSDWh8FcR-=+A5zXPJX10{qKiB~7i8j=LrHi$auM3OT}l-U8d~
zF7HQK8BUmPZ@c3a@yeL~(8clU?Q)T}lgw4lh-|;DT^G$``PhSXH5AXW)9^ef>oWFT
z$-bXwu2{l`nr%?(i#<QcK+|@#)%RqFd`b>=zWo5(HhI)9I2k+8lKAK8icMX?!~Vqa
z1FP;P@jO%mrJ>4#<AHc*kzv%MYZ|O>7Gs(@m8b}xRh#kSZ|g<u{xPp)4;me=d8@{<
z*Wfxk;Iy@Ej-2E$cOTh_7>;^;Zs`_M;~Q&OrG7D}UW}|4(RtI@dS|-8Fp{QR(5d{U
zpLly@h<PFlDR;MDMIiS}8am$O9*3<Bzo0Lf$ABtjJ>1wO_gyKqjbYPI{mV4A>DEzL
z36%Bd{VSUKEb<i1lMc1=eFFpVM1Q|SR4bI4W`FK79r=PsG0z&;aFcUy^0lPmlPJ?1
zPnK(iCA~*|jXr5Yz14^Bx{WRswjcv6Tb68TIsQ6;QqPVk)@~tJ3adG^X|j$CrpMdZ
zANPz-`tNKem{trl8yGjGoAP)uwSPTHLoP5Im2891@O{@q6*N!PV9Bm|Z&~qPf9A*J
z?PAI11DrBEx^1yty2gb3l?K*;N0~m7Hbg~dXL$5x^9QJESZi5#XRN=Os7CF?H=iv3
z`-$fV7XRgR>8v~_6K2*^n-1ywTZ+@B$9GP-b*x1TbjsOHdx-Q_D(J<pplp&mE>Xys
zl$b=8=+Qmp+v#d<oj2uoBlqsfelapJ^d!!=sor_i+9MRNm^4pyqomBW8E(+6(2_3s
z5H^*5F_LN~ZR_$<)gIoX(g+a<QU7C_EVnBPyyJ>*(kH@WW(im&?peFZVje}ik|WF$
zB#Ag~ZOj%2)whTGEzGAZ55xcbdl&9|AC<|a*e#96#kD@CEKE$b1*@Jd3w(Ze&S9nb
z{=!`@!#f7z1b^_t>`C-Qwi39R<bo^?2Bx!BR7v!hdEW;->r}b!8P4-wd7#5#Dw`HB
z<V*4>_w{z^Qfj3XmDL9sd-~EIwj9|8w%$^Yx(#M8iP*CC5yiEt@;b*%&6je^%8Y5m
z9e6i)eG2|LkgHN8`9;XoO<7%X$M|?jC+!LULVR<9qwDGxc2mkf-T)b}Ta6Xn&uxOT
zD$fwplr1&XOsNf9ng&VpZuxzZOG=QY$JZ11^mTZ<%jC-^u?_A-l<!R#3&?i#qSIRD
z$HEzatjtC(IE@`y0QmcTImZww*v@s=UBaW4EwlIC69Kug5A!Yc`L3^+FKS3ufqZFW
zXvC-NhqbT4N`5^tT4|Q;Gw!-vlFqzg&*g;tXmJ(VAwh-5*ORth{g!mVvvBOV6}SJv
zAAKrZ`5y!j{yf8v@({D6yvKTPBS0iU@wCPDRlm{uTl3z;>!4}vjTs^E_Nke=W%>B3
zVH38<s~w}|L01`A{k&~g+j~>omeZ*aCBnueDaLHDDLU>s{(~eOUQ9>w%iKm%$-WxC
z>A0ZbFf?OhsjMZKTV3hVCGd~4QwjwroA<9&(c*)_Uq^pa#d(86#-dcP?dg~+l&e@t
z6IjyWX8I4RD0b<_lHEo_C^t=fe#a5*Q_cJiK~*$Xy#KbE9z$(~JyfVYvV*;ii}}GS
zuss|9J>LPz&{VSZsZjV%%ytyh7DjLZ&Szs(e2?sR?>w`$`=X?Au%3Y@U0tqv>`(S^
zMZ{oQD>-2G!Vh}Um-{L3`0^@V-_=>5R&e6)smx*C3x}7;swcxo-325l5w5$u;R~<q
zKt)Qk^ep$!6o?b*wRUMDJ$wn{&{!_Z`aD8Va@)(Ph9|cNe_&?hT07stP1q<McgYR&
zO9<bq!?y*7iQ>jW6c(9a`|ZeM>e*S8kpAkc-%;<eee%m41RwWYL!VmizX}U$ZiuLb
z$h<g7qd!b0INg3RBe@-^XYJARLMC8tn0l;beBv-~bp*BUI{`A@kzE&Wexjyrc+AAx
z(#np?uAE4J26Rp;xx2cbt9fC?dKJa-wkCbqDZ5-EM4G@^UeQod+zF*VtV+=uBsV1e
zi=@^fw+IjF?#&1l{xvM$!!0pm@}t2cOB#qk2Ibv0li`z7EeVL>%{%Jnag$A`aOY|@
zeE<E!_V;7$mDLO|7pbU9dQO<fEK!XTpoI)nziFYxhremzgJ<#A3F4%73!^=7+j=<y
z+F6i9)}J0f;i69b%nKXk9!stoJL>vs@XonID!Kbshxfo!Pj1aDTecz^1Tw}=q;XY&
z-W63YaTV7tKZCl$%Ihtj7_4ylZgj<G0_UrQ$|O*oYI6qkjs>Wdc8cKoSJq!lc=i}W
zC^pR@hNhSJBu*bdio0*5rtlthLo;7+ylgGi*`3S?U2I#)M=HA#{?z<<O<2C4H{(XV
zA7t2OmmpwkodU|LHKzBA7lt9U)s3=)oE1?+hLQ<j!#yFa5>7M2Q#KV}#zdQ6@HFmv
zzmQbuJNy^i#ikzb=hmil_<w@-;^c~j<=N`2O2~X!d9HnAym%NRqVAwgw&Eo$0ZIHv
z&%TH1l=U@>={K%XBVuQXPOITFZo8T-Q^BqsmiHj9X>B)r67$_OObDa;C+GPs$$PP@
zGr3^MwTJU%Nb+=RnPRhRd6h<+x0}3}`Zf8b+jhJ;*9$Fq=J>}!`aNoo;&B4KAxBYC
zy!&jM#fIeJo}~l!5_oOGZWF^k2&A>Aq_>DSdJ4D*)loCQmJqGfH)}aJ>&8(PBb#FB
zO;}`PrwDnEFNKK;z-bY@WC)naffz(<vJieTm1zC`<I;!-92H`rTRjh-k!^q0znn(F
zw?0OESV)dA1(o-{!jfHbpM>Bgv#}TH1^wt;-i%yE##qF<Y49Y<X6tyo5swvk<;*d)
z>^+9VwdE(cbwk^ZZAYM@KAt<dvPbo$t6O=oQg`>@bKe)P;+}gz98&f<@z?|<$E~js
z#diHY3-7u`(M=IXRR?#DC@%Ig_r5!ED@glYL}TVVc-3x=GaBLADCqeBgxkyf_Rz}m
z?KZ*l!F)~R(O<6P&J>e|UCJ`rQvI=EaE;#(R~J7{E!^!F=j?Y1<D1yk>Q~5$Fs9^_
zC`oPgv@R=9&$WF_=k`@q^%z8+-HmnQg>jzyt9CILU(N7HZXmqk?3ovyNDwKm1f7*p
z^Y|;&*i8%JY_V{9ZQNv=&vcIkT52bRUw2JeD{}2Ewg9qkT&OuDH*~}Mh7R|%NEUN|
zV@A=~C+oLsKD6c8H|9yKViq@%CMJ_Y%2bHF&@@Ufrm}8xG_y<seKDyLGmEw8K5})E
zqw0f8lWN`<6DC`8B)wDseOaBvBJQ%i^6_FqFWCPMJTRclQbj%B|JFL>H$)V7-DdVo
z!hptcOt2-eBeVV3#c0NNlSY-&o*?|?MQBXotlAUnv7k~5??<CNZQ@b5ZL>Mi3m*e>
zHw8-y5(%#$WxaZGeJfcZoA1hx8q<f6bL{D4CUJL>?GDvH4RN@Tchm~Rn^^n}^0Tf|
zu*JvB6?1cX>xX`GBs#7{_4gaC`v%|PlZd6+%w8M)#undM^Y(>+mg`n5kgQu%Od1J2
zba<2)I-6+NKM}QU%~|_>bdv878^Y<O8T(N()&f?n{A_&ce^IpzG~pg*)ld1$qq^iu
z;f{T=>kPY!jcJhiN~;<Z?0o%@W`KQnKc|s$F=sSVy_2wGx|1|?$jt7QQSh>6W5cXr
zR!hRSuPjoV^od-Ll~6|3wBu^2AxwV`EtaUyYBEY%8eewNKD635PqyUnv&%5tOlf&Y
zsEwLDR{K6#x?c-+^?3N?y1O)t_mZV1>ihOslPjmk70urW=g}qSRdnaqA~Q_0-3!de
z6^(r7c2CLIui1^C&ee9R8<9Tpc@$P&(J;EK7!p!7xbnwh=wrN)=NU<rLR54G{${)0
zlqC!PV8mDYD7KWpw_3ST#<s_LU248TecS2Pti*+L`vosy+;<2?pn{bbV2AUs)Q0g7
zMSB1j%ukst`1tAVVE922hkn`v9x)wC#G)yGsP5zBUiQ^Lqg-_t>Spy~S}5ofq9ZJs
zVP@G{*Rl`<aUG;}VD?qUwR2=U6)YGx`>^foH)63`wkT$!dnN`3EA-V@-nuA@(cnkm
zW~_kO<xT~ts`7y}`Z;;7kk<^b-kOA973Wgh%|Dk`m8016Tl4kpb8`Tgdp<?^5zb;7
zwE!|egZQfZiRD;7JNVCYm8!cg>XT872X5~Ahx{4^lwI>?S02YUE=ln>6`?2=^WEz2
zpX_yvx{(&yy1H{lCJq#wOri}$&#i24DQMuTL|=>B(fR<S=R@1zeEb}~oqj+~gbo9P
zvl3`Epn2jg5F!d;)$l%$VeYBA7J2e*l+k+u<DhnsN+<Dc$al_uq2)B!QjIJ?*!oq%
z+e;@mKLVzc^2MJJ%(#tRWZ)PLxyF|fCk?%D9=MK?P-GE-##EWx?95R$c&ekOSz#L|
zx7)y4suSMF3|X3Vb?E*eYIZHPwe}MQ->{IYxd0OPYu{~D+U;;HG$gE}%KRI2y=wnI
zKvxMlYjl-)&eO*>mZ3B_DwS-oca$%9@5h~j)CRrL3HW*+bT4lfJmAWWD=67Wfg|;z
z3k506i)Z&{>hK3daY4I(+kH$KU|P)N88MBlutI|h?^_sb=G8Q5zii(Mp>VsSwR2sY
zu)gW_Xr92=83&Sq6_a8PBR8VS$}KV2C?y$U9O!5{IUmC#T&vE_MiO#pQnoDGE(Tl8
z=HJS{5M>m=zg`Hp7rL-gxf<#ew<uOlIq}WVaxZ(3N(|`(E!Dnl)aN!Nk1EYA$&0J9
z{m6js4FAOc3Z>>Z#Zq5J^H+~Bz*_49<CKr?Ml-E#|ACNR6~vFbdF|Sgo3bHAVair?
z=d#N--}GN0!u0dn2>@PdC4KAT-?A_ERv9qB&8>DnWTz$4Gp!>(VS#8}!jcX?55>64
z@#T5}>{a0E9HWEAUgLH`Rw1VXY3*0L4H^<?3<&>&dXbuuObFO_N9B?Ur}`vGW!c@?
z^2^t`n{4jtfx~roY&wWDnzqSG>%h~V#H^zrYvVxz`v?_6)N~K*wl$v42%sL3*)X2%
zcie;c4NFj5>fQG{m>gS{TFM=tYnN`h8QWc>t?PXc&o+4JPj&pfG44*OU+!>St<lwc
zxubd>IJtdlZ8Q<>4^}Nh;cfy~Go83#meoH=2`^(E#nt@zYuume;Iuh5wH6f`Xa|}V
zk-iD`fl}Mw#QD=m^YZ&0_ebIoWkPe;O=(32cc!H#F_~QN2&D>w=nk9oB4{5mf4}8=
zoUd-{!{V*=X-9^p@6$u0e~3KefR$1q?5n|64Rvaay8jE89BM(SIY>lz?^QqX$RlI1
zZKSi?*PT?WX=;}rEMZFW;d{5YuyTx)s^kpl|ER1(as2AK`olP0@M-=$r9g`bA=nJi
z9S<C0K%mgL$KL~I`SGP(YxK{7dkp{~bgZXZ5^wo4{zo$<V0Op2zJ7%|56vJI9{9Ky
z&@QXLy<^aw5;0iov1_|t&#zbw<WM|!_O4}202Tm<d|0e}=b#52RKr;Y$+dohK+nTp
zq53mewG1@o*Z#gPxDFid=SDI>2dVqjVhljT!XKayfn)yg+^h$FLcvG;57QhRe$0OM
zM`va{GK9=q?B{=i2p@<eVFFp;Co~YB3K+Ttzb}+Z&S&<oZHgeceCuD^9x)B?y&MPg
z`_(PfF=*}u-DxLB&|+hH4ro5I>20%2LBeiyP#qCLH~<QX{!1TX9{7(h{+cAfdIuW7
z04tb-GoIfV!@|&pMD&%>T?}3v=9j?C`n)ju^XS4FYtJ0(jryj7D*xF@<}SaYUxvQ(
z+k>SlW%XDtGV)~4D3|85^}$}dk+kbN`GU0m7^Yi+`w-n8M1blU<2u7{dm_xR2>(yO
zZHze@<in{_s1TiY(np`*eqsyKELd1aFbvK60p5WSlyyX2k27CiB`TCax6Am>V(cde
z@>O?(qY7O%-malh(yGKwM-xq#=;EP|1J<AOMA+18)f(A(VKn1hGcLU*n<b7DSt(kf
z-D=SeU3~ry9RaHr-XhzhL5)TZ8Ix*?EA_(f$~>RF^|t}8I-&`-8&UMvFxECq6F}@+
z!jP<rLG}7(3=Ws0uweHk;p>g+tmNZWs;s5NskT0vLo=hng>POO%NqsX+UM-@SryLE
zSk7MQRcxAc)E=4A%a=m#N%#?r2Ia(DmR3$ZbV#m#wq6&}@=4?tNsM$~R&}=%Qm~tQ
zEv>Ragv*fZPwtmkcDH@G(PIju_5dp6bjKDPk1IGTUi1b}d8i<ptCQFUk%Tm2<2P_p
ze3^5i`cumWObAYgZJA*rbH?-3`ECnCnYyONvP1!S$P1hTJjR@NB5HB;Hw#Ki3h`gm
z==@?`-xaiMaoQ?kh^tn`OAdwz^}g{w`(=WvqK5c5ni60Jlo*Ux4wc5~rF;datq~sm
z7)Pa1{U~6(@?P){(UXLcvHh>nszOAu3Md;AJ!I*E&_%lO=!Zw$LPpnmTU)i48>2X0
zzVo}x{k(sK#RkR<<58<y2vh^7dZiF2%rMb-ejUsNfNE%<jEXLU610TQ$)(&cyGu%U
z$+L1uGAYY0r4(T$=SweeeE$9?yefGJrC-_6YPgq8b?`<$F-n)4X6#~qdT19_f4NC<
zA`%u51`j4%)?DbV?p8pJosDyJU>9xFOoKPjgK8QVAj<3SKUfW#s3juyMSCx$X)@lY
zVm26aOIK2Yy@2ZE+k3aS%P#8B>2S}qi!#Q7az}ymPmLJW`exzCw|CroteIg^@9@x9
zox;T30JHcHTip%$?wdG?W-ZabO?53YWx&NagC7@_0ZRC0ax>F!)LO8?s!P+twWY(w
zje(`E&jf|>wElKic|nRTH^*6Fu~Dz0x95Ov=>c85R&A|qa%9;Z?}1WvXI_|Ufmndb
zXC0JUHsxe9GJ~8idPk;Fuo!WCt3!PEs`smm`2t2k_Yvy^utH&G5;u8KOwYW8`{fc&
za`!ziXns((H+xC$k=VXU0XAf_Fi$z(XCi>6yU2p8o}5=Z`_gk>na3Nm^|N4T(KLnh
z3+Gc3U4Bkb0^Ihbr`w|(RIRh7=9b}c+*Yj?BoZZs24^1Go#?Y!2W&)dL5SGQaia;$
zCNmo6Jr8tLvO@lgsm@-~i*sIWxj}C8R#BDv(smSZRR9T%o@BL{8W&+4G1Y=9LW(A`
zPL4lYX-V|Qu>1FXtyn|M%*FsS^+Hc~n286}O?XYA)mj|ttFwNobj#}uTM_8|8@94F
zORvv^DXo+k7Gx<)X6gfMC6VoI<;o0OII>!K#9~1!bCOHUT@u>eH$yvToTYos5hx(g
z@BY_5R}3cej<{-(weUu<I03n=5z=nL?|-@Jj^%hJ?GINp*#w_>YnQ#J|Ad*`!NP-H
zIF<{Nu-#EHy4%sd>IL)%w~2msZKz9W6JEqxr6zpv;5H5hNck|pnAlu`d6S2Bw?g1w
z%8263_KAP$Q_h|3jW@(#FRJP(a|(nrewpQ{`4}6X1=M0muVa4$#OiFH@;`{xCCmbL
z(u+S(fcpimi@O{~C5U?DiCI*@nG`cSVnKYOuy-CnKbW1ZQ!TdGXsN<L7BdWN)Xx?c
z%vXMV1>(bs^E}{uaonSZX!ZH4UhK3EWBcQ!o8J!opQI!!xfiGO4z+e@E8M(~uaDU7
zI+g4+<CdFj)2MDFzvJ!5jr9Mi2!R|Tq3#-cG~iAcMM!`mYGi+eH_fpz<*ib7?8)1d
zPG{Wg&bi%C&dh2L*_uaC@e~i~)XtL{)`(qfz0Rea*h(i-pzcggrJeSkd*=^(YYA<V
zHSI5c^y~74Vz57(A}#IDw<JFRdNP$#gcQ$hDo?P}MKf`2jYoW%t_HTY;iU2tYp8p>
z`mzrWR{*^_QJmz-m^6QL6Vxg&fX;t#CISlGp<ss5o`8xzm}M5#d5JGkcd<JZ8q=_}
z(RL@`;59tEawPTtvfS~;Sq$2EN`5+pwr$L#uNGLwfR?q$fmZ-OMZ!lnELY>7oy_6n
z=AQ<<gvZzUd4e5|zyOV`?q=b!uf^N7E4#^#2RrMqYrn(9peo&fw$XKh0qv0?`Q(9q
z^{r8^x;v)9GglzP&(&Hz{+9tSy6OMLfH%x4W|LPg?RgZto?q7V19#bF?`I1=F3$3!
z^U(=fUc(CG@6n12Gxg39)6vnh-xIQv+C1#EJJ8FDM#h<ivLCCO&gr|8$5ejP{l&VH
z<S2JX(5Pt2QtOE8%8RYAQQ@rw9xZ>O$r1dx_&MaUu43l?phIc-np1R^Z4#_9bQCWk
zbMIUWz)ez|YULX2n9CIQXsNGK$m^Xlc2;OtR<~rfsQXan+>4ln>QSH}3=NM}vq78N
zYGK_c;k7;8eEWy^)$YSWoRNYP>oW`Ko|YWx&U<^wsUwu-UuAbA7z3`^=7x23oJc$c
zc@)p$alm?_gql1Mqk2Gg4!^$Vx&*rRrEb_#6<9F;|LDnMd4=)h6&a{1wzu4{eIVd?
zlG`a^JR;+tNZ%UuVwJuQDP3c~vy+S-5x=pgtJ3FXO5JZ|KbNLE=LjdRu5<<%Og5=4
zR-$%ne>T@76q8aOlke-+*aU<|i+1Ehqy2bLox{}^YA$64S;h7B5x|i5X}U}t=h1RT
zWbF4Ei$$ib4_c(ix{?LHD}ljN<=v~)q*n9>iPP5{=iVNEVog?Rp|~KdHpHi|!E-O7
za4a;y$?DLP0^t<q?raeI5U@u|$hFnS)+w-}l=j>N5FreN8&4)BH`9<t$OQlJb=O7>
zHNm=L=QV}AS0=+e0w{m)XTc;?2v^k)&-5eF)0^y!wY$ubJ2+?SFY);0lhwYIlW4WX
zB9`=wrJ*Y2ks%jU`MZ8Qa>h)i?j}}sOB)x|Rj(_@oW52YC|62i<63w3YwF3H%c^!#
zBY-NI+rF7@o>tQiNu6;m%e;hT(7hy<*vB9HSzn;g1ZCvl9b8PSSZ06aU>%H}e&y1P
zcK=4J_8W!}SFf9~vx1T*-!jG%Z|0ZPHQjeXJqb@WRy}#Y-gDdOw~-KT$^~=Ozu9LF
ziOg_$9y+`|IqsabQdA(BLUSM;$E>EB3IM_tgXtCT24W*G?nnmUfvS%z-To=2``mN$
z+H6$Yz1OAPLUbL8sVWud;J6!SY-T)ev%{Rje*Gu$D2L}?uTdGt54eT1a6G@6GR8xv
z2+|2xzR!?`AKi>Re$~Es1NaFNtyl6ZnjBlB9A8Ad17?b`>W-OXQ>`FShzU&TXu9qz
zhw5{Aum(7s>*(ksP1^d;g@k5e$2l^%dmLk70NxB2h4C~FmSU;$!T-U+!v4RrFrz1r
z#a95QLsvr!Fi0tnDm~b<-*<OtieMxdDCuB`@ZOh~pFdAAGFqoUTy=lqs-cr+l)vw6
zYm;tS_PC?To$)JjV)n0moZcZ;1U{6lrhjxqMyPz1a*d}yYL*X4UM7u=TX`N`-1xZv
zH2BR#=(pk68^eYHN3`{iPPY6sQ5)rlDR9*+R;Ea0xm@F;oRkx7q90Xa#hDLsnxK6o
z#zcy8I|3jRwbtIlNc_>{2Q#I4!L5A{#cFNXp?zpmDsPy?GgFnQl57dIZ;z?FH$GMN
zeoJqBCVMH={rbJG-S;3H&e-?a@a9P#A&mlC9ab^wiLaebF8$pn>$;2;bTZFxz|uMx
zWK4F~DZptGbBII9L}H&g_YfW1*PaV!e)>SNok3dihm1*N;!ji4`v-^E&K?&uY(E2o
z6>&zn@!=mF;`yNZ;H#8J-n0B3j~puIIAqp|qy4)Wy8E{^7G1lxNjo#^UGmhm?epX|
zY1`_uwi5iRH=8!F@otS%@M)Fpwik+f8MZrqkd$6q#II(Ct$fpZgjF`$MuM9w<I?iW
z-d6}ySOGcckGaPZ{e&aPM9X7DziBFrd}OeKB;xJ5=4A>(-Nkk-htKVOELS4oGt8e!
z5(b$eIbBpACn6$hT9#M#Zry-Hx?Rv$3eY0=KG%oRQzN+8nxL~0jb5KEL^cn~aNFvA
zJQ2R6{=Fme9!oiUzzY7;Xxyud^prSPeNp+OT$&yBaeuS8#nP#0<3YD!cNu=1_whqN
zJ=F7`-;^?4KMpO@=vTJ<H-gvcSNmoa$8Km=6mJF?4A6)SJkP+|c9M<ifH#&K8LN3T
zsP)%PM2>L&<>A8R8tz0Ba6-LkPI~*qVyCc(Q$T1E;Td!(HQB$}4GnHv%gfLuD>q$K
z{gG!z#mQ|n86(Z&t9WrpZyyEyE=fjH$VyaOMi`frnU#`bpSiaY>7`@Z$4kyfXa1sP
z?b=qSzqWQ@KY~Rg;oy^-ZKEj%Z0)%4=pMw-7S1eK*~s+L-Jv_9MZbQA^2dFj<F2UA
z54O7tZ{UNjHSPhrD5Ja$k45({EXqA;-wXBbPgbMtr5-!po65|#&l<&cpQts7E<Gfg
z{GWEg*2t0i+#A6SS2*dW;-{tp)KCYsd|IbBf5(}3ptA|dj?OEGo4CuX7xUM=-#XOZ
zZ^tIEVXe_er3m8JyxEwlz&=I5?Ipw;5)@<FJ7o2trsYE8rxEalcZ8Eg(fC`F8S1JF
z8(OYyj#9Xu?7bHg)0Sd2FM$@@mmCJkZ0-_3BCSb{e<8yD50*Fn%~JR!ePqU6a#JU$
z4p<833^;!lan?R;UG5(R2A9v##FeYz7a+E3=1U3Dhr*VcTE0zqH5Oju%hyj`p{1jb
zIU@B=!1J7kim&7A@qx_RaCT6B_jzZ77CGJePbO#H(h|RKcCHc$4?jOs5{&7SemzYJ
zyviNbYX-r$QP1B*d-@hj1R_>+i;Pd^uQ;UA5ex_iS^>q8N~OsD#{AF=>rFqEmE*5=
zfMH}FLNgb+Z$O5n<hJ{9xYnqRTJ*sZ=o+v2nzJdv*QL26M3?7I4V7Z-+(}S2JCWY1
z&*g)>D2JN-3}Qc#e<6^ZQf<PtuxJx*SN013-(JL;3A7h+xxqnRbaK$FY=xF@xaXPU
z+Lzf(jZpVr^AJcOj-UT7{xQ_lHa<PPuE20{WN$B(67eIrtZO0TNCTt11jmw>a4AZ@
zWa?t@u+M4<ZB-V?S&yp6)v~&qcnIT?hdM1Qp9~0y=6MM@^hZfpm`^;P3f&S9&hEp{
zrcpXIrFm}PM*Jn6eO^L9WjAYB!h!y7`EC_Fj6%Pw9jUp&<ZB~$iLWYu;dY!$@u=L9
zZ=k{6X=9o0`-3_04;okOgqU_IWIcE!XDHbX-+R|9{&2Ny5zy;bmGzrKkn^eimE5}H
z7X7ZQdEe2j*Ty49F(Bqa@jERw1-1Yik^2c-iuannnV*=KQ1D4)@S0LXLdzbU)~COy
z%tR#I9e0`+ADKH@_lt)&Fb8%of=toZpQNOJHFFM&Zk7M~go9<!l8Seb_FhSOXb&>Q
z<dxQyNBx_uuy<?k-?3$zNff3IvUJ!jOlLUUNy_O?R!vCh5T2Gu>UM4b%QzB1Be2+B
z$kXP^pP^$$Q`5(;jKwW$#3U@rEqTc$WL7>7!&140);GZ??MRDehY93;W8WEIwqCs=
zIf~4odK=&3CH=@-^*@Sc53jDvu*1H1)h%}?8&~j0{k<VYNMQVpaYVzxZ|_p+d^O7r
zm?+p>TGqtw++n%0H9_*Z(z39WACCt2*?fy_dZ>{>@7zGhfVgPVL*%21hUOu>w`l<q
zkR`UXGIBS=Kr_|Y1<B4uhGRLSE48_X&qCZ*H@oh9`yh?2m2XmZ+xC@m#x>{m%lx~;
zt8<APve_$7cY6z3qv+mSyD*iRdX#w|J+dB>G9N9AWiR+vvt+|k4~qHSxi0KCbP91X
zj*j4-q{{Hv-K$nZ#pGRh=xJ_kvtjH4W9>hvVAX%4UAg#1ujIAqH?rv3KeB)9pIIc|
z{`Kz`NrO8M*8c`%wR{$T3OihMjy8FKoC>=B-jhw^S}WS#_L*)>gBRv#xTxE2Cvnwl
zs2XonJEiQf=`<ZK6u`9XNk;qkZh84WDoV-gKB#})*Qq7y-`c<zva~q#EHI_^>0s&)
zO5K&l#vj37Nz9VEWxZ-|qmIP=O1fgM5YxnSiGc#=&T3jCbD6mpllPc2!ym=jrH2j)
zlFFr5xx9y8q-Yk&YHfcOY#sa5W5%5By-VTEL%ug0FvcW`HEog35~N5OGL@dIS<x>o
z5S}fHOY>B2NG6cX*{0)0=!N+@GoG=(QkCO!tgG{@;0=m-n0{`~EcnBn)d6oIdOtJs
z$d4FGT`e4dSNKYCJ&!E;YXJ3A-+b%IcP&i}u!^Q#H)xCzW0r36)Fm0Q+aGT^zqK_O
z7=HWxhV9I{{kv4|JEpEBFIe)A{8nNuX#0D19p)q3=1iOG;<LpLlzCyXVl?Be!^<u-
zUZu##Cr_5dlZvG6<weU4X{`bnVB(GjBWiTjH+<raIgYN+Q8cB*@PBH)xZ!HM#%Np_
z^8Qh5b%e4;-fFl*9^80{`E!C*`}eQ?g0HKm*&b@;h!q@1(4Wo}!jm1kkz<2v9Cy?)
zK|K%&2UdA;SmxCL?>OwtKH5oqB6Hxl1k6;EN8OsmHoB4-(!HNnN$&LdX6hJAOcel^
zsfHbp3JF;)H#JgHIb>xeJ&s+{%MNx`js`-@DSUa95rx_{)*=GE9)ZLla}~3Mke^X(
z)~&coF?bM8;VDf=SrR>eIi_BEcGow<G)@dKf38$#p^?QZ8D+6XnwIdg+TPLdRw!%P
z<=8=XgR9xcI&KHzs?|QxZ(A=w4r^%<*g-FI4nxT@I#Qg>Y<(luV(t)q*GpHmReWT-
zHN}x+co1!~E574b-{9eYN>853yn7-;<L^J|Ejp|vv1I?BsJT4tKTxw|`TMOWxe_*g
zYW&1K$&tB6hlnw+qb$5)^{N;d!oLq2h^9GsLvA{d-7S%b4CBQKLj-2btD>z2XqVo>
z+3C{Qr{t}SEOa5tYHXV-UA((iA6%l3D>-?jUJGf8R9=J%t62oNmV0+(5@(1uh`s@_
z{wpRc7t^FB2co=M^H7a+5JNj+-xb_k>9pmV{ilae*4V(c_0?1s5!!Oe3vDW1PWjiH
zMu_5oJv6a&+~!izigWN@<;e&5%E~kdiWm|@a+ju9|F(Hz&K^H)U4hN>`Wn*`4j{`W
zI>L}*mP5s+>XGla>I2~!?cQdFpFC(*SRe56+Y3LSM)(Ni3TvB-kBYUq4-yTCl8;Wa
zWOxN12o8@1P85C|mHP<KQ+@xPp)|rxpdA?PvOmAm7|VXDNA<+#VE-XVo$&Aps114~
zRBBP1jSb2JLs}EbB3i$3iU>K^mS53w2+QKr#aYH9&>Q%=o1%vH5n*KIsI_o-_Ip|c
z-^1?d$5NDtcBRsGmq0i&Gfs}?p@0W27me9h)>|eP2YEsE<l*@zzN5wNqIHOahzjn0
zGZq%;?9%QG-IGAD0$Mw&(F6`z{Lw#=*8hqk8!8NvX=%vh2U4-PDnesggK`_`2=x5q
z%0r)ks#k88jjP#U4>|a$0wjT--NBHoRmoKXLeZBl{!$;cT+}d@fMv9d13A0}jp0wB
z#vwjeAdkxUl#wIs%(V<RzDTpdio))WNWByz7#Na|U)8<+Aaf8`%*3LxE*Z#|-d|}^
zyFER|L;^mWyFRYvRb!M8tuW446khjG78Oex(u}Z@o=FZ8+_q9}4uQo#;i`4>o%nkD
zQ2Ag_H_`_V;xr<R;o4-0NKl9UeR%uDhH)mCi~>r9Ju?Ch!E_$rMio$2#qNQR3<(J*
zn@{1vyEt6AO@0IwM*(;s?6667)Mun2Z4y;LK;x%?lGD8zu=3P-jc`Ep&6j&)5%A_t
zdDL}6J^O64i}lmmhukl>`LK%p$blwk_8okm@M0Kz-%(}R+}P^w9os4Eb<whXC1U@4
z1qsUwkkH6AW>_9PFF*%1_Nwsofa##baBCr;`_R_XUgc2pGV^z;^As3{E~ud&a_nS<
z1aSt++krGLs2(3^OxeUJiG>px!ZR$`uQAlYn4^yf>MmKQ*}@dWZtQ<*3>jv1ktli_
zNXs{fKPdVp3r9tY8&<@9i^-+87Wii;Z<V?5zK0KH;p9qg93_=I=^lKX8Cj*_e#S6-
zF>JGEv@r3S*itD&xEL%GB%wOh2e|6|JOrSe1IL$Gc_&wrIG>NiRXMHx{VVL1%rL`0
z>JNwu0#{zMbIobNdrI-?dA(Ip;g1GROlDSM&ic*fi9!#@%W?v>F!YOz@ft`H0|oGw
z9>D6rF4z^iAq5%c;1BUy33d8B%dohMlRN)9_s=|~i;%u-DaXHPt1F|~zMBif{2qU#
zUP?_M(T;vhet1bWqnVci(HafH$4y9+^T9?JAl<+1B31a295FL-yG@>U5qW<*Dn~j~
z2wyMHRyv7I$X?M?9>VFT>h)&Scq;);*NGtNo1Z2<YpMnN{-aV?lw1Ibp2Qn-h*q8R
zcQ?~1ItXWA%O~UFnCgDni(f!waED8UJLWrWDHTO?3K?Hv@*nmat=h9T8(s<RJ}rWe
zypg4d;MKHOnJ4SY9<OJUI7QXk=d=#Gj0TaPm+8mxVgl|E_L*U&?yt|CUOLaFD#4U_
zd;cE%)}W1n0)#V>O!aH?Ev=(e^1Q^y0exCVAC<{F0umnZk~GrXqQ&957aUV~&%}q!
zb-6)5lE^G5wz0wNRrg6+KhCn#^EA$g6!rW5x~RtBS2~wCWAVk>6XDVQW-@Oopwy{L
zMZ`0BAZgBC3~ORnb><V!#*ojrx55f-Dk9(+dzmUMQ!_hm4Xw%Do32pmDMJJGhH-NU
znW>y+B69V{lLhto;&%FC1yns5q<B4^{n3WLokK@wWs(b>_&TX`i={$ss#@w-os|8(
zJ!!-dMm}+%%LMZ$%zcbu^vguJxp^WY*~##Rl7j0Tv(4446}Hl=N4Cwjdm5+*+%wgs
zr@WflEf3?ay0zv_pQO>?E<b)=P8yYtXaU)BR4g8`WO9NKl8b*uFi>gu<tNfEDnfN~
zt{>PZYHjlS-Ml9hu7OHuM$RsM)be#8n$%I&bPTW<a^xws4pCgR1lgtRhGizVG6bdi
zwo2UL{DE#CEiD?g2u+Mn*uQLC`5}N`a&+p7I;z3hPK9Qii2{}Z(&V*jjYsZ}<b1K$
zWM7wnvi4Q7y4!MJmKjPG)B8L;VnqA($D$FBZ0hk}pB8z#JaF5t6ApYK?l*S(!;$?3
zw3I}B*@<apw(FCwZtJ&-J$M%Xr~?yFXGr(I`vd6ET9dCj@@NUvNm?D<zm7lf7V4H^
zd{SN%oM({na|nF?K7(ERavzNs%rl2~b2g%UzuFHH#U&hEmp|APCeRMgQG*~ko|r9)
zD+|QkX>%0w^i4HBfuMFb1ejs1d#5jMfBDt>p*UPODn)l&+>cic7+W&AJrGlJ!4k(~
z);z|$nNDhzKHrOdR~Ko@H&R17h<caG7|Zd>y4wSZl4w(s?0mG;N0pAtgM1b`120#X
z)fsNB?VC7u%1o?xx`;ILJzd<DAYcS@KNjQ=xT7W%EGT~|8%%G&e)>tiQ|p}ny5x2Y
z8uAB9`YOb5b>)u2uVw)wKNYkuX^t4Z5bpqWkl`L@P`6*4%ENPEfqyJ~AIcJhAw<g&
z_<G;D3qRqCk&OKUSLP4*r}#{nVed$A8G-l;+`pO@A-{c6B9NB`yNnhg$f5M~PK+GX
zmUzjt67_{5C@?Y+ZfNQB%Cp64tBf|jFHk&ypIp$tM;JRrjv-DSgnEK}+c(=X_|Q6v
zmq6!$foeM}P-^1kcV@<v(W01cJ=bM)&cWqN?o|-4ox*g}|5dV4@Djda)81r0T0y_^
zRQ2V*NH<~$^or}82A@?>-#LF?EHnyRZpB$%c>~W-eHnz2k>I_0#)9Eqe*AcLQ90NU
zA0IYl@U%b@bKzIRgbc|xtzpZzaWDy#&jlV0@}eY0whu{}&N>2PU>?vV7_fpVLU(>4
zLXyiw${4TnAxIk6ha$mMd5wbso_yz5(I!XO0E(S?7mAh;&?3}%xiU%?i2`E$KZrbB
znbZB!QQo<G>q?(2*D2PIGLR@j@0<lkz>znvd8gD^;M!~}dQ&I_#kUpv*M?tj{Vv#<
zT1`;W5raz(vR&^PL#YGoVow|T^-(>;8dM}0`yNoLmLdc<58R-cnfuJ*kLLERA+4Lo
zpqviKbryj2)5itHqbSo9TgU@c%b2$Wf~kE4lzg`W?xIvS=)_dl@KX9@7-9aD!i+^n
z*zj>`h{PqnXyV-7ymOp*`W!Bmtq^brwM?_}74#j}2`|)L@k`ID)9e<tE$y$Xf=aey
zf%S#d`-vKWg-KM|)34#GY=<Sr=E1Z5uNT&N;M&c5C+RF|wg;i~PC$ML1ow|#j?0$w
zpaKjyPSnZtZHaeomY07}>1%B@@_@9k`wEA}DpQQ5^be@y+I9@_FHO&|ZL^LosU9{i
zOx-X1mXWi?)Zdd+a7R=`wkgKsrJRK6sY>^nn>%8w>m?|R!<RSET;8&^boAI@VndW&
zmKu{Y94|NYY4EeaIP`6yJNgiT@Akg!G6gD2Mkdn?I%x%=8sp*QOd8no-+f$2CxITH
zv#P2zqsAymHXe!8QE`(SZ0jF3@D~Y=ZfUQrP`pOHnR$1#!#^oz&6lH2TK5e)#q3@d
z6U-S^aT}r2M45x`A0TP@7EuC|=?h6`YHWNQc~|Lvv9p@)vzC>>Tv7dmi%{wW^$C20
zhj%Oe(pDjU`zIMFmvTgS*i?xUQipRYBQw6BfO2g-B2On;RkMO}9E3vo-K|s?y^~^^
zFJyIHuMZZ&3=vBx>uOB@{X|!dKy1(sCYWg?c8rQ`NX>;B=fTf9z4C2#n~AqkL$nCR
zs%H_#;*L3SojT7=W=QKQShwODV+V6Le5)i>IbO8d9Xx21dIOST%vmppb~+odhH-5~
z7n^C+qg7?^;K35vuu*?GYO!B>B5PokI58cfe*6(B$jDcmuiOnXyhttD?|r7>)0d`X
z#GlDbqM?5EA%4xs<<rx5z2Ro`>iBVlkh0NFDu!O>X(UYO0j@0ubKD*%X!_3W&H%-5
z`B0p;7}e+E<u46GzAs0<ixLD$R^E>-HlY*A*pDdu6|{n*Vkd!<MfP#X#wr)&4{w0d
zni0*pb@S)hI?zMW7ZuVbYpB2##>bF;67X5aakf~b^|l!!!`iES7yAqdbwPFv#i|ne
zHJr9rAa<m>3QH`o^VwR-Du3wYeFKJk(Dc#LVMsN{HD7uIO_YxaA%@cu>v<m6(79~o
zP$m*D#n`)t%A39QaM$S|K0Stqz=@byja6wUXq{NFg44!5+$g(=AT-NEJnr!~NIuZV
zd4<k@U+aphmw3u@-ZT$<y_+c$&g-WmKTIP_YcGP>(IrG-84V7XPOn~A%*WxU^Jd6~
z9?P2{dk#3cEzv~_48_@rF>WLfbC8pv1|;+4rrU5EN8v!uKJ-v{!>DJOv3c+H<z9k;
zqr0faF|a)!P5rEAuYJ>ww*}t@<eVwFV(8(5n!Szcdf4TvM!S^RTk?GxUI=CaQ!2=k
zFynQJzNZ)k0m*;}fnJ{0JoD`(5XtQwqA9^w^yUVu_`op8=2ME_M6Io*)%}Sakq3gt
z`D5Q~sN`<x+-`eQD6}(G-2Wgr5;^)w93t@GwgtMiPDEzeMa~xb_a;rj5CW!tC?t_I
zN@?1)WKqLd8`W2IoA;`^*f-mIV_M<7{#j)&psXQ=@)VqPFF1?g?Sm1S{E<Qn@n6@<
zpu(27S`~R?W35xCMDse3qIj6TZNZO|`Kf$8M293mD*p}suVFe?+m-XO6LB?~oz=&h
zeS3(mo;IrCE{hv`_<XYEw$cNTb;YjFpsF9_r+%3F&OPI%pJanRKHc_BOum(LJ+JDA
ztdSHQ)2eS4nDkkT?Bb1z-TTrFg4Z*g?^yX=%j_kL8(JK}Mh`oAuu7-5a>f~a^dnF@
zBKq|)GQz~E1Zks{dM5*I4I{txd|YwWCGl@B;mv#y^)q=)0pgm?p+JquD^zXKRYVN?
zb_-=(HJ2z>L-mxm>z3x}AX9ZXVK16efuIBH)E_4|_|J@&u^%>`oxPtqTrO%W5ec@9
z?`hLK3d?@>CZlg7i#6M<3D-XweEL@1KfF3Mu*52ry^hJ5LKQ0@w#WKbCC@7`y=x(%
zn%FO2qDDNn^&9ZN&E$t?$rGX{%)Kfxm>*fLA{UoEW+~kPHseT&$qu|OrR~+klNS#T
z4JvyK1zxNQOc<>w++_=&<4mF)#hUaSsW2Yj*$9a_*8(I{OOWY<P1jl&yn!L^P7P*j
zu$+iPyrUQLtr$Jt60zNBab+?811Qh^u2Dev&`Ve%Gc0&-N}{B$`fN9GC{23>hF(T>
z{}wkOWWL@bkORMsaT8<2u7?5;gxe&U75Wmxu77*JF*}5Fk2%`-e4gUze1$*P7h$3v
zK<xrFoZutJ!mL^7Y#`^Q7k)?J(Z6wi-}61luY(J^qylI(n26CE5OBx_t^WId&<kKx
z{stT9Jq;$YGgy~&{5_to%>9d{9<7>3?<~$W$!IMKy7ic50x%4E3=E6k^(Qcr(Z6q;
z6?v&l;&?RZU?eDLZ?B}^hsIQ<duiZe4js4#CJiZOIb_3CQQ!4XYgP*I<>@0D5%fE<
z;@RafVcneU)X7_Qud_jK0)LC-zzQFv3_{<tV4ha_XC@c$Jug6a;@e-OQX>v!I50bp
z6Z18rPuCQqZ`uqh-@Lr}?eui{CpE*Mnz$Nk^4Q#1uf2ZSO+@!Ybq!oBP~w3Ri}+n?
zDz*+KR<m(X$z%dV1sSKyGRl(fue3xx;gHo(<Kwo$ls9_ZRUvjd%fj+TEGI8Sp$;*Y
zBnk2@WJ$t}kIdOEa}3(;$7>ybrCqVo6d4nlTSHfPDD}XicCaXrb7GO=$qkofj~y!&
zhzxMrY*+7YH;8V#8$@<TMhOU=aNvwvp-ixgaIZfSD%%X9h|0llD#`<%m)BI7s(lhw
zeECQEchWz#R!~gIG9`q#u*A$7rtgl}->VwXvPG*=m8o_`V@la*Oc#{-C=9r7`NpjJ
z6swKjIi*5r7Bp^-2!-A7^bF>e4T$fmRP5i=nM$P32x!BC;e%U~Lu9co-<gK{byLfA
z@*ZR|l@McPN|JIzVhQ11f2~9E5MiC(n)eR(k7RY&)fFAry;zP~ZL!5f<{(SdL*+fC
zg_y)E!wI&3@lR<Ql5-JK{Af0{wKXRv8Q0;6Kxbb0uAmt@J^fVb&9TUxLH3%ccQpN2
z1I-bdAFrcWb65<?$iY8m=)^1dSh6qi2g)FE!IJ!=3RuOrU@TX$BG<!DH{0Jw;s2N(
zo}Noq#3Wwfo{pkLbd?q+l!vdid^=sZI;60*F+$mn&buN>?;ScJ<Pm)N^NpAHxP-Gs
zpHF}19wXH;#8Pe>fW)x?{Vfb10s})E>p7ViY@7hb0|~hd;fl>2C}mLVKd9W=%D}F!
z&kJHCp-ME4e)TXP8_P$c<j>-Pj`x}amY0^l)|$1vk0DySV9|}cK&W6`5Z`X}SIti=
z_O*#@l^gU=3kH+QN+d7v5x~LtV#ETuV8I)f!&#PqaGhKwvJ=G8BfKdu*ox&o1aHTS
zh#`w6{PW}G?;B*yT9duE;L)XFy+?bL!R#JO%4U>E%AX-veZ5~u-xQNo5>BV{+w7wZ
zLQwl2PbR*=y&@ng;90O_@v)ep&$0M|zz)zI3ta*NVi$rX3`#&?ZQj2jzj+^D?3pCb
zQqKk0;$_sw-uqE}_XM%rTgmzKyGt&C+$%=@Ux^~GpfWF_o@D!+(xM(f5x7|BVSxqW
zoxfg+2Q-d5@l+VABHbeQl?)yhwLyHnpcp*URYChM>F^HwDkQfsVY4a77P1_5k1-|5
z@G6#;^{F|r%d?e;QfkpQMo|j*H%i@&R=!swCD~Ygdl$|+2l#(bWFVJsMGnK5CNku!
z1e3`STqs2&CbDx&9E*=$rab*-q<Uj{{U@&Y)`tT)Fjk#sB3`a$-C*FEnHJh(!wNaf
zoIc<p>?DsC+R<87MVEV&G@+hy&<76{rz~5l<L(d0)*te-<qB1wcNS&{kV6g~ur^Bu
zm@{z3)+^1PNcwT=SVsWWD&(vb#FL$vU!@>|U$|x4HOMjW7ui?n|38#{cQ}>(AOC%<
zL-w9gglyR(JSCKovNMlF*&%zKLX_kwn~;R;BOIHPl`VTy_LiOf`yA?dp6~Da{qwu7
zuFKVZ&bjaVv)=Rde!b;p(EGhOgH&!Ji?dP%ga{FxkCIP!jMd4ggWl=*88<%sU}?gp
zX+*}I+e3N(hvgD8gk2d3r4WwXGn+X!@0Y;NC<}@l$KX9Rhgwpk@QbFyD%%UJ^zR?x
z2`3l3MqG(mdh(*(-c!7+R92WZ{T)>a&UTT#WHx}X-T)9*i1@4P3}_4ism)2+u0{P_
zaH4v9eSQ9fhvibb3DJu*jwH>JrU!zr1)j~!{`2rQn9&Vs5yJxXHL$EVF!Bb^O<iyE
zzsR|Ly`Dl}(8$AVVEB+rLQyqJKW1k5>X=a#uj`P}Zx)tSDd!hlngfA>Wegwu4-MC9
z`U*_ECWa>}z$pU%fU4ygBE<VGMt*@5$k5yAZLNXo#zmf}69X;ZMumf_&~H;S$y8Jq
zw}^<gL!B|t{mC!<J{9;7m-FXHk4#%L3-OqY@FCOvbI24SNVs8xF{M-W2oNi;)_f(@
zlRBHV@I+j<N1RrgRq>J4jW(k;k1S+{xA9JYa1o!gi(<bmU*SY?3xsb){DamnE0JIi
zJ6LH7q}=VbeX2F^Bh|z5!@V`YDKB{PvC>$RFh${{<YePbTMOHH7`5*=J`*icO7NpM
zxH~w|K`@@<`wVEOv6JX}a!c>g0kll%pZSAS;vzdZ+Cbql{9avs6^z^AHoD&3VCn++
z1Vn9xp))y?-wvaO^O!x83pqVW40Fs_fsco*x{BjgZ^nanb`Y>X2s9-_v<wgQ{(RT(
zffHyjuzSq$GuT9yxr2+o|2XpR5~Gap@Gri0B>J`!Wq%E1`z=ndxA`A#-o%|BvDat&
z#T%))jqkPl@%YQv9a+$}V~-EU;7UOWgd9LFlBC4o{=*34qsO*?@i!w(XDA=nNJU=q
zwUF0yiJfzWCq2{0e#rjK{Vpyx2F3lW4s-5q&Q+qBi4k8#Pr5o&N!~k_m{cugf9q@_
z-dYuEWb?7B5djWi<U9CpfeJR*1P+4rBRg_vb5HRHMI!yTr9DsMizCP1pPfi>_b8BJ
z@;n=>0aM)Ex&svPHQ8uwdKVh>u0D6dhCFKiy2I>(={<kUek##IkYFi%$&o{qf{F5k
z2+v|)&(6<o`y7z=TyKL|zQQ@o)s0UIxWaOsljl)PTw5ZYvx*lEzcuT_44D3!xZUBh
zPhc#6LrMr2wX43E>}OXajMKk9ATo|ERKl(?nEfqn*m872*)G4W0vy3MYP~ZfGPk$&
z5ZYlKA}6q!okD4^O=m;P=CZpNYdsl}zB6BUh+Qy-$6EGHp(0yniwZserjLUK-onm+
zw;r;F_Clbu`imJk2<@79^EQd6V)4>0_=@YXK)@H<GE<$Co!qZgUk(z=!^zTz=f65@
z`KGE>Rn>*5O^o#)z>r}aGMTw6&hizhU$Y{d-U*1<hgUIR(D}8xq!WRDBJ@rqh?rvz
z#vJ~-44*qan<73eCN(2pcZ5_hIxgd%Z6we0x?RBT(bJ7pP4=6BhJLaoKj5gf?|DsK
zo@C8-d-{k>ZchVEa%{KeDFKcBoMo;^^WUConz`*eD4U8k8Ht2RIisD=L?y0O=~gX{
z*WNKhqMKJsP8OS{lUFMHs=nwZ<#m0LdO1b`U;Et|<H+*D#!7#Ekf7^3rnCxx!W}HR
z=R6=1HgewXTIKv8=!`MmI!7s!u)}dKFT-JDj?!ZV?VaN!5?08ry=&k((D6gt)s@eD
z-Y_Ox+6OOXX4z=lh(f!f9KV3#wLN@5(~8Brv?7ZVL+2u&5x!VdBH}|_ku8#`w%q9M
zKAJy#bK9%~W-HB?SXC(|OFi^71e~n1ZA64@NL!I^jJe?@zO>Qt86<KS4l&YGntK(`
z^bPxm_j?cfl_lB5bw_*$nqxj1RF9g)Is1m0;Ad7NgQR!g2>Ut+^k-|iI<*Y2*Tian
z`@}pse&E?YAjou&5A@O);FRs&T4rt!3;SkMc*<ELn_;pxv-wF$YM)YIBxIIEN+n#E
zTXKXb&TTVwQ&HwPt#!3qyu)Pg(B8r3fSskx<V(S!ZYeEXyU<VMh;X(&P0&N!{WY21
zzN5K+6nC*-Ot=3<h64f7jeHf%jf$>2y^jak&y0*etBmt_h)2-D@yA+o@-z(&*)W@2
zas3ED`tEFJ4>p^%$HC7Xha8re^;b7+5YP3gO3o<DA+f`?zF1|LAzEKQlHG4>C}woN
zR&A&IOKX#vNL(y0F-?H2g>deQ#_~X-o8r}<@>lJt@~aZnY<l7)w78~;&NFk{Kh}#>
zwq{x~IINFb0quEG!rZ!YTfcelT|I{+<uHtARR0-^wDic4;z18dd$rO2<h|Ml#pW|I
z*tW!wb4&RyL2VAo+dH~afS5yxyum@F)xHWB^~=2V*O1xH+3<a|c)IDix81%uUhMOi
zgXauA9Sp*h?^0r|2jG!h+`11Xh_GlJu%J-&$wG0$I+%dH_z5xw_QZ-}75TKnC_5tS
zg(5Csr?kVC%1uR;0z>W?4rDCxjOoppFz&ypsg=|2UwdQu1auug%5>Qoug?g+$m+?K
zOlQ6Ah$if;Oso)((#aJ!>13q69{5$<qAOFE7$K<O^}_UZ)d-s8Nb1A)eZ%WU%!J|L
zwA{FvG%vd|Qun&L5}e7d;UdhD_;j7y?F1N`3LJzjzP78sh?1zrT=gd_)oaG7eP2{h
z1X!vgnlr>T+XVbGpZl$`#_W(QVaWcnZ6&1sNq=f0kwA*`#IR)n+y*a_e_DAkx(^E;
zuy1+ZTbd%9>>c!h5E=vQjsvnYM-F+$t#|_75a0Sod%1VGTp5xzGwRKiBH;n?%mJGO
ztUV4PD&zWS=jQfucz#mF40Vr<e)$5sqt26tf+d#hC=$S<BYxg{4YFhD(&E0LX^Hb=
zy<l=$T3@w!{Crz@9*a1RLAj3_vs9=NGtz!V1Q~{4+NY^#?&WlzBY+Y%F(1+QAEuqq
zkxewu_t0g~SkDIgt(^zMnn4n|QY>V}oI3{gC9p-n@dWaz-&uIYhwuz;eCbPR!KAVD
zMy6T6X#-$O9w`<GU1#W#>MKh93krrL!VjZ-U)kq5x#lmWRLnJgkAI;?3nhG=4cPtQ
zv4&o{p;cFA6mtjnl8UiI`=D`gPU;&vO#lA8v#|SlAXg1}(QQOOslYl}a+ip_eUVN!
z`|xx$oS6DhZEE|)5lbk-HQFJ=YUg?LsEs`tL^tS_^~xWSwnw+4-^E>~+h$Ds%a!ee
zpGMz74Io0+dLA<$+CHF$?~k?jL985(=ontT9wdQox^;K?S6d8uzD+~2*xTk8HFrD8
z-Q^wz&uPi(J{)VFYL5I$FT{3jpKxDuEnL18ZuWAwqi>^wG0F@dk<R}#9Cp@2q|qGP
zL!>Fg(DOIj4*?2o>+4XwYX?WnZ5n(Sb7OAp&;4fdG0o<2`>G&5ru-tShrjh8kBa?+
zZ7xYuJL?DKS&J@&s%1}Y4I$=l7W3eAIo)8E<$77sd!uT#V0l_1h3GAqhwK|7I0hQ~
zhR&*kqbn&_$<dqoKZbqNy(HtdMPfBwX#z&|NR`juTc`;-(&gE@FL9ypfPB5f$@)Z{
zEOrphgl>@FMczH3IJ3DfA%jHvbgS*$445@tQh9PC6nz)!qVoNU_^W&7#}_986?{{s
z*(i#sm3^k&;-42MwjF3~{v4&rw-jB<9>4Y}ImSNEm)35Rw(fRP>@Ui#<fMbahkM_(
zZ$D4pZP$$xSxIV}-)aDWWn3&^Iq1M)^<{J7>zCh3`gT}x4Mw(m1qvNyJIP?nl_XBo
zBd}Pzx(j{Z$uRpD$2aBk$6^e^YkP@}6eTnS8p>Fo=?*sP%3nE;H0d~cfl*xJK)P}m
z+T3cyL+pv61HRhPGf?AW8ux}4jaDK4*M2)fM}_+LE@#6~qa9IlvFRU2im64_X9<$E
zJuJ~$!8T(awht|T(Yfj4W481<6xa4m<UK049dS{lMf=X1&w668W*P83@e#)grQ>j6
ze~~x9w21ROx&m4Cs8?>f#XTQ@4Z`jW(qWcs@If1s(Y+Hwgrdj%r5<Tr`|VH?QvmnX
z8Gqb;-52kais*?i8K5HS^u3_yzO-n)=|tA#$_BQ<__jQ*L6K1w&M<&6Ls%FygzAB_
zBP`aiCxHpp*4zDT%wnin0EeqpqSnc;qhtEzC1#|hijGtdzg1@1vTPS@uwSs<`Ixu9
zmR;9bGENas-Mx5rJN_vc;I4pO-UrQ{3po8dws7Z@ug;iw?dlsb_{!^wXC7}TtgUh4
zS~oo}nM&w5zVMYA3QRv69%A+ilC-2%%!di1M{ik`at{EZghe$b@DQ09yPH2X@lnMl
zMag*u-`^#UJjrzaWG{^`)oWTKHY2*Y=<bDwK#O~RA0oqyy7Bg9k_x5KmeG;EZcruJ
zh2=0$nyhU%#whon3v)sL18x2*F;DpcIl@IyX)-@-Y+HU7tSuAll-%g+=LjRRSUzdQ
z)M4zM>Pw87z!~9A;xXyS?~W7VLyE81+}$_QX89<P*L8a~8drj~-sfDQC()c$r#D|+
z395q01(VLTkhkD2e^fz<+KJ2;#7mbtB0h5;8X!GMpCHsLd`vYF=A6=H(KYp<H3%hB
zDFjD_6I}8qIfFh6JUC+4kKsHVU5&30d&no?T2)DFQWI%Nz6-PCYvDf3EL($w<F0eH
z*GPYeC;aq~FR9dUW{m+e4Aj#Et^tEG84Q%G#Q#H%l)fYr^TEfSlFaDV!vXK(t2R8f
z4mWU5yQzdnIhEk{9eg#;3^O3>$ve0;pl)QoYu<L!vODa8QI(BJwOz92<47*aEKj`|
znb~kI!GELS-G~q+DV*=9<ngcD%E{<Xoy3IC5$*jdN94E$U+-nXgkh(yJUezbn_tPB
zfFo3|8c6bWaf=geGhhfT7Ul3S9P;n_UM)xo+$ThOZZ66}>8xH?pjavuh>rg?L)Mzz
zH5TQ9g!u}GLn7pgJe}*|H5PJt`D!?-y=mUNY}Hu$S7gn3%!b34w0C`+9cj1ga$kt=
zRcQ>A4+}oz>jNB3Y~B?Pa4)6Qp`CBrBco7v(XL(Qn^@A*b}h?I#X8L7<ED<B^60i1
z<5_R0pTueIhz!&1SLZ2(lzEdp_VRK4dCxxx>92^^*(#(`#kefQtO9~H(qZ-<>SC5V
z8U?w#{Wg2AHht8{1!lHpyR+U6L<^uHz2SyzTWv#yH+SS)Y-82$wlw6+A;(n7)relB
zf$j3+XJU>{0-18`>zy|*fBY)-C&4^OSa7`?RTg;(|I7*5v4_%ov`#26=_p+X6Qvwg
zN>j}p2Fzqqc`;qy-`ZKC1$oR`^AB2;ph9ii<!|WQN6!!6_w~!8Gafu~P^|+ee)EDC
zb)sgEOq9F+0$X@>Q37PSW&YYEtYk^-SB);iSDWcK^s-PWd8hI+Ea!w|RRt3mHxj2o
z;DS%CP}NT^Vq6y6FS+3GE4y_(;{}cR4J#8i$UsaR-s7srW^3ie;IrRrKlF^jyL*X7
znT@Zip1f-BZLG+T@j~I6o-cuo>jx5G@v+QP(LFK^0UZ%EjQn{8B8h}?x6>|F<Ye3b
zfl$9Q2N3F-m90vc0m`>``;xBD?Pa-&8=cW)ri-AThsfB_rCsNOt5c*M3p(TQvxQ>C
z)R(cC8~?3RpCkw{)TJBbJhuw9Q?A}%9KJ_vj`kdBL^Y}?!n`#ZE!OrnOZ#4-+`x9v
zoyqdgkz!1}=J~$sXlk#lZA8UBQLyi?$@-5L;~hcKGEnQvWRzVAT~clcwdi?uE0krF
zai^j{6HnRf><Y_F`yZ1mB&^!^SdjFnpK*`d1rvRxqtD^5OQ&8xsIaC+=8~f?<Yk%$
zhJ<b#%U)lGsprh(<&H2-71|%RMRH$7=8jF}6-n68r`;-X#c4Ry`O$bOF*y$H4JMk!
zw{=}|#Bi}aNb>85D^vfd2C3P$=_@FGqi(4Zj@ov@<Ht2P-@xmV`*K$6fn&ctL4sz+
z1>+$LCgmAc`XBQO(ba{s1tL9l-&^$`*aPO4!%~e3!IBR`Ba$tVYpvzU-zMw!O`v~i
zue53}WJ=VE=QdlK*bfv&VO!DQOF5*ejun}|Es=8@)1i6-PioNh$f+N|sM!_jKqKlo
zmW;_PWr;waiq>}>$RU+9vBX#C2|#?M*K5s3V}QvGZrVqU?j|XKUNj+IkoSmlc{y-d
z(@MQvr#$>d%UIsNTa8*l&WzgLwe4_+qDRV%KUs{Z8!Q{I>WB^9W_^T70UbfAqK=IQ
z&1P<my}b3(cXen#o_)*zA>Q(b^4ehC-}dh^GmKv_6gbqU&1<Y8LkluM^O|8?1B3gv
z^tdb{%2tzg=?_^L^+tb$d@5~}kdPPLaJYKnL1++n0MYRp7+8l^e2I1Hx@g4E@%64T
zv$>7$B1}DS*VUyc@|9-ma*s#F?YejqGirfXU=gg|k{9$r2*Ck)PY_eSkP{)ZsS<0z
zW`1rwmsi6WL7jVFLGWt2dvc{faxIM)uv{-{&8TnkNF<8Co{3{65Sm-jUW522BU&OT
z*Fuk-%w#(Qtz9dK+U4i#vfh~CAYRZuc;ONVD7sqHnW!^pa())Pxz7HXE@dLR*mFBO
zzl`M<Rm@PK3uDCF6_bH8ims$g>1T@Mh?pWGr@ZZ-v;8B+??*>v0<;@5atT!=>%Sb}
zLOq@VBWdiNoRovh=m7r+?jEgjiM^-ikx`A=Qt=gAp2p{FTsg{%Avd0k0@84k`0JcQ
z+;^=eR}Xtpi9$qLP#f({8A<OeGlPPr;(-xx_x_k3N@P{qhy&Bh$DcBP9Co$*6j;t{
z`S`LpuD5!kHT31TlQbiWz8}hU^=6TO-8i-9tLZSW$V7|==grAtdDRXm-Z*g}_Y``#
zBoj;PA4KGli-=1jGP5)Ddb904=`l|nBHh%pCWF;IzH7DJC`xjb--gg?8(FE6;;bIr
zaJ!CzjK}`Kxf8yZG_Hh+l)LaUfH1b@eTEH#vsPTZJ(vE>X4a_0k0l433>G6*YaI|0
zf2fddIWY7yc968%XVDFg5WFfV>Y-H8p5c({?uMJ!Z?%5Sj}dwPW=JV(4dLCzWg>2L
zuw!?#ns(OeB^S%b50!GYxKDxF?&s~<7AC{6O?5KH<p3er0e4>T`1rll)#s&~emZIJ
zit{&pDeYC9zT^Xtwk14&yuh1I$@j?w(7H*lZ{Bm?GFW=BJij4m+jU<yg6;06Zip4@
z&^qfU#Zt!El#=cPU#WAB-+xu~b`nww|N3n;_`k!AmN=Hf6TYXvgEk_{aNVT4qqa21
zG<szhY7@JdOlrE{;_nWrH#GI?rLtG8dEpEnY>{C4i-{G-;GngJ!&(D`5dSzMalt5H
zv9aT!G$M<n)jDIc{^exnFwMp%>W8^YcW!Z;O<Lsn=mFt1+xywWeco<&Q0iB)&teaR
zu#%ehKKER=CxLrrx#dw$q~=|J4&=(hwEohRB1y4)60-S@?pRgUGVA``eQy^G-RX;i
z5UUwXz4ao&6FdZ|*^`~_a!;f8Uzc*7LH`<rxUTvDO}<I)It<gzb+cgXiJHGV)AO-C
z@Y?63Z*7ubY*u4NystomRu9J5>aVWImjG}z3Sa26{?7g3Us_5~_ED}OYqSG-gfT+-
zDonV_E`V9qR(@k)o?}qnRThdB(0<Rf>3q<eATbr#uc-kc6bLYRv(mR=2xw4q>{;pZ
zJ>pYm6QsFdr^xN^C~M~!R-8e!@a^?bGE97LdI;%=s_7`Mus)O{FeBV~ev}l7CN_M~
zF@N8~3h%w;T#pN+t*2=#aPpW9)2l^nxLnBq+2O`yh9fnUE9weSZqkUd^5+FMc%^?g
zOGpO1Y`_`w*pEF|qEn>nek>;k=a&(2Lr)c%{~Y1|P5`;gc$YT6hWm>*2ZptWHPJ#l
ziV*({mjJ}DpWXUR=uG0_>_kCmG!$)ZXXEA;<@!?;iWtc<9mhw7=opo%kKqarL9q+b
zvx^S2^@d7904Fdav2?tg*_Dw2^&{T<eZAHuv1Yqm1>SS&R$=}#4?=_$J(<grp3FBl
z(LVf48~oZ7Wy{OnQc83!7c+vPe&yuG4!3s_Bz|=&(oih_TvD-i&H?Y?P}CPIQFA_M
zM-*!7)kcB9_HsU+@Rjd$he5z~2Pr2iD8j<ETHsns?|dU1vI{}JxH$YESq1Ze4Yuiu
z@4KV*t8QFKk?onzLQbBJ+6VM{*`h2&?aqOirNC$<%Gn1U5F*7*OC=5#{qUA4l}b6F
z&D^a>#-;|tSC;8FB&&G)|5{e#dw#&%^SW33*B%XK^1$L@Me4-!FBM;*^w}+s&)mTu
z%eZj*hwUaQ^5t9qU;#`|wDFeP84gD1yV#gNoCx9cY!-i(NUs8&i5}xa2cY$|HTfig
zG0yKegef^fyRciJSWE&6b*=7$gD7+=i*RDuqB)rXG2+F5!+PS#UB-O}ThmdA%<c~K
zNY`;0_`=xxo{Pv#CZb+87^*9DP8tz@`8xV;(T>IDblI#}c4lJgQ%CxgIr+S4?$Mwh
z&*ujW74|cXC=ysuBa~bct~X!5b5en#ISNXA8{@VHM`i#i?gZe9BWAxoAEShEZc=;h
z9usKxM+Y`Q=?VMD9yj(#+pL!gLW(tgrSp7=F*x)M#$q`(N0kd8-s}_{J5Ws+%qMhc
zIL7@bGnafU(#K#Mh9s4@m%TD@4)IyR#KT&K*<k_~ys$SwE*-K$M)9vIjf=*DnV(F3
z*OTd*dm~OMtf}v8_LZZLtS#YUt27Qd%+4ktUGX8Xis3a9#X{teosC4r?YzBS4SB{9
z)<LoM%y!_|VBz4`{qvS)*6>g)TQ+#7F%foz5P`7tTw!FlysRWNxbgGCES2Y-wBz!{
z&i&juq()k_i9z6!@$mR+2LR|mcA`W2xk6E2?NwXj<0r}QXJeA&Mqq>U+ScPFC2*80
zczIY39)bX3u9A|1t4H1@huZwD%e(i|2~Z$0ob^?_;;o>hz{rn#%*d$S;5OcSFF~iC
zn^Wu32=vp$l)^E(dZ(X^CKefRNRQmAwNT4SJ(@+{7g3m`gsx@*4FKqmi4^ClYoH_Y
zE;Awo{hz=N&}`k4-dOUvZLtx$)1FIN^Km@Kogs9bMS4W)9|<`xa=Gfrn!8@7!%!C(
zrX)QdMlKval*TbQS9{AmBX8K$_!INole|z$>yCz&Fzx5J1ky~GuC=+v9Q5zgz`xsZ
zzQOPt@m!}gxwF3TdG2$WNrpKD7U{}>V80Zlb9^|gjU<g(iP!SccB7hkb#8J(G0wzv
zU~3;AAF?6yGrPkzow`ero5dnG<Oonwv9qX!^uoHtmn+}voO*s(ybFi%8|O>-UYOAy
zuztYvtjwk&`5Vt3s`~hX6({BO<j8%H*BD2egm_ZqJisQ$DN!J4WYa=&+XjxX=DbS7
z5h)-R^(3R?1{~qMl06dz3Wq=B;s2C@Y<Vfl&r3g_@gh~7S@cLL&Z2F#Ft#K|1Zdif
z<upHI?#au4>^(Li*dvTH_`QJ;vGTDR7o*y>=b4m{+8saqsvWmnt>Uv{p_{=62>53?
z;@$3OILhf~!vOFg>xcb=o*31bP2;eqwr><v$>YpUh4Uv<?!O8&JVp}^vVN(r)gm}^
zxxJuG;+4uQlU$}nBeCo)S%^!Of^$Go(q;(P;Av$h6uI$3$e%ZAd0=&&rw10BC%a14
z!PUR;T_{TCu4jX3t&5wz;4UPwA1SCm=e$;~;L4x;aYi-n=!aX<b886oC6oZuf0evB
z%aaW$@ZtKyxR+POvsYMe#%M&HEH_F8xY}B3yhw=OxNrc9EpS%z3R9iA>%K?ir)NL=
zR3fCk2e}@fn{kXB6PzBm+A!Y$^kyUo!W73|^5JK()Bg4c%sKbZ=3NK}_4m)oQ5E!(
zyM55*1oUXYdG7m5e~sm8e5yasy*fyDdn;ya+alO2xqE8SkD&jNo%%N_wkN(72PvNV
zey>*FSg5l2zpWl4rm&Dy(X5sTaG6|yi})cw#35Ym3f+mYkb#3IrvMlbumpR)T3`H|
zC~3ku%Kf-jg}`r)_`<F%Fz_WTAR`|KWzCl%$w$YE{eSXb?AWX?;gK4MU*#IObjJE>
z5C#HG@QdgWRQO;&0>*$Ygr?p4#xIK<4#?!4K`qR(62yASZyTZ({{og`2n$GyV^cF1
z0o)VdBd}<kvvd`>3IU!$iqqKs>2LqJ1>wJtiYxdb0G9NBeOz#;2(o&o7qMB-vu_h(
zkqiLif=#>vg>^P8hU;K7{{km)PaikQ4Z3#y|G(ARua$?n`_Iijca#eiJ8~ZsSASGy
zTfpu~Frc$xpf3gy`7e4Nzowm+$<N0~xj3TMn1lL$bXq5!Jb^a6t+3|bI`z#nP?A|R
zt`!y4kp^V7$`og{Sy|Si>5GG@B&O!$0)x6ib~+%C#xF-1pU6WMw)Gu_9^=MsM3^?Q
zBd3XRf&>bfa3IM0Vuu1WbTCXkcZ~?C3mxc8$e+tF5dH6)?GQoQzR<0$m=O~vmPcAs
zBNcN@Zd%vnY-C6M$dP+cY{iIQg*=2Zd06q{j^e~y3hbo+vmk7T#pwf{NdtW#I3dqx
zlec{|O|z<zS!Sefz0tm^jLTy+7N6}}ydKu~iNj4R(<0F^z4g|x_}3`AN_#2-4cl?P
zdB@iF891Upj=Z`_xTufIwxG(O&1*Vzops3#SsRF+@mrY^pSf|mli=7DP4T~sV>Nr3
z8L~@kRU&)A+3@md2kxy>;i)i*!$>iF8?ECmJ4ae?W#^e6x@ZSH`r4ikrEh&QbExZ{
zq;ET4ej3YRROK1v+bQ^P<O9tQ2A_L#nO9fJN31)|w;S#dQi5FpKvCGO4nP{mhQy-}
za&H<~+L1ha(Wc!fop_h~ep9&@7o!7B8N<;_M@=HH>))E<VZBr}co@T6V)MM4;$PBV
z$7F8um;~2MlVP%2D;}8+J(Y^ptS;^C@XiXzIPNXPL!=6I5!owJ*r|G2`jvLaT^(Nx
zWhSEepLIEALE-6WAId%sZZ%KCa0)(+92_&SISQ@kU>_s@CTfW`bgzo@>7frKzs47L
zP0ez@kkc+*dx{max_X?TN?QNLXIqJDlM~Jl8~phgLJfMlwM3)h1xg0uZz*$nVfWFW
zGj~jb;e9m!T(*`J_}D-CJuF6!OZsy|w4Wv2P&^J|@)~h?=`j$E(Bk@-N!N2zZ1*<E
z@06LQdWy%4J>!aBg6w>xo>(UYZ%4Y{vid%}pL8<KaOJ;e%^*Nqr2Fqol1TJ$8Pyu2
zBfl(Dg6KewxS%-BU~~@cYGaOI7eN8~eO#Co2p<-=c2#B-WQn24Fpa@6#Zsvw@h_dG
zEXWbIl32_LR$_oZH^>H6pf>SeBJE-7ibhjmmW-wR*Ln%$;E<K%lhCm|@o1X6>JAA9
z#>-Q_klrrd>seh_F}ZHo;IE&Jx|Yh3J!MHZ$q_vjw|$lWD~!ezLhf13S{Er(edb*4
z88dJbhXsG?xq=*$s4upk?ZHJhlS8p~5_jEZbuDvfE-}N}$bO*9vKP!tD0d-c#vA{g
zR#RLo^>0k5e<=Ybp1Gr37TQT6j6KhR?VH(lcnz;@hf;V`7ze02gJUNVy>sjUPx7x=
z^d&_$2n3a+<%&#1rk4u9Ilm{c2m^f>Uzz>L!7CCsotaBS(;1U~1>QC-5VF<+6SXA1
zPmD;B_|RhS4q^G9{&P%)Ae13Zm*}@FW{BC*4k^*6zqG-C(aC*v`9A4&Ih||9w%3Px
zGc0p8vo7QnpSy4C$M?h|<J|p&pAceXC6%3pKORUDkg@nJ-Y)>;8qlo^ZpG0eTj=|$
z-l@`n;2!==4i9C?OY=}w_tj0~`?7F5Uhy@>DIVPTOt>ib*1Aji)*Lc(<AZp<Y8gdb
z8|_55G@`B!d!vz6brEqkiwi*FU$5cC;lf*DJX>Nu7(Wye&4FwPh%1it%7tGUY2jQ6
zvmD`{pP+Nl__@V^!Ew?!{=viM#bU>lYf(o0hFsC@`XY%{7rO9i&4-Ag87{5<fiSkV
zYy;HYa|vV-uLlgXNx<o=qpKHY&A3jv55tu69%5C&Q8$b5Nh>oB7RUtf_C$!M&R11I
zG|r}KFNBjBNh%qgPNI@W`ziV%ME8bw=<fvTV_wH!5yczt`R*3$?8r;UnXtmt^)4;8
zXXn~koXgQ@cE&+<#em5xScrGOyhF=~P5SJ&QwpC{oIPb4Sw(}1d?CAK2&pkdEafwI
z(f(j?v~%9GFTM&#6^#hjr>R=__x69(^)%pomtZ`VO8&BJ`hi>7$H0|W<g)=nJkO%`
z)bTX!VW=-L8xBxmF3FLN?VEbnWo%qIWg;GzZjboi@r+A5WxOkYdpnDKwDjPRnpsug
zpq8%oR+n6EQu!!Bn&Bo-SI)M56RY=pDOJadRPC>WPYJ<s^Yg^x-=xPo!xwt<Adl8I
zwrR%hsI7+=o&V)(oO~Q5LX!f(Ki6wOT7Ki~i-0tf7jh{}QptP&Ypy%^A%{Ock_ZR8
zz2{3*FigkKeq)7dh%ooxgf$21<mmc#|Gmcwi6(Dhg<wi@5^n$cKlfsXMzUD*CVL9R
z*3Uy+`}?7%>s3x@Fe&7Aio|lp_;DZwTH>t}UmZNrY0f!Fe5z`DaNmF1#z6RVDnL+W
z&z8tv5a;)F_|YS))Fu0`U~dE+_~7MS(8obZ68-}U0=o|n>3f&V06&ieL2-&v#G(w&
zE^FY~)#c*+z6@G~VU-2A%S#p%0h$+i?F=&c+cbf8_6ZF_4Viym29%;_M#*xYG~)at
zafsk4)<!u!`CxXSLBRAXXI1?B@+qtXYYn0FXOX0T_rVxWm*Eu60)_=c<c~ZnB?;-n
zHQ+)8(UP6Q1YQMkVyzu$a1KPP<?F>EgG*<zB}$lu`3tNTg?8Suv#6CcJjO$XB5Te}
zGwd(0Kg#ZaEkU+J_R@i;A5fwIW{Ie3&0XaFUNFUeOef46SghdDSmYG=gB`aw7zy-e
zhJIfIa8z*LZxd0t1V(?p7L5g4{T}NXY7Wp_VefSWiVamqR|hMIwxxpue{G@%6s&XV
zN4(jpt}?x&(1$>&1y(Aa;^`=1-g3x=g>gqQ=>>(|1}|hnx&m9<Oh8!Bx__*-XTA$L
zoPGsGg?-yoSO|C?;D$X1QKu|$!`gi2_XY<JAbuJ6>6`ou&E<v-K9pedW5USu{)X)V
zcrcjG{aexqrKi^bQ8BYfB0G}j|J{|-%u8}^qVi)sALz>2^@yQAA%feSdnyu+3iSs}
z#k$#L_BZ<t-x<Dh%Zj}<<}vZEW(^P(53TM;SJyq>opi=^w2H4RvC<Mb;GEHItj^v|
z3z&WfN9C?ri5;g^C_xc~7Xzz}rcZa@Z=g6q+$m6;g-mtyN`q`f$l5p;bu!6ru^i9J
z#%leqzeCbL7{35`g#|hH1TCSRUc+tJr(aqPmvyYYo!6tP@kCSls1ywsswJ1U1h#6n
z&tEm{mQb3=zquA`Z@@L=R_<{}_GX7AU)PM4*o-}x!@y(Re;~%*M|3yHFYc$SzmJ7s
zB7-A15jSDN;X?9OVwvBXf*7<3x%MQZHtaU(lJ#qADkUH{7gm%*O0Jqcb9Qz4bGm9k
zTs(Y5u$cDC2Vq#$VKG{Q?#EC2w2kQ}FGdLLFBRK9zHC5CiZt<o+pLf8c?(jR_+*Ce
z+QXa6zLk)WFDp|YJs@Uheoq1H`O}>R925W_x}g{Ez=0fM5TqhSHhX+M*_*wng7<jC
zeq*x(9&ML(uT%`u0~yYdMw>;@s#Edg=_eeSAb9ixEQ#@ty>CV&`DJSLf0^4HkOH>j
z*sy@Yy&0o(enD;;aA`RIUwVU_L$A~Ki9p2?*1b5}$Icj25L-?O1<>)J(%U0+^$Ui{
zF-g@=J|x5r&S({8YgV3n<pLobGbA3<jd+d{)igXif6qWYu{Qm$e576Z1rxx3A)Xo$
zx<xM-NL=~^0+=30F~;Ni>Hrc%F<AROP6#ygy;%Rx>Dp0+LTegvm`NeJ04<_+5oDqS
zV$=L1Xxy2uV}A!P<PDdl#(5kA>k)(Y@ZiYY;atO(gszJ*u$*ii2KI+nUZp+p+<-7T
zna;7M{R$&w!@MCc+7};fsAXOF42DGsTY|MIa6qT9T(UuK7`BHeK8gni+rtxTQ+z|y
zu6Xe!jdNy>HZwBQ0?O8tyOE}D+x6Es0r;nn{8s+}$uDZyc3*T^rocp#Vxs9V!(=;<
zo{BbyD+CIC{xu=I&m)JPu`we}v_$k8lW`&9+(}<;oJTTqdO=$#`{YSh3{$rBl&Vyh
z;vJF#=@Kz0z5DoUtQ8$vK{?+yW8hsul&mmFrlSKWG4Wj=tMlzZ#TWL>pSpg4**f=`
zM`+Mxt;3u3YRsi|0Ugd8ai(x+*1{+za%U!@K=6uynli;p4PD-RCvhT-Ivf$EOMmdv
zo|*8aE~U2RD^kqo^`9A%**by=`PyY3^ncx|kD<imk;8HpF08y8-FHxqFqQcuna&(W
zpv$?KJuh#(=4MRQ$f{mF!7?D9VafY2H}6H9Vaek*W-*T%>RVQo(O5|LC_4PQfH`-n
z!)xkLh)Yq)i~4<2!!*iAE9P~E_sq*}uNKH^nFF$w3F#2`l}sgiN0)>HDqH_!1QWyf
z?>v9Q8K4?_<H7N`I7K)yLIfwa6I2Sua=4b)&!Q{iu^l`+Wk3f{SlBQ+p|6KCDKN+J
zJTg&7uCNS-dLsCF$CQZiKp`q3*?xJ}>i%_utC>SJExnxK5E!k@z)n>dS5+^zTrXQe
zfPTG`1<5DK9aw$$w?uMO!i?TJ1Cz50*5+Y3l1*$k69!3mbWKg7Z8x7dZfEs=QC-u>
zTsj_07?gG%@><WHD(Uv|^cGPtf>*hWJvwY{Jt~In&q2%VC!E(1^Aq@3)o|*8IZDHq
z{{lTet9py`3-*s}akn~Qu|J(s{AbK~-UPG}9xY)t8a7t7h9~@ny3DkK>VPR5#L=Ch
z&ATZ}3ZI#(O{=Y3L;rDx`9Q}{!xx^q`CMuF1psQE4@Z^wTS*^+L+y+KuEnW_GQ&fJ
zpD6x{@z@pDgMkx)l{CL~nr0`qVg?7m*6={*IILBKRmXp>oOzD(^fSP4I)i|NS^BN?
zfQH5Dz28bN4+I)0Agn0)Qy_u`_|4%ACJ4M0QeaxXzv3n~VdT9|CT)v-gFh~*aG)P8
zGIKM1VPlxh)JeWGBRzGGBW!My5nHhF$39n_AHW&(G(CMctjz)f20$C@<HT-$_S(qT
zJ5`EjVF~d3tsqFRw8;~v0u%)O^AzA^gNeahExz5DFn`aEGOMCe7kBZA&lDvx^O!9(
z^v*zDJ}ZX6EbrVu&pnOCe48LcEbYD1d**0G#%Rvv(y7~-c~j*Qn_Op$LK%Txgsq3a
zM(!|kIMmjWQ1F=1o`xeM^tFB#WH8q%(kU@2sq&^grRf6<n1`S|3(Wc%LfZniJlV`e
z@S)!LrE|#Yh7Z|5V-1_>0q=TwC7XFh**b)A(6**YuE?2N^%|0qUGu$L7P@(@*{8?R
z>79!hIrbGnksP)N2Rp}KVS^3rj337jLx)-@KE+RHA==DjsB86J6tWWta5IlPtv_FJ
z5QApvkv~pUn?~<`7g|}4bh`ajjsCvfX7PAGJ{Y%Fd*hzn>%zv_0Aj4c@TZsv*iZ_e
zNqi@nG!<+IC*9YDKT<0<)C<PNUS99ledjRuPL$4JG@h9h=^DRTn6)+OF4^&-?*1>0
zk6a({YImyf9IHfaq~$K6Ryd*OO@M^_&-NlbQinnx0mk8?8-&ibe<kM%r`&pqB2>{H
zI-<Xh*ly&25*FziLQHKET@rY>-Y;B#DhM0=9@^sLCL_m%B4~hwZ(s}RP7TE63Yfa#
zQj#1;4(*y@OZgm{DZ#8Ucx`8wR{j@}j*#;lN5GQF$;;-$TJlGS{bF)^3$HeU9bY*9
z%BsZ0^uLca63-5i+0=`&;IsK;*HR@iNAe(@PU8t>!eSU5M!hStt)uUwwT)ns1M6n(
zj1G(sXJ9^5MnUj)@|WzfSHPiwe!mFL&KQL5sFoQy>Z>NoMo4z<o2U(0Crw<VU@P1!
zD6YIGk1%TA+*%Oyb*<puJj_tk-6wpQE95F!e*ER>N6qiIYJ}q6xqFJ1fH%yEw~JHQ
ztfBu=I{bvHaQTCtllA58NLzDb=EsI3bNx?0t<wA`b!+6vCz7*N6Wka|!x<Ql$q0U-
zw6*y53-%;~jStoi<OfBO&8Tn1?g1Az51pZdPwnANZA)t~;WAb~;bb`Kkm%~d?g+%s
z9&;53b=6S;2czm2z4HF6;v2hj)Lc-6CAoP?6>8iALX5rsN+Ds?pO-ICD;}huD#ZJC
zoEm587crzb{rh1zFxAW$b%WVF@>M^==r*ycjIRjo+Y!EdT3*<|-`p<lpx8n<Vo?!l
zJ@R8l1~Duv8~DkD5r3v^8100iYy(;77s>Q8Bb&uF4WGXZ#6>Rbzw>581{pFZIC+-W
zD^}}G(YXMgWnWJ+#FyH(Yi<7qI}c7E{+!PmhO^Z;7*o_C9CHj|O!tX=M3H+8Ii@A{
zD6a(mE1Vnq7a_Xu4fuA32b;zBZ44$0OP&{|!%D|-5g89sTM`pU!%WBwa(-Re-ynlz
z+mEQRLhz3SoghZ|738wzIC?|WCV8<;bnD?gFK^iUpbqKp`|RIF|INGGx85U%l-rWr
z+Ix3pKWT@n4-PHAUrD_+4^!_O(S+r&eWCzKr@2N#gl45*XU+<j)0T3){U=gn&<i7f
zGUN+`+sB4{<oitP$G@h^9_yC+T1(l2wo9Fbp4`aX;&UGqq=xK+WVN;gmZimt3wt_Z
zK$Qt7&iVJWf_Ic}yl|vi!QZr9{_-8XXt*J$-FzvF<60Asj?$+uM1>AYRFVFJUOQba
zIkt92v=^^62G5CKHL-7Go#gd?xlL#6hA><%GKt}=^p`Rul1o2uUJJR69uxJiv-Ic=
zNxGjdZZ_l^RluMmW>BtrKED_l6vkx&M|jqMc_t{DwX^!5)iCOd(urOV@})tYZ1cOs
zNjxqUFNiq8KHvrNa-&g5bji>y)&y7PhevoV6#aRZR8}OnzE$*jj$KVwiISzX*0;S<
z&TO-vUUauf`o@=jT&Q)TEg6Pz&WoBHu;t?Sm)dyuhKIGiSnM6AYS?Q_LCg7M+*rA}
zh<NSVdpsuoiB!lJ>c#`&mI0*IK>R}-rvX+Fzh8j3CTj<J#q)WDDFY-VXs-)jp}G<i
zN&+jpop@6(JyMkpP(`JO)DB1K3adTT9=KFw;CO9j#@)!@+~`HjobiIu1BJqCx*9_d
zkDrTBH&?J?`me)YWcKP9DmiHPX_pke&KE#x3<+t6upd^rWNayLcWgS+2j4I|&uKVx
z81niFKnBKn&1i<j8?yCDbQF_5w$!X2CVf1w-`=-!Yo*Ge`g(dUhJ8O{UwK3_&Gl>j
zRpBx?>JHnwKVVQ2*~%oVYEyA&zg@<|n#01-q?!DAz50<f-@D43pl`6z@o^$V!INNG
zk)lMZaO;9ngO_z&-(-w9r?$uGfA0?<DM9mx^O$ZM_fUl`i0gWj%7JJs`>gtKe5IcI
zm3W%_3f3`(rZY=L1oSezba!v|A4#Y%)~S3b%oI)B`#@|pF8I)5Tg;uAR(JWYkwE(N
z*xR&ixrIcE4-lb`Rr{&^abt28HYkw`-!AXviacJJ&TL|_Fy6SiiYBGIPC|5B*4_Ce
zWhD#!CGNG1ZmGl%V{zuya;YX)2-RlBjKrtbqeqF2NDa)s&pjjx)NBpEOm=PcK)_+4
zEi7PQ7vi6`m%eArz+^uWDM*l@>Ih(ICxHSXVRjmAS(fJ#rXs)oHDH;IxI7Mu;i-x}
zCYN_btNXIWzt*O=CsYYxkMUWS<Oar12ANAl-OrW9F;bK!0OuEY+9M;KlePUe^}L|P
z-{*#|r;!}BpJ>idofEI&u9@Fxc|g=(dV^oaELhNv9O2Yg;}Eo-UgVYkx=9ee{H8|Y
z>yv2<h_5S$r<|RbYWSQi8n5<2D2KMusDdHWXyy^0wgIonNHweF(=w{_S_?|J2=+~V
zT!d|7_2GjezW#AkCSe@A!#-+4W-jlU+0yoTNP9?cTuw@CxSGe8L}L67F7m~*At07(
ztD84aOkQ+<umD!<*+c!gFD{xEH#v{ST+Vfg`*mvu8Cyz@*jAqjZ4O2@I0y5>26)Fs
zoUm}G7W@TSv*>uYQ}gUJeFREWRd5U%V;Pn_aS%N7Z+_hmjpbyZjJgJZv+0#PuRYDv
zzJDb|7){r04WLH?40?JOkLI7{e2J}8o`Ar}i<eXV2od-`A9t=5hjCEHHh1ehfzThl
z{L1YlUva_RqnXCkwhCsxZ$G^Mkb<hmX86}M0V1k~3Chk{QhjW#>9$85YqQ;2oE-pA
zAD2sZO%))N6hTJfus9P}_K)1m(madjhJ#?T+)p@=V_mvZndtebCyV2}nles%^P0uZ
zw~dX62X<EN=W};wfGLEvI)Q}>%97zAHG1xfW2Txr#2=t)OtmC{M-}nJIqNn#BE9v|
z#^!}~7*bc6@P-9bj{_d6c<!_K!-R!2?!R3<R~_*M*6oNtOlV}td~R{KNF<lF8yR)j
zH`mZkVk~sYSa3b3y!5?$rb=Y1MT65X2C~aN1a&`;DnCu#4TjKFL%Y3@!BqeJb`|J>
zIVzm#Ms576E%?e{7-dC3Y}l_jXvZ78Df>Ux)dV5J{DuAf>i$aI`chm(`Nfdg?<fXR
zDuHWu7qrT5?7hn?rt6=#bGX8$YtY=+lR`$eob`zUmSdFDsRFG2y$apO`s6VFf$-R(
z%lAw)uDn{Dzw=yve`RIy7dlLnbhW7?(yp=;j;M{l`cwcZ&SM80T~Z9w{ylO?-J!(0
zb|?|o>e*1&k~b9H`hg)k`shxB$Gp3Tj32JXP^cjXBBE=fNe%)g<{wM^2=wb2$$PE8
zO$kNV6XADJ)msgV^Y`mWu)yrB1GJ;8R&is2Z~bJ+dmF+S`dbonkwg5fc*di2Ci>+C
z)(0l8Up}f;4XWz|$c`0tuJRyxdgRA&4I}`3mO40sxkMeH-9RQ?Ie!gi!0S@8H!Myy
zwO|QAAC2rR#Am+6S?;suGTd$~H}eD!Q}0L0%E5-75i-NQ!!nf9gi^xDLx_tUZC+)d
z*mN9@0Kv^NYFIYujl2qm0K>vu-)1fx3CMsUsfN)+&-y-rd+qD`cH4CljE;<No8yuw
zE;5Lt$i??H2joo!qh<?5hMBIxa&`o_BWvzja9nw>(=c3|#1EahP-po&GbUJQF^|J7
zu3WT+Hu{G=a$8#0h8*#M=TqKndS&fhve-}K>TLL^=@|if(@J7QYK^^v4mn~|K9?`u
zG}qF5BKIkdcM<-T@sOv*e;4SgNi3R>4caS|T0k!1-^Hep8Y4~?V1IFXR&l`96#&X*
zNe)@OXVTKx5@C@_iP6%CGCE#vxrX;Y{#YZ6a1Xz$%Ma(C-qZo+7c7B~7rQ;=<U<Eu
zMbU-ZJIK##1y12Y=qO2=O_?!#RM&)zY6Y%vac}LKAMT{y+#P$%eV<KGkB}>e%=G9-
zX;^Z;{qiL-SM2+wXkrp5#b>|g4(Xj+X2Tuq)$wM5)ZL27Gh}rsi~xv*_1s#F7JnYg
zMiiItBQYEUBfqYGiwf9j#B=&A>_^Oj$jVL=j^h2Ped|X#kXnD|RUWhPy@|ouBHbJ<
zyr((Pg7@nRlnwX6PqpIsoBO!GF0-E%lb%a+D=X~o?rv^-=DnerS~9ns9MjiU(Zx4`
zRh7=z?xlc(wjUA`H?x6IoQ~H4X~6&su^WW2WSXSdIeHCAcvOj%dFL%hs*`1g#XnaD
z=`Xa!8(>2HHub>q+yb@6`>sz616vI|#}>54FG6u{vd=>JIh8J#P(=U4MaI1qq}}wZ
zEg!zgxzuG))&2`b;kNV>7m9u@70siqmVT_bQptVX$kAe4xeW2k&*sG0N<Ajc6^RK-
z4AHB1iX|a8OgC>XC~7v;T3)6^HcW;1o>)2DTO`Ej*{90!>G;T~^v5f6MQchEpqid#
zVi3XVd(<JcQzlGrjNDGgFg7{57*UyS7}A~LyBGdZI@Q}&3_#}uHHHGu{m;H+fF-!8
zoFB>MH5q4`*P?lNDJ0j!WI7Ip>8~zQ@s;4_-<Ig>)w_9k87WRnXG`ibvHGIs%2t$`
zLJ_1lo}?Y}$#nMaPK<q!f;3&UaGJIg9wJTW;Og^uFG!7+w^u?@TWl0J_A=-7*HDgF
zq8HSf{8wh7!cYAbcK|I}5`0C=ExMu*b)@Z^%8J=%u=CM5B!Mc7Pu}$X+{XDIIf#e2
zuhwZjNls+0m+KtKVJbn(-J&W#z$D2l^pOpURsFlD+<DQtIF4@EO~XWx4G%RPqW<bi
znqI;E3eVYmHlItMn?-d?K5ODn0GJEoe!ab|^s;nMQit-}DX&k@N_*`J;?2?S83yR^
zmya)HSbBO;Ej*fL#jwMpYhSPMK+>)4zn)$2`m__P@YL|TpEK^ydcR!<S5rx|LY}e=
z?X^8>9?dXCao<n&O@ux64Us3r08@3+Vz@l{^&ItufBiob%lWmx<7~^?yz^gcH+_s)
z^ric%qLNVSYT|dN%GL3}<Tl|#@49wY&2k=Gv#MEP$53j|=bPt;-elL0Zb2eD$(RCW
zcZIE~uThbU$2v8RpH5O6ld0Kg_k*82CHgmluycaLurDA|X4lk(mVa_GH$6Rd{p2Oy
zVbFg)?0NBS&!r@mo?Z$CZo(r@g{Qw002*`1l!@w`7uJqei8WHeAlyNCwDLRT1P-XL
zY4M%ZyXpksNB{a2Ao`?5B$vDN;1??}s$rnt@qa=<*AMZie!~ld1F@03e*h_Gcm2&v
z^BXt<T+-734#?Ek0}g^eag5XCF8IE}(|<pY_9q0o@=tQ+ELHUn6b2ij{3isaNVx9u
z49pMU^Z8vp3(j%9=7m3a5yg<RjLTVE^N10dcx+vO!7@ku=lNLEh~%OlPV*l;4fOoK
zaY=?#^#gKUXLiPEkPMqH`V(P7ok#LGRajtKQL<1?c8-`T^e|u*CwRnZ6bpp)!|{aW
z#ty=`xR2(l4agt&Y|RCf`J`X@Z|(>{H2mS18;|yHL84fZMDY)R=Qxh=cS;A$FSzZW
zS)X_8fbpF}P7Br=I<-UT#_FYSSE;mWKDvfJF6o(^sFLw~)4%GsF!s)W^X=QFcYS(F
zspbZbx03=BUum;q1dj_MTXl11(T+b#PFqjXie@seC2Z~{s;_a49PKD49?Iblj23TZ
zFy6E1@&1@wnSSp&A)pvgI)m)gT*m2#V&NZ~TPr!C)&$b_qQJ1=^^QxE6(!B}+;zV8
znyM9*vRC9UeaO75f8V-V$*XfLy*E^@SkLzff3=QNxW#`GICT$yCvg0;*6@RMK0mQP
zvR3XNRL^e%(gMU5Pa|mRFkrcklw9z--Ysc~(?|l%rZfsXeF(^XkQ=bvTS3Yl3LmKU
z4AQO=RW-~-{S?Y4MUK6L=NLU&(i&;Z%Fjy)a$G8Ft}!>Z;d`cJj+3)zYj4kA`(s3P
z=EnlnuGsKR8)p%bSgH)p5~o~+_9lsh@mS-xuILNw;9ou64FG>S4bD2kg{kjZmxn=C
z9BCm0m<N?pCqA2(Iqzd`#mps!3k>NLKDLH(W>48~dR=|=pC4-ue3PiVD`KHaTmRE%
z{<O>F{r921vH}}?GjcYE*2?H1oi1C-I(PoZ*hl;mF9cDg*=`5<D*$u(yWOO`5XaKs
zlU*Hy`6s#}&&$Z5<&|E7j{CCYYUVMwP#naeJmH3dmCS!@(0|-qrdcz~k4rWFep%Cr
zD=lbd<6=xlvekoxcH37|COoxIvB}uq&@@Wa2|i{rzu+%ETx7$09h_JaL<Z@gkGgdn
z`!IiIe+vAPwHDRj#WO-5kEY42v8=R8#`DgMm~xq47mH{u4D+VLESF^x4gJw?iY1iV
z2>=G|e@1cw#lD7RoI_~ip|0SdVFowTs6Y<p8SO^t|CNJ*1_e~I|C56W4dHg>U+Kaz
z*nY@-&vtW*E0<dV_w>A;1)H(Zxxo_%fwnsyftKICEf6_ofnvjYIb2i?O8cd|cs~Z)
zAJFVV{RZuOhP9wvL^X{<vqOLsnOSslB|Q#s`hb~l={Hln${*B{*Z8RsJ4G6_w!;~b
zqI6iMmj8sBc6dWdZeHR!$2FNo3Njo8ZpjO-5JDd9+RQ0@m>nC<Y4Ia;P$zAlUOxg@
z!r+mvL;>k;a~2qku}1Yjv_7G&Ba_#Jy>10OI$TiJvwImEmVRAY>36R7k9?gVM?{2O
zrSbeqpD8SpR89Ms`}|QcTsZlQ>kAU<$B#a{wJ1&55025lcInVle{h~-1SCVW9kMkA
zkpG*4nQv*B7Jl>0e&&|8sra!N$C6#6Bw%&L!Z-eNsQe++-^!K`GC41+PeyYtuWlMo
z;n0LZvxR5}5iX-d!Gbb@e6EMKp06THX&+@^nS)Fwue9&?!v=5loznNf`OoNkN<Ht!
z)FlWVWzTDher}wlN-om>&%j>s{B;9!93!%o<#PYl16L~c=cUd=wFl+>vyugjT3MCl
z`~$NK<BPhPt>cpkS_4NFk_GP5THclY5)H|I55hE3Zbzo5{1)9<hmUOV#GP#LDVio*
zf6+FFb$2@HC`)M`&<S#0x;{@$_3{t?Q4T``(kb<7CLo=n@>Cik0r@SO)`x-ed`f>{
zV;k1@g7vOXM*4~K_=fe>5ys+SzAZuOH@_H?q;wwcZz|mQqn(zWXcp8e!JYg!vguNG
zh5na$NA-6~q#sCgg9`-v49Kd2XUg-UUIzz2#r)2m{8#J~9wh=Lf&Jva$&)|(4jiIy
z01l;y<&BZHt<y{|j?q6UBDRfLJ;dizu<m4|y%<6Ja4b1NN}xZdk&`(f=1<@Yt3Oln
zaZ!6dJN~!lHd{3j!gDSaG*yY6OBu)OQt+V%oSsJyxkg2TYt%nq@p$nknS)icIGEd%
zNgb1-P_+6do)i{r{2q%7Im?Pjf>>@oNGf?HHGm09<lr%x9XjMeT2iMJ`0_~*2vPn=
z>t8oB37q1C?7jiOf+O3z#?mpic&X$$1vC&of6%00BkDcTts{3RtA3f+^qi{I8)ip2
zu)5!ER8Cr=x%fSqER7X+5aCi5^&`YcQ4<tejMvv~T!eG2;tuXC|M;fdYSO8nmbaTX
ziC3h(@3wpH)Oa}!dV#ItPlOyYFuAYg>6lU$be+1eENOaiBH87~UzU>=g`R5R?Z6+d
z_sP7M!8YL;T@ZSI;bXdoHMLTEp~jwWPq)LhS8MIc=Wzxf^+;-s5A~UuY)i1j7$+sJ
zJ+S${An@8!!kuBcsa_iWlbLZuAY`2M$K<7jr7z#e4wK%NIZr%q{6DOHWmr^Q|L)8H
zf*>uRq_lJ>AgxkLcMpt|($dnSs0fHb4T8W!OAj?j$tWcy(nCv2OE;W7gZTKq|8vfD
zKAbOdU9jD2?G?Yc@84SYoB=bmWrbJEJ|TSq=-BBR!d1uwlfXxH-NLjj*$5uZN<!)1
zjlX_r-KICUw`@X524#k_f7z`wQ=5nkkUsP%e$>qq*Jn7E<|)U5?Mnk;Jw@-xh3p&7
zu24!con*;xQ&QL8iX{!PF^-YyHMx(HFMDdkGKS8#?YJx)<T+DW?`rhMx%&WzTyV=1
zSAmjRcMkof#8R5!m?})?FkzhQlCkp(f@j79oECQ_Y~>!|!vy6PA-D1gRJph{R&F^}
zWaGnFpIr36PU9??YPrZ(%!p@vzsJVVtk9AE8~uc$G4*~)E*`Stfwc1X*%0S|P_8mE
z4q8oW22lHWuV2TN8yA*8B-gr$n$o^2R-b?HvBVAT2Kf?D<n~c&>OnBjwbKQGyWpvg
z01dhLfzhqyCDp_~zqCJqcWHfLQd_S_@sMbTDn)0fw2RS+-@=&H&tGrBhb?k8V|a(2
z-gh0Wl?L?>slRupS(CajM{i{{kbv$3$A4q8$Xfa-802G<)`{i+ZNihb6{J6yL~Sz{
z7Efh1tXh>GFBlen!5{hZ{+!XIg2P8#aEP-oShCR)4@N@_F?pfyRC@)eBq^In7f8Ek
z8w`PoPTf+>tt|E=WzB`#O0G<^mGjS8aim(@PRv;{y6ywqBX>DDfp{om;wi(*B{VOJ
ze=a@zxsUn?7+DEh3K$}FwyX|Lyu`$incAq=y3YqCjsNj#$Me+*O3E4W-^+y*-oc92
zHQX1p$a{Hl@l*GNfefHGMsHN5jCL!hNF|fS`1ywQmgszEOyy10C=k240ycKMcD>u|
zbtD5J2xSwcnn>ze&GZ7-e9pzT6s_vi(Jm#;wOi0D8)fgC`1FdpwdX#{7dyo-72$jX
zV3UB0!!|(bl8!IECs~YbwPq#AJ5A`04@W}|4MEl3oLrvf!*#a5-Vq~|zWRCCY4q_V
zgD|Fp6Bq0C3Y#!iKU92VQ8F<PucmdJ6L#GJ<(HfIDmnd#M$drIHgjl~LI2JMCQw@g
zjq57~X=CzX(J;IBwZ{(50tMx?UlZ6Yj%fY@ZyDixQC)YV_e*99gir9sDk&9vr55WF
zk<96_<Mpx1_TbzBQ2avtXQxzd9Sj>@{PLq8=ix2OnM5(&=RC3so6SH-F8~o5S!9NL
zfz!;T+#-f!H=@Zw`9+RD$-K3h6R;>880q$aJon0Mj>~cF2-G>jQSxx|A$D#4-Zsb-
z;Fb%U<lL=16rXAEmG2coIUO}C+8zeM*Ep6`fb)VUolYm3pz4O9Af<Idc%|n`3~eU>
zs*<87gPK@PX}Zf%%tg&0@8K`nz*TcCTnf%=^-_TE{a7xE<g;??Y>)=7s2O4nE@;Xv
zGje0Hwn)Phh6-@DM$KPA$yENwcu>Kg?IJ8CfGULz#9G*%{2LgPTVo2zflui3{vB|9
z@GFfMLakuwIf2lQ))ON1;c$;FpTrsmVY}g@brUE<=1(+<Sz2$7{uc}$CJqlZf`{z4
zBS6YMUVKE7_Q<^EC^^grgt<}XCc-H0Yavl@mW&YF?zhxnH-%ac)@w_RFBSf^NJ>HN
z8;G`H`~e}n7=W_rgxmp)O90W!ZoVQg(sZM91HH5Y#^_3F$P);gftzD_Uw9PoKC%zz
z2;Zm~!$X=9bOHZj+wU<K;fnQ;0U;d=p8RBBVQdU&J{^<K^Ic+h9uPmL(H@0r*h<~^
zSpSe&@p#AR%-sPz&pi;=th3JQz_OTonj*u6#Uk&4`b>(~Ag3||vr(~Qj#~8*H`@jp
zdHvcN*8sK3PjhPHIXCE|=(Fy<k4>_7lUbNmmQG{uB!=g_qrgOf_-zygIv&Gz!0IvC
z-k{mwL!sf<ivlT30j9HGxeLv+b2nW*Qsc^FQUUZD?Tc_?ANjNo)mON@-!yv;Hgkx)
zQP}2o*>82r6rux;7Yy>10wl9xlT09SGH0!<uui8|u%4~%6szM=?A2-##GS{5(=m-P
z6~}+MFZm1TL(|%lw?&lkL`px!Y@W`SH5e_&ni}yb3}H;4*p4o1hY0m=JcxjP+(pxm
zm#leNMzLcyS5>G($~`6bj^65F1S<=3Qq4Vf+{1Tl=TvLdg^UJtU_mQ`y8%2X-*qNT
z4*kH`<A;~c=_Z06OWvD==QR`94cs6_X*y43?^tm4G)hZnHrpl?_T5Kjpq3-;6hljG
z6v4<7?#W%CoH@=PdHeZc#{4mD!<(9EL0!at5EGn~kY44}8(yb3B!tY(n<4^FTg2GE
zY)!ish23}s=GT9bk`&&^)gSO-0|YDRAcnEB%?`J?PZ6OZ8s~=fvTlqL4z9#MB7{dO
zNG~t&?fX_L*1Hu>t#z^KZ+8w~4ds)+DcfAyc)M57DFfA&jUBEtrz-DEGI?>=?m<ah
z8sojkt5sA?%ox=^GFh4TKU3rMFFK!pbtT$cl50@zdh8Xu`vv+$Ce)_-Pu(kbOwl?!
zTZ&Ers8y9d<MHUVnYhxnAeFeTt)rX^w|%CTH|BD!?FJ9#QIehtOc#eo#OouS6?g3H
z1wpg3bu}YXonT=dl9k3cJxrjyOuRX9ZSM;(Gcoj~yYA3;2Zgl%R0GshRR^@M5h#9g
zG6Xq>w+{o4I+`Z-0OuRxACbdJ6{^kf-85cX_IpzRam+<mxp#|?{<1nO=V0PW4mL*l
zqs<lOFLG_{){Qb1L&Nz3xt+6~9X`B3HZwfbh++UYJbX<CRbTUddHj_O%_jG=%hZO9
zPw)CX2>pb*X(ukQ%k4^6m1$I{VHxL*P5<U>XDfPZuPm-w=<~U$z_(79xs&GK={~=o
zA?Eu&B!zM)fG=s{+jC~9d+LaV5&8Y2NU5}RlkUQAx=l9m3!EVDDjUJ?2tuVB#E<9m
z1e>1$N49l2M`HrrrMyMxuD;!q5%C?uTm>6Pf6HWR>X-!Vu6PHnTNQBUu7s#8R0<@W
zqbN}-t9ecO`kEkUF;twlv#i2Qm3aY`KEd0$8-ucF{WkL-^Si`|WSl!clj69^l}yCN
z&JrI$^M#)atm+|Ardgr!lmuZd=dwbDY*(gd^C{j2%|`BKWPLVWVW(;a!=F_^Czxo~
zG^hVb9-V{FKe?j?WL9<^Ydi?!EOfNMRLbOXg82RFvb=7DrZ}NI^!&5I>!gm%ajHV=
z&c)R_%AUe%qI5d%98s8jcrF5D45FHADAjH?xZ$(fY?h)z_3<vZkVfN|JkRCinuxli
z&GB$0aVCpucWM>!#M&Uu+`06@<hKXvxjyk9(?b=iUq}fI_vZN<1wk5S9;o_Y%^0rS
z4>;gtLMT#QB_up^QG>uEpzmhI%!{x~#=0Bc652}s{-YqLwd{>0uv0D#-M~JtSzIQE
zwPQ!zKe5vINK!wlUl%RjN}c<34wRQ9&y<3}@a&g~BfJj9y>qeyyc2#}X%e9IUmipT
zRaIGvxJShs_Soh04Npairg4|{MpD*-&~iK}$St_x$R(D8(qR0mT-u^y-xL-~HXPXj
zq!cM&;kq{!deP1LI&6ogQD!#Wf(sQL&TeX!^-Ovb2!l3&2B`RmaQ0aWgOH_{7dSNm
zmmFp3npgF^-5;;zeZeWW?HS;>rY!*-*d45i^>f`}93n%TkM#4Px_p9ME}K@(XwOiw
zSGk?QD&MLAgPxX@`AKcF4iB@5ytJ<dyZc`Hjvo(j8>h)<Dj*#J;xqtN1hTm=Y?fK7
zer|!TRixp5_7CpmJ!F==`K`c)N1~YC2Ly9xCmitBRhxL-pH=mC1xW;`!#g`Thu@80
z2k}*}C%<xC0OvvC9U)d-&n`~84^0Op4yqU0USvA*j2%_w{*s`-B8(S5_WdK!r%k80
zs-w7{CxpVaf|jJP3c1nwOc2-oHJTHr^VjZx`2X-_(v(PbQmz$e5B7gB+nKqZ6xK?p
z5O76i%#2NuKZuJElsM#B=1>sv6PQislvl;6g*T@_Fiy`c&wxI<0lat_h;X%}NTkPQ
zU$x~UPiMvU>*PkD(vVo-B#}u%sL4?C-1ie=*z2vK<tLW+H~LEEZt1@y#MZ3f14M@F
zG<@%8<bx2!!u#p0w`~rH;=_h#@)0D#8L~dS{dDiEc`44L8;*$Lc~-sqQJ7Z%O~$8H
z{odVBTyLSC2$OvDs%eK36hTA6ZJmi(W+>wk7WWD=o%5zdUJ^8m^lse*iI06{uaZ}z
z25ke;#%uhRy3bscKt_(665z-Q1g2N5D>2F?6WoN1BQ3n(gFPfJn4{harRoMqu`xW%
z1Lrm{1M13<0HM=>PkX#6xd&R`GVN$$7a;ER!ri>OYVB4!-ba^7$yYN9UuOL#=5?DF
z9w|`;yyr$Glq{Z$aLE-o8F-er9_dNKGP(Rs&}~^?Ezpbx3MOoy>I_I3bFT<4E_7OK
ze-<)XTCnBFDcGL4u7B&gnk9jV8K1Hu5N3qSj$Y*5OfHmiy7@lA?>RgCT>(+^)LI}2
zjp`4iBulBtM7fa#i5rMpSqzCAIFiGrBB3-5*VVk^Gnt`XDG<yvg@8K!fr;Rs1A$)v
zb+yxKL~mn|$dY?oY_G@k*O>4{N5M5%YeJB!Ek=VUKDD)aOPvoYxOE8}-2pZfiM-1M
z!oV~x_6mEX{*!ZkKx1$JN6sj3L!MtvKRh9JjQQ1S2#BlIDIZ#<;hI@cd4~)Hx&peZ
zcuSv-P`=`;VVZc)qwiqMqx6>#;yESTspjCd5P+u0ZvyTR7P@(&@aJ$`ob;Tqma?Os
zs;pvD6x-5t;yO>uJa2EGwntUs<*TFKU*1(R6FcR<FrzSFx!)t`{(0dkqxjWu@uK|l
zxL5MDqO)GM?IPdiqh@F<cA-yM=bSWze=d?K8+kop>CtZ}VmL{TTxB<-82C{X<-G!K
zS5|p;eVFH4WQvHJ`hY#s?F}!P)W*94!yyJ+MJ>CWVY{&7hkMxoRuirJ2VJ=-F`)l5
zk5e$g`m>Xdk+W7dtiRuU=h=l}HVQ#R`Wr{HURQEhdO7L>ENo2?qP}Aw@Qc||Ft^;J
zz<r2_Q>$rb0yw19?B$aCPG6<8Ypm0*=|D$4Fm``UnW;-ytxZ@hkkfzjJ^&FJ%du}>
zK3`7po4`O$L0{}K=Jj2C@^xmU+@VN)a7-fe(d)tvy+vJ&5KA~`vwkTN;kyr6g}0wN
zEKrg4M^*O4?gvSE6*#=Px)moY6uD*CFv`gBSe60c_7{6ZH^)Ygrv)<S`isXp;VNA{
zedR7%w;S&cg>#TepeRX8WBkmZ0t#Bhm^ttT)=ld(_TlGF5?)ruqC~`|>vf~^+KM|L
z*AW_<DmN-td$i!Z6)fE6F7zL6qzNFIg;;zS^oQ-GsWps$uI$S3uNF!(cK!<LQ3=;-
znf3nYyAyIb%S|#txzE&^knK0#_dBN}w+do$J(PDm$PxOmmaW{+Qrx|}PWmK{Z4-yC
z{bnsLfwtxG;tyEO*JnWDlpx%(;#2zq9OgluTt)|}5-sI{+uwo#0tHt=48T>`3gVRS
z`&1z6K<B1$Vi+GM_WbU@8I&aiW_rSM!Fo$A{!5|!J=f&keLkZDm!um{fwJGfqInu@
zkN-OL$Ip+wANAja5Qkp>HxDHFyT0P=ymSyG?38mlwM&1FX%{0E|3cWlf=^FO{}(}}
z_`3k`?Bvq!d5$wTh-Ie!5L8WHsLtR!EM$Pc6bb^)87&&&&Kdow;y=4y`w#AQN;>`7
zntv|YJ_~1m|A*g9*YP_>VNMsHB|wqly~6E7-{Hmk^x5Bva759+gAzphzd2BJEi$Bi
z^I_Dp`J(as|AyryAn`;R^5<c*YG9|$4o%$a*a-hrwVnWHiMCGyfwM#czhT@{Dp3*!
zROZkS+;peA=iDAe{QsGI(r`Ck?CPs?Z=3Bh^PP90MBhHq^fF`jy0kc%#dEkk?6`P%
z{f_Ls@cu&MUACtb``)M2;CG>LxEN>_Y`-q*dLF%QSO1mYJ=}+ja=cc9OYZWDqrdLZ
z%xKseE2V}~C6(HSK)3&jc&5ctPWeK*^;%}QKcm`kbVSi6XZ-nsxJzlOJGCa+uBj(B
zb$(^>?sdfp2kTs#5_-#shn5b!-Ilzg5*2y@sr10@?m!Pzz!!dB8ebbklE%#uxUrk+
z187ea@q_Q3(o+KD+-`{E^Fm*+(i7Ltq$gk!b2>l&Q+nbG=Wpo=SjQjf334SsdO~EG
z%1Kr<`YmgGd6}W3WrXX*cv)&-i^E3ef!X9Fi>?|>mU2m2EAG>Y;}n4z#USVzphfT-
zau&i9jy9eZhr~y2vYyFMC`1swn8M0XyuSQ@psW<M{)4i*ZDeiGunjIX%_}eBESE7c
z%NkayOQPi=T#8z6xP74L6G`{?xflRD5(RnKt0ez@sAvbAkw^BDs)C9(SrX8r0O$PC
zqo_B-=~3L)Xx(@N=uv#^CYYBw-*_<Kn8il-vuN$BWvDXv6Mf!b<xL&AkD1ot7$t&d
zM2Hq1+f1TnjT?I4{51&38aOsHc?SB|0+$o=97zBQ6}(u5ivC`rP0BRf0i%1`hs|S^
zNQqax5&hv6+QPG`tA{5ie*b{ZZ{8VUk{(SmSsWXsHkoAIdX(lB&Kq@Q{=JG9Kdjuj
z$FWi-6DClfkP~#3npg=-e%&qAeVRMpCsZ(G(Kg-PF~Tv|HXp^BrS{6`1H^l${O#tz
zHwbuYiyQ>lML_jt8ZK*u&c}aG3uaJ6qbQLE=(LOWedaN2#yqe2Xz9%f+8IeO-HtII
z-rE<@gR2pk=>GCVepsOZB4z!Hrx2{LpT^z~n&up>ucPje^-}GF{>!e}k}ElgM74Q4
zDSfcx{m1aNeL|oeY-@_>WG>hz!DBOmrG)6>@MA`zcmzRERmRhq>74iCvEB9kUg7>=
zM?Zl*Yu+-5H%}(9LOebAns0e(#=Fd!*P@GA18)dA@JF{3hSlueZLdbn&n#}+<Zv8m
ztT*ZkX^;(;;1~b*=M@o8LKn*Ct{RI|3Vjp(SmWs`1QS7d3E1*aYDL9mW>SP+7ptUD
ze#u)|a--OOc$40S-+q`VzE?<{+JPY7Gx_-CC_TIFMxupALG#40#m4k)RLdLd`)#64
zq6gEa6#*wXbY?MS?+74Gi!7iw!1*;eAcp0i3@5b+xD&wrJmP)qXhqbw=}6Qzg!bCU
z!paPP)9Se+?eHf5RgTZCF&6LdMD{ojmk+4fI|>!RHS9Ulol(@(;2!(1f7EW%a7d~{
zrNGe+`}2qX!;ak_dJPJ5R=cMc4BJ;1uj;;HkNvD=Bt<EHKf&Y*tOhH}cPem%%swCA
z(Z>_MdKD4rq{_FM*7cM_$qXE^XW)|ro#pKaJhCUEx*0`9C+WuLJlltY`q!Fgu0N~w
zff#NpZX-0&>&dO+-&E}{2eZR`6$i=vmc_JMRLSCP;4OP4=eke~@`x3U@Z`p4;XGNW
z_R|Fgcr8GR=mlK1_(JVGmq_f@x4HxGZ+V?OLJoHy7WThVj}(Iz_7qfBt!~-1dyP-|
z=Tq06Y!=ETe=U3O>Q`HEq?OCEV0!;Ru2wB^XQtI(g2dwKqa(g?TF}QD<$%-WdQusP
zCVSAGk^I%s?`Ycy+u)Bm5<pb*+)Y3OhCn@5QE;m_r#8z7C#`rUIJ~-q=Z#TQ4Jqjq
z&m7nc|66A1@Q4ygURi77T`@l%ECz@}{ktzr&>*k^dKdL)QWZ`Gn<xPA6%d0$%Omgr
z0ZCw0W0k9MvwlDZ#)F3vECrwVd_8&Oe-4nX1b+Vp4-j^eF+yt|lHg%=t#Be-*k75U
zk5?~Rq=3(MBI~L8CiZp#$T_UD2Ok2$q2nhw=`o-cKz<5nwt~p`F!zWYP<#6KRW%mq
zjNNnCLBPEo&|koNR0$6Y22`^Ce##tecyb#%MW;I-Xs_rZvSyD?=?0*0cshB&?}X@(
zZS)|8|9DR5BGL{F9Qp-hs&HeCZQvRFNXX1+&JyU@?^OpVT>aRCY}YM8YlDFoo$dJ`
zOLW<e-1QSntycf7s)3Oo3jVu8pObrz>{>0+8FL5iWWo4*sR6^5Uy6u~_r0Mf1GGPI
zE9tbGfp^hMm}~0y7?&3<JVM=;#`2oG>V9SJ^NhM?9n!Ecs_gWV(Uq1q`%Nyhh~<SU
zOUzqVY5BiPIc{e*eG>o4qQYzy+ehH2C$^`^x%2S~=wn%M&&Gsv!mZ~A3Nljr%@9NX
zJp~BrYyaPa-AN%#^Ynv-MbLL4T49L`C%)ienGo)$39npBFYJUq^7OoRVSB^kI0k++
zK2`@z5)hZ+rpi+A3+1?L2d}_*#lvNJ9$2U4;*Jmr#=7=U1bk4JgdG}1+@ruL*DJ7A
z&wJs=zm_((eopT%Hx{t+h%xPWt-sY_NgDModX?w)K_l;zp5zco{Qk$1P{~D)RgU4g
z9SlbWoe#vWcjBRPl7_d(hgY2m%Okz_2p0`lUKM7A+Lh8EJM1$*S+gMJz`$IcErRU;
zaF0T6^F0I=`P$|Uvz|Goj-fW&%Hxnk=NE{|P0ghlzdaEPL(6(+CrY72kBwf>?FiO+
z*7D1qmG0X0-5!_u??gy(&rI((O55=Iehpc%z1`7Q{@T-^Rz#vYAl;T~29-3FRd6?b
z{o(V<e6G#;S#NUAvGo}Lu4Sr*^$X&iTW{|&ciiqMo_NpA7J{fF@J-vuCrj?{n$GY_
ze!>{~NT~3-L$!uPj?Hebpbso-)N*q0r(JSjP0v=4`muz~&Te)gVpHgWl&nzn@^Pf^
zymC9k-z!?y1U;L{royxK=ABnvmFv}%&=G}C>PoC1Xk-IcO!}-y++JE;`{ZqM!9It8
z&0<P*{L|%jL0kGZLfddr=cy)d!Qqu<%;@(a``Y%eilHmd+mV|h%;og@pB6LY!^Y$<
zRx{^8DPMJX1U`sTDg8bZuoP@u*uOsAhEB{b@3*w)t{8df`)kW$Bx~3+O=iWUa$6|#
zKuv}L8tXErLHTNV%JR6jy|#VPW-ACeK#V#0YmZp)!g$Iip}v$7r43QK6d7Ki%60<h
zwu6KBwzd>?mkP{N#$uhft_rQTn#h$YDn7{*Isn9cP>fY<a#;*czq;>#bzRE|48L4y
z<>Yo}UTe8}VE$a$i1r45cVOclVMT(~QbV?I8*=+yy)Lxl({<gdRzOH{N4tS4AAj{+
zDJ2s4CMV#Vgmd1i9oR_DD==F#avxojyH@IN>I`o8a-SDsRTh~ksg&EeWKNRkf~b4R
zud-(ugT#FvO<uV)c#$P|FQTaStNq;KH0q=YXBTmH;Rnk%aNFv<_(>09XXB#ndM$i#
zomU1y_aHXPv%8pgd5&@ILpi@^EV<G1UwcQA_RpWndd9t7S1sBOsZ_c*Ele=%Nh@fu
z&#*l@EY?0-)k;%%bWd=jf2uoMP~qjMb2UA;3@vgy6+_?Yw(iRfOPt%saJ;^+<Brxh
zut~}`-^do%%A-Nrx$DU~&Td=u77p(Vy`VShC_AWYi0*1^R*yzj5E~!tlDnhVEmfF3
zq%UEuHuh{JV1Mf=k%y{gy*aIsH7|U~w8sKGhO6R*YafPY_GmZeZO6@6Uv_z8m<P2X
zbsM&#Np*v#1}=W%D#@L=5<Ti^Iof1gCl^u8)EcE)e(B~)LrYm8bcB|Sz-gUl+Vcu*
zRH3*}&LFnS01a%6;=9b9X+*}C?CNCp3@lJudC(^qO_vXYeuZ@i=ZdzlRCN=zieYS*
z4TOvf;N`DRZlcA5rAJ|%bjX8~Z-<M)HF9_qI4k}Y>|Y3vH9C@e!YMS8<prv)frN?$
zi54Wx=0OLyluV|r1>Vf%J$!~TstC-nXlJb}D6*cL^4b<fIPct|{hVab-V-DO>Kl2T
z7aB<5$xa}$xj%w}^vhnX9*LK!HbkRNduyfl++t4?4Rn<f`S2H=<88yA$k8j6-qnY;
z7s~~woKC2;l#QmcK4eG+91=pZ0L%Al8cK~Ck8TTltWhJ2_a|2Bkb|Y^`Z;wGnmNr3
zoD79nj1O-lR++?IP2go&q^LxsGJSClxsoVJssVm3!u`N2G-x0&N3iRXngQwJZ03uG
zbs{Iyk$35V=ygmf2{*2z#_ttlO~J!*1I=8%G7$#oGB1TdUaybKJr4U1xVgh;+?g8K
zU=f3!qk`PI>9cOA;4tp=9k*UhbbB+zZlU)15v&L><!AnTn-IU<N9cR1SK4<!!$@i|
zNS0dP)}~+4z{`K^d@c7eLgg!Q4nZ!Zs?L0{!o+Bu(bQ3|I@-HSxuAV7Oe(3TEuJy7
zaf>xE^UI_gO~XnmrvAHm;JG8L8EG#40Lco~EbCoA9M0||HkPi;im{;)9`D^`k*7v3
zTTZt8bYL*P7W(?clikj8s$did0YH$`5aE{s8;o@Txv?%^Bo_{Mj*k5jMKB#Vu%Lmj
zK0su=AVW?mM<>iju;zeg@}`1$0lG6UFg_>TjpUiSaigd&75rWa&A}yRgfPKxKXSld
z`cWw-+%jd-%f{$?AePrr69zBWTI7e=t!p}nUm766poTYyjCT-^ME6~;EsRqMU(T1S
z1@_2q{Y!YT6k+>{2YO|g7FreUGWG@lNzE*i^KzWr(O(kq`d|Kf2cLQ65#pb86u8qp
zMy%sUQAh$J73<F+C;h=em`|poN+dWpB1fn`AYZXFItzDBS>%qENq%ODl4j8NRh=>o
zMamQ$lwEeYR*A&F5o&=(jV2Re_7RU<PiRrWMxB(%k~>>+vgEiB2p2va0Rp^+i;1(o
zKiOdQy+*g399d9X6a`M{PKgh@MMrd>1m+}&40jT!3q@r&`5L#aWyUFByjV68+Ouw2
zkJ44;K<h-{woKNRVr<Wo;;bl8m+g5*$7C-Kdy2j{xYd5T3%&>uXnK+!ia}6;rjhV+
zK=ME>Z0CDS`BIfE<>~wZJzGAVHC)$rStVifV*c?7wFL={ZWCWE7mf|1vh)`Rg|?*Q
z0?|%^nL8Tx?$-uhU_ybL*qXrZ1e-Nm#)A}2JxAX$DGsA{_SaTPVS{Gv&U{7}j&3(r
z$(xKy=LKFx&D&IyV`eMm#DPhCYRfKUnPTO)uH+2tPl4$!br;EbaY@*)ix$4q0d@|B
zh>ZnCK4QBj1g!L3&9eXyP^*xhJ4Z9}arlLAnd-oDz`!#<d$mzy@>flrDG3ufUDLNc
zt*@s_9=Vj6X6I*>P;P`m;&vdfmP6N>nNK7SWHN?*QjX^*Uz*b?CG<F7UT(GqM@u%!
zg?{pciL%bc@*lSi8l{ttMdrcF$(2+=ahkor0gltLWLs{x4fJy=mEav%);1Z>7pu<h
zGt@Qb=B_s6W8dIuJU}E>RQ>saB9i#clK(ljjl8OlKS#pFSc)K7bIu)#@+fIeqY#Rm
ztG2`lDSxV#eSLJo<m|m1>bGhH2_Y*8)qqmDkB{#aR!i)h`|--5LZXi(Fp~K0{1*ds
zLa5cj{@Wz%QdGb$#UcHW_o22LR#0R`o>gVy$i9#8*XsjpjEOFt_)Z(YM|Ihj4>tT6
z7*l+pIvYqRevC)L_ddOU-s&QJP(a->=YfgKy}H#N8ls<-nE`vnUzw?XkEdcq-;#L}
zrm0{?A9!`(-FlpBhv)Y|*~KcKEg72{J~KLA@1otzK1P)7&pB@!z2sZQ;SbBmIa?Z#
z7NaECNx$9_ZSvIQi`q=;jr4&#|C9~M6wE(x_mT<`wdQH<LZlXrqEbclj{QcDh1P65
zJ=kE?&6d$<ccFuxqrcZC0#MjdASig1du8Dt=9=T5Q7+5zU5Vs!_xx*#N6mXf@5}EZ
zS#C3Zlli&A=CQ5az|ldNzS%jC;2P{?`=szyz8kZ%ZSA%1xf88M$E4-avm6r4!xDK+
za<am+g{cGoYrBB5%UIy{OX_`^u!o!4-l;WpVRe4)!NWifedffl=@wQp_g|S_R-mhZ
zaPnF34E#BN68j7Y44kdSh2AIOaC=8z>!YPqe8;|VseyxW8A(8L*A*zg2c`nfh&(<@
zqC3Y-47}wmJ9$)$4_J%eNgXa%145TSc@BI){*M~~a<<>u9tfLBVBZKj%ca(=&f{z$
z?yW!?hI7Pl?DyhwrlR0~Uy1wE@AiIYC1<X1s*wuF4sW7yZ@o!|k>`ee4()xmvql%Q
zZXr9??H`CqStV0nsip8_x_Q!VjP1vnGr(hmZQN*<AHC6}`Q^rbC_{o9Bbgj?bMbP3
zdYsrxQiV5qD@IL_e?Jwi1#r9GV1{O(-;i@?3E*;0><|Gr{@}MevSMst=fGIC;@?B}
zqb?qATLVHH*Ye7j0+(EWdVD&9@?sFX7<=+QcR(pVU0k4VV#1Z!n7)+_n-c#b<-n!D
zhrNu#Q*&kOowi=On(ifbj<4|fGolriyU4rUCF4r>ki_xHbAu;O;EhTzfE*gvEG}O|
zlSjgHGKrL{g!vnV?Mms8mG7w~MIE<Z1}r7iv%&nn-QGgNJNR$m|JBpESvY58$>(or
z=3M9XzJI348zM61r52jgO_6JCxqWA?v=YC_%1r+2JU`6rWM3VvzRd8SO}>O@el+a<
zC&PmEt^q9|7-5KZ5-DIki1u_|C(q(xT`hs<6a*)ok1q|Y+3nJK&J3))Pr#8DU=6`p
z67cNu7Irg?yyG`!a#aoM@VoMxGM^6$JiAtQQP|V5hXdw+;s;|9zK_#>-aQv}8fShd
zif?0Z<t%bw*i!(PMwAtpm~l;uJq_CXKF!9sF;*u>Bb<jYVf~LWEn`Gh8nCVLEV>s&
zPI$5iTk5O(A{MW3ZMoYjP3k`Xv|UUo>=A<(m#o<#4P^6RydMmAaOwN6YwWNr{qG-k
zeZ!QQh>Xv>%@|`$x3o1cm}L8b^F&IUD%<;;;@B9y#elu__s7NK^^+JEdj702WH}$N
z<;P+0^ZtDWs$!tW_m<MEG$vm8we%X?@@(6}!6E^8Ex4r~1S7-HN0*4-QMxVJ%OY?K
zP#4zDW2Ox;rLM2p;zFeQB<`A4c~bI0H46cUXF7-XAM1{A7G9Yv&ogTq$5=4M#;8Eu
zT++7xrIL2yVP20dSWVehLX7TyX>0r<fqKR((aqCEheJkoTMpm?x3W24xr*6}wWtI5
zp20VB8bO4@y<F5*n;fiCLpo@|M_8@N2t$PNL{WMK1U#3x_}2!JPsWQoyicYZA{=h~
z(wOvf2HR#cgm$sPF_Du8Iu(0fH@tp;o?dmPM+wa}@U$lPUSvo|EN!SgAIyu=%3*fo
z%1I}WB&sGAumOJ(iYZFuT>&rhJex4~8TvJ8a2v<CXxlN=R$yZPaSAP1FH!Y{^Lzsp
zu_J-{x#Gs21Yg{opT$@#Z}3nzy8h`G-7M8w;~xja8Vo23-gn664i&~-%a5!tBaX*!
z)t7!Rlq~LFir?tT!lw71Q(=RzZqECl)W+=DKXMC#`FzBYWPZb4p^<G$QuqarCjPZ(
zCzXIX_~8!$4B<Wj&e~zkEOrUue(v4_wkLWA9|WFCBEVT*oT&q>$RCsU|7>DGyUCy{
zu&Y=k4WOF-#=rnO3bYBr!EJ!0tTBfCYkvWn6o;Xl#pvhIi!9^Re=rzaH{if+AXr%I
zG`9I8+b$G$YBzCj2k3E}AwPZQn2!=k;uN%pZ3u_J;mkJ#u>60UNWcjJ@BiCR;Z_X}
z|G5Ie9t{Fa80geBoUAblr>}4yjmGW`J&oBvLRIuMS<choo;Y<|%m7||5Dl>lEggU0
zhpdyQV<B+46m()&ct5hPmk-wz_MH^M%m9?QJ%z8HnPquV*oO;-vy?dB2aM9LJteY;
zU+%C3o4NwM8^3vqQr5l4GrarcVqvSl7azp#$+W@zLk(80<@$^-N1}~duD2}9cd9M@
zb|~a)W;sfJ6i9U2R~791Bh*SR7=INu@W@1S(9}=BdA!H97M2AI$r+u#H#u@!hQ;&v
z`c7?>mipSlo9Ka<3elq@{ekmaqzhY=+RbOR0P&{dflE+45ZV&*+n57<7=)I<{>8@~
zewb}>DnnM;FYRv^ROKQ`j;C8a$Mz$NQ}Z=rB4Ru_pVF(Tso~F*K4e+HdfdHDpKiUL
z{#NW&`7-BMt?h)Wy9He5Q)V`bhheMshY5Ib2X|_rwl8k!e(TRceU>#T{V4u%aOldI
ztJ4o)cK_A8uk}1{b)CasLa?P(8LhsVdN(4^1{_gHg=ZRaH}ZB3N8_tWrLp)2qO0z;
zI%~~lQ_?#W1dGW-&qq-6Vuk}qUX)jbjjiA`ig)XS`Fh$Tr&<KS?H7pabQG3kbw%Wa
z0R^_@8g?`%-*e`^Yj|<P9Pv`P@*5Y@f_(E#o)7_U>I#<1#H}q0ewbi&dmtao!b%~R
zQdr>rWXfunvp!WeCd-_~YPxkU;h7%G!&XTg%foCc*Jpp&CQweZRi$3ZV3c=7^($}C
zm5K6)G!<2I)N9#}7s5tMT^p0Da#rx2>>qX*&0E<5?ip)%fGq$xM@HlTiSgIxX(&jX
zf;qzL{NzKk!q@#&bieij4C6>uOB1`Oe55FlJAme7w71S!H*a+B>q0@hv@6dx?Mv9r
zVg>i(-`9<XCqA<YW`psla`8OKjKBmrWYMR192yL1KCq|Y)Si1gmY28Iiih2MxCIOB
z+#(v`J+U|&TXq;#Osj(-{!$6C*@ep*JiM_G1GZ~A&YqfIq-c>tsQGg9WcTv8dmZ}n
zG3TGL!Jtfs7bVqL`R2XcIbY}BfazA-eGEV)eeb?0#QrY#S<O1msGfbBD}^v0I9myQ
zjuPpN??i(v3(yjy%lxI+I<@{eA7b~4z-eAgRsUO=VI+K14PSk6NP|{*Ag*nvBmlXY
z8=#xJSPb{2D_(vYcdkkiZAH*v?uq}`2E~2`t*|BCNdd&Wqs3S$m<*r4+`ZCI>HI%~
zQ7Zp~wQ9+v5Mou2guko#pxxcxy{?iH!9<2|B=R*#GaM`|^gVAyonKu>!ku`IOJ!BJ
z!|xAOfir-CdNd9Gf>72^>C@l2CBmvi@8)dR!W*@9!)`R%<U4L(=4oKn&=4$g^Dsf1
zbHg->ZZ$=rBH?!p8m^}rqE+YSJ23?!y5g4j{B$v|?-ea-H~Apg!FklC3?n5X`{qw^
z-u2&rd7Kqi45>E0yPjnH;=9RUpqc|vYHI2aE}fLliE0#}dAOs%L%(Y4mZAyfn{T|E
z<d;2+ax6l0_gk2P6T4NFhn={&AX$1!eh4R_JMQthwm%i*L`D`kiz8~`V$@O&xZv{N
zMYu|dEMqF}DL1TkAN)F5X(pQdCgTAgOvG`qaDxlD)_i4AOW{r5<C1sonj@+Pgt)fy
zoO+yAli<+ylKUR)uu7Zfk)^t(O+^rI>NyX++J<*+kAapP=)cy+g`Wl<|MD@w1<F~8
z4f-e{L)F{nnNAau6`6a`0;YGi)YFTej)g1!wU<3ccXnOcoloYW&Rn_<J(m4>s|(&z
z9bUJgA;<k-oNEI@J1m60v~>Vy`r#NgpqIVfV9^(y{T%)|v?y5F9<&Q-J&WKEZld*D
z5_PqbhI;%op2_e-&W&@yo)6rI7g?S9gK2myKw<gc<<T{i^>@))=$j4@!oTq8E;`1r
zCITEVGhlg0bqYQLUg1XTX4If;&cNakL0tg&o5e}lr!hg$uY;52x?@#9R|4y~eq_&L
zH##{nM%t1RUi9mD^*k=?0K5<`>ieBdfKKdy;P1Ep1ZL&Tf1Yt<rGWSP;RVSG;P2ae
zHqel`li=h1Z{`IgKI8$U<5Uwnb<H~!74NWrJNq8sZz=4@TXw)$oiQMwUsm92U7tQ}
zzXBe@+5+4F0{{AZ5==h4b>@+Q+8r3k@**;?%Db!3Z^15089m~6tB%U8N@zd`mFWU~
zJ!^#Tq?^R}X{XeTFzmidV0Dnij^Bf<LRqtOkl!gC5TpLkB8q2LS#JJV^RRtJY_{v!
zqZ=P~O9PI@IU>%lPhF*(mpqc0qf?fC#l_rtk6y)fYEG~<>T-sP<<|W>D&H81jh&1d
zTrM?ll8b%SR@ifGsgC|MQf_X3E^Ml)I8n#NT|dj;M6<d6u2h*)UqT|}j7<Tef`B~u
zvj<9*HOhhyZ+x<St%EqwmJ5yupBi9sJ~FOpshv4D7Q-^;lGE8PQ!qn4vl$R?W*8^l
zw9!)MF!kOot7*t|CZg?%oB6;u>q<clXqG{id}48Bel-tZbFe`Qj`8y$G4_o82P%SK
zocD_;{*b{dzI#jaDvMBjtwfrY0#V_OmwXOl@7PQ<FFI_qhMDT-EyjP*@BTpvPPCOm
zVTP)&$6XrTP3C(%eJi8-vs#Q}YsaLQXsdR%*e-uWdbtPB56tMrGkOd=n!^O@RtjAP
zO>D3QcQL98(V2#tS@@{q2mYkG`#o!jL@EjTRi0r7LD{VD(chTH)j~Q6mgtK#BM7o(
z0_bG~<Z6^{OAvMxMzd}#Gf#O#zFtL06);w+F^wo!2Keg%aTSm$0ZRo)mt1Lu?-r?s
zi-r*lzJFVu-_5{js*m3;_-T3?V)R;rlsAVlzcrA&Tjv9*93AqiMf#x;hp~LithJ<>
zBUQ2KIg{pc(IR1lJ>rI`Y+#Yv<$`u^;Qgm*DNq+A3}2-|>f+UhUybytDAIwLH+p?x
zgB335+t24B-!b|{{i8R(#(S&0I3T%w=`rUE9{jo6IZtlPAkEk7B|Gk4&iHBRgV&vi
z;4j<ql#4MLJkkJm&1pR8{}yh)TF(*$HXO?fp0OSEKSGS?97bIG+T%!&-|&=H>8;S(
zazUdYM7)BfGxBTvf-1_<gkOEkkcA4VyJD@mR+Jf}QqWp_q2yI{O!I*E)fsV@j`^XR
zD=t3&et-oBY~xa%ZQatS_{Y~ujhtHNryiWV_3^sa#P)-H#5@0d&<EE#&y=R;<jfBI
z+?r1}8X^5kWezp1o`sXNU6+SntB5c`8QQ&;t?FyT{AD>{nUjH<YwJ+UdrUS=742#g
z)YW3y(%@lW_J8jsB!C-_Ed5lZO@7QUM_zw-YS)qq`H?W@fJP|(^@&xhf)e_ZJj4(|
z{%Mb3lsFzLN2UUa>n`e#t2m%4^V3F8YP;}L7QJy`5RCT#>-nw<=jjbL=;2y8qhAMz
z;?*GHbqjso#~&ScR?lOEG2^ttV#iVNJ?d+M<bC9LkZmh)sTx_l3;)%sR{tG=c8Ius
zX{D3m12^`%FaZHs&HE5>A@<fu6`m*Y#GTd9AxsWDbNMS!C$SgA1*-=3CpPTC#>!M+
zHOiz9x4>ZkmDV;OMtD>Uw^g`nKv5Ja*rE2Iy*6^<AL6uNhS9h1dEGm5&oY}TbDsPp
zCveIsO;tpvJsNBiEgl903N>Bz=OCzFGM&oYsW7;+EAd$-fl<Tf|1>>}T!W;y*Q+dS
zKA0m8?7;&sb|!}A8aq9|o*kM<(q|{yHbLlfF!)0w(GcCA_lh7t#p9X{H>{%`K<-?U
zl~WD0cobG6QeQgPv?7>ZEsmKe0onnJa*^d1j+D`32-WS<uckwUOQ!UUM3{oX?~4MR
zbDy#@l>8H2y%I}?Lm{(^`Q2pztozs2vS5QLsB?ttAl+i|6La0$`xzPEtvpztf53Ry
z_4bWWO8qB$GU}NgLwt4eoN{QmNBi(MU7u3k7M;@f=j$I0U2XShM}(<xS@7StyT9Po
zU8vsF*g505#8rN2PMB%bdGBFz(qZMihwpR_09!*0v#vtP_JWKgR2AB;w3*)aeNn2<
zrQ@*>%)IVU-`jRIMToqwS$afVYJvLG6_~4GPF3+58%)=wo-axBf=2l*L{WwH*ovbN
ztb694$drvNXb$}F(#zid8$*XTXqJ(mRfmkWi@SJvxLMY>Epyi1$gb(5pU3cvUlywU
z04%PtKgJ7bL=+!&C{!T`?oHE~e>N8IFhh;<#miw9u|3-~wtGtnf|SW4SCW&e``c!c
z#y^^Rr75<@<((^cz4-ch0L6)sU&_JaI<#Zz%@&s`Y)?l0pn5s{;nM!dh;9|rxXfcr
zMaveK*?{x&Zwk3mHV)=o)F*zu$aZ51^74xlKk1hbo)(=q){6_I0d6j$i2)hXAQw$v
zSTM~3lFw$um*X(~x)nhuTNawF-yLUseHLfu<bWerj<!v5!W94k`<HQf1~<{UTpKeX
zT-xBOOVpUenE60m6w&+DakYeYQ>9JQ;4aDJE92bjNfDd9J;i(sJAK5GZ#WAA`@dYO
zifS9JglD3YNJXWqT{!}quILI&4sj+8yGIEA)Fy13U{9&F`;}AeJ2bkiiLR0xj*4<4
zD_qbn(WSdx$^Tq*a?ox=P=}jOfsB*!^6H&0P^stqR@V^Q4?NbLLOOz~WO{+vJUuYw
zS0)=Hn>r__0}ZmR{6$Qy_knZY(6104whRZs0V+LSv5C2LP5TVdqenHA9<gbX1QQu<
z;x)w_j_<Y~GEHY(s7>@7P0pu7nmT3F@%)J!iYSnhgf_GEf_KAV;deiDycJSu3WH*(
z+>6r)j=IDN+xxQWHFH$SFjUGOgFH@=MDu#!yc|bXhMp{)uifd2aW)TAiZ;B6XF@CS
zGjr8*YJ`SnU3LHo?ZNi%eK(EITRo%q)H?uhGyLzKaom<u_TKO8ySnn>^Ch#XL-opu
zauX2-6s}Sq>Wh-k-x?*eSe)EqA!#=tl=UK&+t;dxE;{;L8k$NZ-hUh*kX~<X0_Bz<
zI0Y$y@bE5#RyDq%|6z;v_z+a}*~06%J`dkfD+9r3E91m;ARj>4S1)ex!c0VB+7*Ou
zWh0?ok2qk_TKCeN(=$80e#xMiS`)s=VDybh1WDI3#C@vikf_e459)!hK9zUXeBHQ-
z4v=Na&@tA0s)YU`d@wTwFcS>U`%mx3q!RuaLM=)p{iu$?)i^K5`2pSFjD9g^h4q(L
z+Ln8B-8;IJ(VM)?_2OBX^yKR7-<%EhgNCO<IA4_ZE#g-xtEJdcen^eZEQ@h94uRW8
z)l0Q+yZAu7d*^tK2b1~}JG6kZ9DP!m=k6OC8yc7WW?thv4L|7N#s!r)4+0>{X88O(
zFH6I`_L8KBQL3*6Oyj5viF;X`@!N~u>DJONZG-cQ%b#zsG453jJ}V@;V_&vescIg}
zN$tdwDso*XuaU|&et8tgVsB6&x8&Su8pLGcBA0KX+xPW17Xl<-R1n9bT#Qqc`C!$`
zz%pDV!t^=At_hxnszIjs?G;fXiOW%S#~-S1)DANY7&0xr_J+)oOVG&ySzn}$CV^9d
z<cICZxZA&^P1e;0(Y&x83$(Y-!3%gnT23CkPj7wdF<c`Qk|hmP%M_(^L$dPV8bp}7
ztFWHobIoQlf6zEUwA@ud!PVNL_EjTQkjOai(OWu(rrUuYTk*?XzWD9(6kw0VJ9Cu6
zVYVGgA5oE-1pEkdPm8?Q0NLsi%n8X_bVtue6B)CsEpR}x+>?~^IzCe=dSOHJWOi7q
zWFRXJegaZmpt{Wj!qqpodbxs<B-UcLI{h#=c-(7p=&C`m=Nr6PX5%OEfda2R<#`oW
zhbLEC!)06;l87<dA)fo}VCl-?*91;9`PzW$;`)csPW*hWxsnL@U{#k1wEIyqo*gBU
zoA_Tm%Rd(`b|5s6JEP_$@0%zunJ_C!|5><*=H$!lPrzTkt8!pT(go7&(Kz);56h?Q
z*QsBB7OHizLpghL!4}OARUoL^;ZS@h4RmXtMn9obCqPw|lsTQ#X11b4X2yidQ6Zh#
z@s}<`ypPz+F|MO0c)LE8&{M4V1w1L{hq2Jt;Rk(@`7fQa%BAUZE87=8nMr=@VR5Fh
zelTqpFGnqWZNPfqvYJ5Lsz=M4Oz%%0nowOT5W_s?{>ai-_)Z=bug@Ec3D&OQWzpA)
zC3d`(DABKAj%K*tW}WkFriTfrb*&CWS1A)=1_;#c8;38Uje@{ULX>AgP&yT(hov?9
zVptFFg*I=aMV)X9(pv-){cQ8;B&zrI=3ko@MC8$V^o(?k9GhyA*#ZQ?dQ-dUUh25I
zaoeR^3rs`qKV$iCU9VQoR->5nq*GRljU@lwE!6>4k4tLo_WAlE%D&0{3D>~U8ZlGX
z$}*Q!hTgUB_qHrWww5dO?rWC<dz%$z32-Xl9}$<%5-aKF;?b(pXap5a`PIom9hZt;
zrkKdcgY+h(gH+GwL0t-K020vHLz-NBM<Ou0IH3A0X#6Jtn~S=Pi7o;KzCH(U-~xS%
zYQ3!&0$CJ-)yzz~J$#0F2k3O#N*UrZkiGXPks83{EJDODH!fa78)@5Nr9QCH6v{UG
zmBGMB&e8==%~HwMbJyugd77qrk01C(YY2=Cy&Z19Ltju*787$db|5sp?Y?8{R^~qe
zwYiR)CYSdgQKJl7e-h-s=$Lh3p+<@lW-tD<6|PqPn()Y!Nh-%CzTfm%K_pvP?RwD&
z;+k#vOlrUHcBD6Oe97_z^g}D?j7sR0gK<~hle(U#BCf()rgmUJl&zvh;?=9;F(e}#
zVRxaA<=l~P`e?igwd|)~MpTy<V)l8QlHcm4h_4DtNb=;QAO|<sr8fY&2!KFv(5fUX
zI0PW7fD&bSOW<Z!ELMgk8G%p!LtcFkM1$a~=l=z@umBg9F~j{lr3(LK9shSa@f7R+
z4Je$Fgl8PkX=(v9j@|BLm(D=y-^HLn#su^k$fj{15g3Gnx*y#K|IhB8A`yS`ISYO)
zi19niKf~8gpE>klgVEhMk-hL&;V_W@{XxF4N&6}E{a4QR8?C~Th1mQZ2WOu8z+ItP
z_+>Bo`PIVq0j`YR)r#6A@nh8@+!Lpm%o-8EFQ!}+mVSSv+!JziRJnWgVg0WI2@hGv
z!%PcG;osy791c9lh-Bf0@roU#!7HzUJ^s7|$coWg5%56UwFv|Pz_0`VW%nEvE-gEr
zVMMA@Wjr((%QK@CrsgP84Rs_Iv1j3;SwZjw`H}4B){Y-_SBLISh;hFqaIJl-+2dSG
z7^oBU@UtSgx~a{*wZGfZ{vbJMk>DBugZeTTIrSXv<la9U*_ErY0aoEgq3>(5YGUVC
zv*|<iK8NNo?jEN1O9+&j3R-Y^c7Z^@xLHq$r(2XrWpvsVQp%lVf_#2)&-xfz=GJ$&
zTC&|fr<lL{W)>_W9@7`*{x+)cskXH}Q0N^%yQ09{XgOqI?WrDgy`-raRg1sZVxcFI
z)5kGU8X)J*up}F4>4A1<$*IV@AabX5P^#~x&{5({N$-~#t&jo_Gw!Ew@V_jIZ1CSW
zw|?~9h+F{YjskG*yH)|$IT1m3=zOiyKG(EuDL1mX0-&hE<~x4}2KV8t0b^)=E~bAp
zDz@^?aBgq9``s6l#akBP4;xTJielBR3CcoQT#(uBK5^TSMtRQ#Nl(23h`4dVwBXd!
zvaa=XH3XnQQIJHTMgb($e>Q~$>u<38)46A~;2w9b<2~k4<*;mwU*HS7DUXgXIh06F
z!hDpoUxz|lwp3(rWhN@k0>R@m<v^ntX52{5QA1leX}A->rc`cqXDK<5Z@X8coH#yO
z2O9Zpelz{TR&t1Cj@LC--0E~kYh#xMPzLu5{>&V%;7q_D`cZI^s$l|U&T=$k7ya?8
z?w5;(QFapPoGU;b-YP=;A=h$RO{M`?4hyueS&^D}zGqq+#S7gOkqoY;ksxU~Rz&N@
zsOx@Lr7J$_RTq<++s!L`U|B%mF6Q<<mEQCd0e6oD7cd1l!vSnj;J_&>Y+v`kaBt>Q
z+*=Hlq2}F}3hzT{6wR#1<dt7=%-T;?zj_h8xbP$UrU9|V-J)ndd$UGxw3b-?OsQ@E
z>imY;)hUbc3x&br)IbF{cDbK@<2$&?`5OWd@fUDsc32)<iKjca^6Ik`U1kKi9gVOD
zKTNGiC(S*p9H{UD(n8Y#mlAj-$~>r*q^I0yCi({SH9>pz3ul7%Ec>h$gf4p$T;Q~Y
zGn8wa7`%b7C9t4DI%+oY?t5H;<;1@C5rf;Qt@rzDW)XYo{4hi(Sg0Mx6Bodt?mP`@
zM0)HnE+O8S>!oFfU2|5U^)vLhEn+_yc$Ya^Ji*{E_OnF8Yv-Iq136$FPjNi>3wSD)
z+6GegDBc%4lk6=%F^u~hFdfe<wf0Sbmbf&`OPL-2(yIf)@$5#1eU9CKq2DuXPyGsJ
z+&T&`susNdjen~L@CIcSDqJ3i0s)78j#3>R((d+eGjbYHaYDo&t+B41A>X-We~|CZ
zMuAxOQ{-FhpZ_iLO?B(Pk#8}v+rN?T*ZBOeCf2Wy`#}2DiB7Gl!sk;6nFbOk{>8m&
z`Y|-7O_{cHG-~as4Hs}O<F2kxlEh$@s)uDT{gZsMn2s2aNkd*e4DMitZK9q3D*lpH
zoNOWkxa~k<_y%95?IABr;w_IvpW6G%_rw^1K*3Sz84f!jk@PzK$TJkoLht#QXLNk)
zcB3k^v}{D4c?osBF0Y)u)agk;l1oQlV3CA%;Q{k_WaYAaZC;0>s`GxE-xhRKa~4ys
zH$d)^rT(IV#p1LqzNP}_n=pCXU}^LKM^U!sa#(FHx0dsU|D{Jqiz2FcXgclZXLTe%
z&8I3G!f&BBx!;j@`W~h5t~mG_P^20_qwpIL&c~h0XpJjb81(ShE#jK<XNCRJfMfxM
z&=-F2)g4bFuopvNT^y!aCkxTOa<|rE6+wc-)J-j2=|H<jC)<|6oTX7XulY;Q1K1iN
zgak`Ts|0AHM<+X{?EpTE6}!C7;`U&1Y_-rCWs7xk+e`pkjeW-{ZFR;8WBFN}6U2rC
zXBZjaA#wZflrTQ^$V7ky3bvm>Z~uNR01zK`K(bbrC026V3l4}A9A&%2tMV9DfBeNv
z!&L~>U#Amq3=a=Kh|t*c+}sv#Bbo4GtflWx6}oR{@ZRZ?9$%-~jVrLTDFyuy0h748
zt_WP?#;gA38ar*+Gd!$K79t=Y-(6T{h3EMfHjhq+&~mm8O+#6kx!X!uF_*^ZUD;r3
zghpvrAzCG~-BC*C!^5IUYeMmU*AZb|IWrB?MjvrYACNs!>%U|%J{`&dn-U8ad_r5q
zG9^FT-P+J8CN%l?H#FlrwYR{m4DFcJ6dfr_6UM^dG=3l8PiZFS0L7VQZa)Pk=Feb)
z$cc?<Klqb5)2!qOt5AU3Qkoi{8wOp9hVKD#_jd-rMgSiR#7L)v!jI2vj0mcsR<6t?
zZDKbkAdiIDjhjBAB>Y`p2P}?lwlgd?RPg#|sfwh6HM!CIk0zX_DU-b!EZqoJNt-sE
zA$Dfq#D3lvO6XZUFoP7hdV`DX&%_~<eHohvYI_KGic3Fc@B@cU6pmwOtE%-Q)1wdK
zExoAi7(-Q7#9S_HF?7Q2`)`ME+c&>O&ZbZz^PE=1noscH2Y1lsxi3DVz1z=<Jt)A#
z=F#t)0Iah=&`C+o#p{3sGTW5ia=Z+g4YId#qqf}n91Rr0#lxTJE@>|?CX-+iu;oB!
zMGMkz6A(FV+=kOZ8fYsJ|5Aw8_!U?^EZ7nq<ZLzL^389p9u7ac4EEUiwLL+lnB;Rl
zn)GwiJ36<sWcUSq`H8en$QOB5Saa5{AHcp;&PWhlI=l;xPJ2-?p#b)0aV&j@Et>h$
zq%r=3`q`xMs~bPMGJ5yA3>m~V0Q@9HV&NwGxg|AHgT>)m$jn2J|Ha!|hDF(Reca9n
zN=OLOB~nT&C2b+n0@5{zfV8yqTn4C=O1DV&kV7+qfV5IGw19xLbi=!cP_O&BpZ9$}
zy<hM+oSF07=RVioYpvh@@3qyLQa?x4-J;7-;)1nl_{|i>MTuVEFO>TB+^}RtkRZZ6
z5nf*`GSb6yq6K(qr>S&P-hNXZ5|Z-fxv+Qc&I>RePb`|!H&XpV5^Q{VA=f(7>8hUN
zlSk!AO$tf@pO_f%x0XfcVkTdyO4-PuR^RFlq+D;ToL6jHa}e)vD|e6I1FP<R6U?)3
zBqx0B<8F$@`M#=B63eNLwL14Tt;H;DdyJ`2e8$nOy|aN2+S^|3c7{WsMJ4x~=#Q4L
zR#s`%q4lvTokiNXj&t!GU=K!EQ(}$)L?N-DSo6~1d~i5%X9qL3k-f^COqxiMt{R9T
z33AFf`_6tRspRq9g7^F`N)bQxY)L!X4Q3}C%=<IKx%7GNykjx<g9-=N-KTw#+vv$P
zYmqh35<oXlSB=+L($VIX?D1=U>3aG)O>C=Tk6wgT^FQ+S*P}Zk4CT)URezgq{T^ld
zQz@5UI?J{1`z+wvRB;+My_LRyhG}-=o7$gjWt<f5!HKaKl<YZVuiOa*dhX?Z4xz6D
zNv2(ykMQgrxizBO>wRXXF=2sv)~^|eG<A2zbZ>*@tpTqT<*^BnD8J`QNR<lRakzOF
z{j`0~b3OVdZ%o#;{)-VAfMjo5&)#e3E6=>m%*4UM5N-bCTH%G~0k`G9^9*ZP3MW@p
zceXV|ZAuiTL|lS-B^5?}iU4RMPU-C0edDbxV)rpN`aeR)v(C60SNODFTJy_rc29nZ
zNV>qb?2y5yG`Rja=HQ2ASE6*)Bq$at7_nB{`~B_k6kPH$tRP6mTxQ8x--xfBrJ^7&
zvN<Mkn$xgaAW8$(FBKE>MCjK<;Ve%f$<AEPUhDER`4|SoB)msY#L+oB_1s>`x2D$b
zO@9fIs##%)PknQ$uXa;CjVSoIoy5i&issRrxOT<2ShOE6(jum$LMjg$e%gfdY+(5H
zzEp`XdH9iex9<=Z+}7Dir;J!u7k7w%t=CIHY=hUj8kkyb{X^f*;_Zsn^>1h}y;ynB
zgjW~jg;l85&4rs6kt1x9LZVJo7&lNLr>T)cWj;x_yr=M;V^4P`xSRF@?R$qGVJ?;$
zWs{FtVD4+_#&i;DfoH>StypPnw-JA-VTWZltkSZ5^S?0BRZjeNM_)hF&TRYcUQ@Ak
z;^L*}*G87^qxubdJGaZWQqNW4-=>mn0d?n{9FT_|?{I_xdc;SDxDe$aoS*yI(Oge$
zI$s9OdA_iXYoZ*0$*tlqvUYd?iC9|aj3RMcolZx?4083a3Z_vBImuYl?*0Rh+EdC7
zAt^Sz8`;m_ZwSJ@)yzoIL8O$^ghB4}QgVbr()j;)PS07o!am-u+2C^jE~|aDt6!rm
zJc`KqM`WyzIGnc@N^E=u@V6N?z~3H-AS6i<r~UQk)wCd82Blz^ZdW3FS{W5E%eWo|
zpXP*-V{_5tIRiY=A|;~if{Kyh%9`+G&#ZQ);?D^mxBSE<(R4w@oun1KNS})!PoZ{8
zo~D6@&vJ|9^~gfalDlCH+S2SWF!!k^;6;kP1}Y7PD58dWTtx=#iXqmw11<o%4sZb^
zyvO0ZMY!_tG&+`RB6}gYS?|DW;I&oKgS~Gzi6cE=_z%~MD+0QSkQDp}2sn|@wKQom
zL}jR*^nxF>B$wvgSy9*|Ib^o0thWNcCEPG!60U<YHw|^ES~^4YYiBU`WcpK<e}WON
z<KnoPu~xtT<8ky<Y5kK{m1|kdtFmV`NZYzKc7Ag10^*j#lHRaYiYNQn_B#Zk$MIeI
z0>bzmhY0cLRfrxrLVw87UHgS~yc9XY^elY&NAnP7`(CT(Mc4o!UF!dpbk&j3&*Hi*
z=9H&t40~C+3O;xpg>EZfzE!dR*oyA<xM<yK6r4xgf`=TS8_Kqgaj-u#$6Z^bU5pH2
z>cb<+7?CKQ!TQiDrhp_ePo=G-jTkq3A(!3NBs^bVApa7~1WBTe#)AN$NJDhW=<|t2
zLY(u{)eRwG#a#b%jZ7~o#h9cERkY6tc>V8Met*{4m$99sIXgB}KPc!bh&*upmaHah
zjmvG<njOZ}P!||k96&L*iGZinF;nxrydy=55FF{_vT1DJm7+uxjXFfz<iuV!q_%V6
z4Sx{-NyqJN(QAh<w|zg>_tN(D=+L-<&Fs_ly#}AK_)i_z`q~?;HseDpD0^`@(OWlu
zrQB}8y)0k+M)$(f+-0O*^J)`g<DROCwnMSBgr23z98UI?J50n5sPO#3Jc`k`pC;9)
z$F))2YVRNM2NPh_KGgVD>yP-&D{$I+d~@{4Q|pipE!fWp0s97KQt&XT=b`KRV4HBw
z<cS&=i1A~bvdhKpPl)*FIh1TCWm7t~hg_2hiS1|NnHiJk&T#r6Eb#trin|Or2BkfM
zWN$*jscllSQL)0=o)30ggKQ)`F<78O=$da1oFZSxwl3Q1d=S{P;K;aK)iZ$SsQ1>#
z?M$OU7VeZ)d(`z0c^&Te*%x1Gy6a5#35mtg{0rY(HGfU`;XD16dt@<~ouYrxlA?C{
zTS2q}gG*7oFiGpfyx^OAV>S%!3#+v|c`m~$E-UB4wu{_$=vO8(g6lZkFnEWw=@<{~
zg+Q^o%)g|P*r4ur;D$wAAXPpN^iHB`oB&zypV;sH1-!6;?qs+eeRMod{{wd&#oveG
z^Aj!qi4GZr>e#EC-0$Qn|1HG-&nO;rk>}~xC-CimZOiV2D2(c-_u7$6^$=(MMr0?y
zKX50e?tFPf3XYVT;Pk{p=5`{r2U!Hpxu<)le=q46QT`VNX>kQo0*6oHB&`8i3@Am9
z(@Jb!^KBL8<HIW@-_F0g-=^O|>yv?A7*73koC1MPgkqNy5~%pYqP<m7gHdp>L*nqQ
z93@e9lkhk~j20!6w+^bBWry%L4g}u;LO8PjpAcL0;x%H5gL6pR-09&0xW%bcn^qSO
zC+6J`^#6mdO*Q=oU8C^)-{~4L;{QU|I`;IY2b>)ZA}%hMpFVXM(u4jvk3jR@3}An_
z*ubXK2WpskU$b}z%3-M5KD=SYpP~9HB6(A_@(UgL{G>sy2<QG&E1WsTkFX*2fwu#~
zRSh$=n)M|M;n}S(2Q^a|!xS!21m|q1y<jQnVV~*J=oNIoDs-MdBDX~D!x)p;8hv?&
zCdB_X+fIRQT4GEY*eL)6q%izThjs;4+N2<keWnX~kQE>)34~jSk{@^m+a|rgUN1bc
zP0FGrh31Z>h3Gk;ECJP%DDuqg+KkY%<eH%fyH{=xPVoC&I(C-KkWkA$%R}nCPkF;z
zjO32yTt<u~1wRK<X{VgPNezWV#`+5GmGD1cT3(V@AM4eEP<|e|(0{`;>o>9%aogW|
z>J<eu-%2SFn`W_7+%6xqt#7+kAblQjfi2`hQKyWxw2*pWhv+^hPruf|xq1D+05FyX
zc|lY8>g9!@>^C#A&16u#S=FDf_k?~_yW-1wKIbvN7>6+fp|;JysxGfenQjZhER(7E
z#jW#*Tw-qm^OWmRt72vEWi{#fGYkaurS!~(cFWrTmR$p59^r;*LY4jDM3-O#co<HY
z>YE}<Uis0q(8h`9I{#Vu1TXUM$|v(0TdeA66UYkhLx6c&PcD4Cq%gwq?<yzSmTXf7
zL_jTC`TwdGRYU%VTJ+noT68r(@0!19?r#VVMm<mmHUL(pUw+F|wkffr=gOedYj6rP
zl+r|xZR|owey$EY`LMLfWPO_{#4!#oRCR_%p&#_7#`&%nx)83oG-(rL!@WMw^ZXg@
z=cU!ri2;ke!FZT!C-436Zs63;q~lU1l$V?|T}I@~LpHiVH3EtexfH&S+vkQ!QXW@E
z^uWb%vy-VfoM+-}2Xd<n<@G!)aINLDPTLg5MdE?;`KApDsxCGeXND(|Y`y3X>5z^(
zi<2F7qHZTX(nMFQpgJk*l_Mk&{wMO#@A9GP#nF+)&S<xgoGihOwKV20GdKEvX-8x(
z+9&0w&iBtwa1JmJcyPd|3g`L;@wA6)`Wkeu@QiCgDqhQ$Wf+dNn)1PrIdCCI8PuVR
z0e%3?fW#Qr@I;Xz*3<&8d^NH$PE*2;GM=_Y%lR+dF&B-}^c<Z>X4@iXs~cTSY<E-^
zEd}1G#q1XtdTAkLnN-Em6Iy)0c^xLshkQx|pe%TvoFNc?l6z>V#MAOg{2HB2P^CRp
z4Zn8ca->N4HOR`kfqt~eP@S2?AN~o6A33^4^F8bL0-q@pqRvpwB}}6uejvnMNOXh{
z^4yM$KZU~1<do4CE_KbF-xmwI2FjMG%&fWlZ08xmSJ2Wqc}T)jyZb&nc{T5K<c_xb
z02B*{e|ipGZ;!zF&Q*Ef0rh=$`1sUED?2BwVmAg5tV4G7FW-q>w!wliEZ&+!;}56V
zrEX{q*Fuh+@2)u@Zr?p{tUW#aeTePs-XNd+VGoeMItc61zH{JV_}j5ob>hfRecyTW
z<RWO`34S;YH=^J#+#2g0kC}O6O)bRyr-;bYvNM}rkd>>6v-39mrZ$Nc6`P-a+EPh2
zb~N7q(b8m^<k1lkh`snp|D5`c#+j3<r0~qmy&AOjb$YpsIx<hIDsb__=&2L7edbgR
z3#_Te`qwlQXN-muUqX)cx-f3tSfiF`r}5>FAm2C<{9#*$xG?#?-cOiT^E|&sWot^9
z-%`RN*(o~SJ=1?bR0NLoWd)M@jL_XHjm&S*&OAluS&Vgx&td)UQIvV^l(!1%qukI6
zx>c?OtqpxB=HGj_!1fL3=@XrttoMc+)BZ0)#IoUD4&T(xcxBIfsUD9eM^p3aJy>^S
zpe`O(`42TOnPujRI>{6aKaX*ABR*UW1l<m-+q`xBdNg{=e@DAYABZG_*6qARfrxNC
z!InP8+@c~$C3=B>J))9Z`eTS;>vdwhZY!KtC+K9R4!|iur^bmrTj8WFDn4s62ef-x
zhBiajeW+__8V_RO(_0aYu5NcYsxHFv$Po{QzViK4hY+g4y%FG)3oy50twt0Ud|B<0
zcTd**u048TkqQ)15r?dR1wZJdPn+vdK0M5@m0ufYMn)87XWC>uaR)WlSXcbR7re*c
z_a>2J4&4l5B1Lov-a9b+HJ1WC!*>DU284RU4Nur%U1JuMSb__NBGzS~2t?@i(ptK&
zHA_4dyyEO#M1fH1s)DagwcU0W6}}x!LgH#7sAawQS%MQbbNL_TavNOhsu}ILk_}r>
zmLab9CSOI21_5&W4LoHqH=~bqP9OE4iU1p29lki|x<%;S#><%P_j%Tt%_p2HEy@0u
ztgNV(JTF#Q$NTl23Rr%WOzw5bkhp3mt}xV=$$F#Bf&JXLMG}8UzfJkC>Fu%$#fX)Q
zOv&SeoxQfn1J|@fI(FDz<=aKQ45w*z(PLs+n*>6u<;TmVmhoMZBudxNB@yeYJi+M+
zy`BD1=E$0j%?z-<WBxS@h$s8p`nVV*6`C32xo;{Ki_~i9Wz_!j$8>l2;jCLmwg%92
znWRqt>aFkhBGfL>Af+vrTUZ~EH{?!})i)81^_5vw=?~+7et47ZVTry_x>wRu!PTy-
zxrU_8FAQu9?;;IEwo*I%pCs#a<2&sOg-)7)Z5tI5cn0k`l;!g&9uHbrX3~mR)%>4q
zE~tK1F`#i`Cs^NsrZ(sfJ*fm_Qw_)7`t-jB3Nhj#gZouzNG-cmGIfBs===0{O@Wo`
zat~M6ANTQb>BtU_D}<#w=104WxtNaM)nq<fkX+oMOZ{Bbp-h|#aiO&ErkVLhU~&ib
zWr8^3hFOEx8?V=|C(N6#lQF1o@fv(hY@fIdQDBj;LtL?Xc$*k6{Gy2%<BxBVP9eE{
z7p(^r4$>cZ-PtP&H+%zs>A6^<9ov+6%`LwBCzxj{^bPuO=G-5=81IcpM2hGk39(xG
zBQo$76wk(w1U2k6c+RN5>B_>Y)ULe$F`;I}A~%p^LmZi<<QJzFMvq_%m@Fv3(294a
zK{eIUw|X0ulHN|-c3xZ8cuh$pgYv{@Bx38O`0=%8Gj`_z$~r1yc6NJ~cC&f!2Y+bW
z%HShA8;?Gz%;i@lU6~rB6NasWgC1X?>~Wh^l%>0Tc-o&|e6UUMB(&pv@mkCFce0SM
zPjJo@HzsFx#FvxS{&XHfRQFo_a(R8GK0EGXVOctefK8VRdP)Q308?y|SS8~i9H0o4
zg$i$7xZf{KV1VF3t}6`3=xTiH{$SujD;}!x-i?=uP@D0ls}-qNpx8@pSRENtOxCCk
zPWHU%MtU<#zj78iLg?AFNL-~;$o#>JKPx4m)RJ}>nZ^i)D(qfO_%=(iWy4#;*_8s3
z9vp{Wz@4Uhl6-9x6@(Zg@5T;fuI@?IomC(;&x+B{EK$YSs!H(jK9qTpc}>|g<$FUw
zk<Sg(;1YMwwTD$HX7DO_an&4SPwF|ZI86?i%e<Ox1GfpF`Pg~jX!pc<M2!sUeeLxa
z>Iex=w8l>icaGk-;@&%|ANB!f^H!26FsSafWkS&ESzYI=RqaIT|9k@vy<1ULU%pZu
zC087F|M}BT;bfEv1ej~HiCJ70(O#(NU)nA?$G5%&+ba@-SP46X{2aD?adhWHH-?3L
zcTt|RtQO4rH9zvCXL!RES$>PqHuA(yL}*cJ&H13qV*(2vxDIRjgP6+b4ds43Jg5Dq
zFf<jYWcF1xAOnh4T(EMY7_86&;OJvD$o?%zj8*aK%ma72l^JJl3YyjBno0~m<#-Hw
zdwTCgdS($I(dmYx`0<wG`P}|{{hJmXu)74;dI?uE;1iiI+O5`N@gle7L1`0b`F;y8
ztmpib2L6EW1wu8gM3QyNb*qfiE6(c;F@=d7?39qB?*c&coSuIJMfRDS*_CG6`+@H;
zvV|~=!i_snH-8DpD|dQ7x<G}yspI#RAUphLTd}fiS&i}m<yr8%=WyWFkK+mu#1i6W
z_xY4jsu(p-z2=UkS6ZRp*kPDlw&gS32e;vTWj2%P<s@Hx9#Nd0Ks#k<b4y@}dbe}d
z%xvJUID{^oWbpb60f=7OjE_2sQv8A2)iJd(pB%@7f8g_s8jNltIm)QsXDnr`($IAc
zNX78e=OBu()jDxc9BkK}W;tAjI-9?k=~g5qilHhOD#Em?)?{rk8J<5g#fZAhp(WN<
z#eK$Elr0+yWN3tD7Dl)qA5*}jb?6<!vnEH*BTQ?qBIi!CdpI-|wdIO^DT$a*(#6e=
z(X=R8I6XOQ6bfYXoG^K=;rdh6%d>pmuTRzv8N$9t?$FY)qh-1|&na9tlayzUVov|w
zpsVcVbkjo1F(Ude6jl=+a=Q;ffvCJ%sOkOlg6faDmoNniBGFa(@Qcv~NpbL$vQ|S2
zJr^%2ooCn6Vgz+(Ja)t36AbZTjF$L~m~r~$(nOq$Y-tL_d=h8yWAU6$f1NR76Ma_N
zNp26Ig~Mrmd}{NOFV@bm0Yp$DVSS{1&P`SSOYsa7E($|8`!1DATbd@bN-@Opq_DX_
zd%HtPVuV7<zCNrTMruqT1J|Lc5e_V5@3zzN{PYDCzD}cYvw6N?g6Vo40wxtvCBc?n
zcZQ1O`8104U9GTp{Da>P4f_U;bqhN~7O$JS+igBQaGj*xcxm&(tMyN@D9o-P_j8QA
ztgQfxMfVrAuta+4H;Esf9|_F_J%G@xhzeo)X3JKJ_cqhwx89HRT`uB}DqiQ?;BW^E
zoYf-ej3C&%{jTXkny$0$NXw+^gltiq=CrA54!?*8kj{WTwSY1F-pF4}f|0Y0ByO8|
zxBplz(V#!?)^$nUXZSOSq_rY97-buEru4b(mAf%lhNaz3`E4v^1>d(RpJN>0I6#lK
zjoc{n6wguOOBfbEq-!Vj0SR%>{a*`897WHEgedsb;YKO&Vtz-X-$4P-6C*ktPJfoF
zuz|{NZveo>(X#hp2m`@xUinLJhP?{NhCmZfgkgUz0)wlZ43nd)fT$f929{MFUgb!0
z1sd_cwq>)$5ygwxnjrkE5g_Ye1_A#caovC@>@wByCg<Zc5R2i#OmzGzz_XC@|9uZH
z9aKPh!m6v*q!qc^%*Md5GM!J#-$|<k*r7G2LJ-N&?wvIKX@6he^Fpcd=3Y!$ywJYd
z|B#~vlm8z;7<fz&TiabcjEGS+^pGspn*>@DRpk^Aft$;jPNk`&A?wC!qux<tX~++G
z{X0W^RUWUH3?0dIe)ZB#3l8;qe5IN=OQm=LVO7bUX3bL-Ua~liG~`!DeCoDc=C`+H
zjwccGiQX}6;z)h!{H4jNSubk;+XIud(agI3j5kE4(Gh~h5=CcD!E101Uki$)8DfRQ
zP0&edzo>(1et26%(PA_)mL}AbmTI>tY`Sud%H+0A+-0gO)AD#i;o;$U&E}(0KU8;9
z=7sJy{*Yy{qPH4Qc$+XM<Q$@_L?+cTWrF-P+_fommV4u!dqp$p^W@kZb)HR$pZCRu
z%5-LaErch!jY3Xs<`JHhyYv7>{T{Qg+v>j$3xvza;)hU{H9;vS*v}N5388)YRE~hQ
z-oNtdx1iw(_oT64<XzMPGeNIpF;N+)TbrG0tYJNC+tjT8#YSUBwTxA53FFQubN!*7
z&Btg1Q>7#-12Tx?v}H`er(+h@%UW_%rD@JGZJNxBXqqg+Y*ZZ$fLQoNC<5mlHUR@h
zT&0cDcZu53L{;KsKVX6Bwtto$Nh(ceRnAu`lluH6tV4(}?Jg>u9=qXKh=eC$MsR;3
zy#I~6LF!;&mIf(X1BLY4U%I7l^oCYmZ*~d!eqQK9K2#ZcAh6YV{}L?1^sa?)=XCuJ
z{(mr0O2k{jC+Rux2~xDF!L#dw;j_*~d@+i0;biQ^@BR(OPE=+Ft#^`u%8d2izf@)m
zLLb=vwX@p2Mdn6s**``Km>A4u%c!;{5C$C1D8~@cBOgAk@D6mp+<ne0o%4tmPV1}6
zLMiDF2p-7Y;pz`=Z+ZY~TLShN-lCq{do4R^#_w9<{UW)IEq&#&N1d}j<QaABQOPcC
zPqwmke`MeJW{JPky`j|E5_=cKyI`On89p9n11~ZR-gOD~91kN5Eg{gpK$R2iueNz*
z!oJ?}Sr$CX1fu62NERlLqrn2(AcJ(3yM*Aj7Edgz8%E|<aVBs-Um8+9(E`l6bHj#Z
zvYVI&3*gfr5Pj5!6EXYr*Wt$T^PsruQ7WekS#e$(;e?@M12k5rZlKh-L>DbjwT1u4
z+0aK{>X!KjEVrH%3T|4%`=48`^Iv#=$s#M(eW<I>lwA?}<64u19<Cy#OsajcPXyT;
z#(%#=zPx8oJ5sprC}EXn+^SCOItfUs{}7&KG))NE@)AbQ;$%+?ebMeL0qE>aBzrf3
z_O!$vO@+|i=1G6J+>aC8nF};rf6-v3O$18$a(3u7nXiHz(RkR|;~?wAV9)SLv09Ru
z$h0>v=*hV*pKQKfm3ffxX(#bQ;6?%M{WN&k>R7UJ)qgD%obj|$p@a$)3huc@%bY-M
zyY?PaZ-`1woV(MD7pZTva?VlwSQZK9dh857R}VF_!Y5EApD1`&?}&UP!7TSp6ZNpS
z*I-JiB)4-Ao#1;h>$IuBL~LnT^Mw){v>~5XA7kIJIHV%dv}5uvYI(oyusCoH0Y)jd
zLurl7ocAo$rA(H|shpf&uf(JJ-kC^iwl*#j@QlB!XkfBhzQ)*+srOZDXILpGl>10v
zY%ILBtYpplaJIyTqO*1k?HcqqB&+Eh2YlSMVqS;#uSTrRRFua_kZSn1qq(}4>r;l3
zbHQd8EJZn~_%s3>HKdx|P14y?WllqKSdMqk82xaa?Ow^w1mTnIZS&AGaJ~=cPPF|b
zIL9@DC3DaZzSK#%+uutH4+G$3w|6$-zo9tW(BCL-_NE@8(97&xe~Ey2W`-yG+i68(
zHdvwBsqqLbE;$UF8i$vUw`@;GupEAAZOsJ&A33l)Skt=3bzBn168lD;-bW2@y*cIi
za>GaEM9%rU#_);a|8TsYaHD{|K<r}K@dDaORB*h(db0y~XwZn?YZbtao&e87W5YUn
zpe)C>^Vp035oer|RzL+z*Vw0m5)wOpMr~Q;C2g&Nt`2|UJX9GxYLw?%q;c%{H;Hoo
zhT9bLEkRoW`ob;KuNWGiss$&lPw!GMHySHb1rwh=eJnXYyrIh_m}@?_ae&{ro|Gn4
zVeBs|(WUU3poMv!YA#<SvMiSJG@$~A@5bM^y9o1xQVLlXeaeM~d%uz%es9$Gy-Ru(
z2#daJe^q`o?+|$KggKd|(L?kv=0}QPf%s1frAqMi;6;|}2gcs}l&u$<x#V&gmg{oS
z?>7F6z{-d}8XC|);$#TXMr7tawvGa!Ym<)5L8_WGjCh#h`1m_0)}5CA8<c-DMeOzU
zE@`4=P(PG@t!uvI%7~IA<4494M_j@Enmri?<Sr*KZtJ%w&1aWEN@AU~3O(|Re`&!S
zEE^RIHlwZ2^KX%5IrA7}Q_6``ef9ncW%|!dF7AVJJ15rqMItE4EiSS&*ya=43IW*t
zyX3lQOwUx>95DW5pSpVczE5l2t~icj#9)s80V1O~QA?l&J%`I(<n59VmUzahPTB)M
z@WkP^)fEid*T^fejg>x!SML=<irA*E-n{SAes~R_fB2D(ANUdo7Jxv|RIpUPbidvI
zq;uh5-SY2^yC$)pi0T#zBX@)#;%@0FRFdZy)7+oIb21D!3{l(k2p9aZ`?#&VX<Zdb
z+>(OpHm?Itq#LIW`tY>Xo^4Jtk|Gwr9}HB`%?mr{*wisIhWlT=*naRx<ozZxF1c;S
zwqJikq?(<YwAN}faB=Uk@;(#P_aGC$(Ty_Ig%36xw5peIAlYW7X}8^Gv=Vf6H*?Cf
z^*QPWiWLUTzS@HbQ)-*TuxGCIp!>z-bG-=CcsmAz(I+!i@c9i9rh?aXY%wAti{_<<
z*DBS|ZuC|>>CXOTovH^J2w1uwN1SABR!xpToLhl~j?W99o9DpcR@Ts4o4tveJo_Sr
z%~!6<w<$YQ2GvaaSt<eD#zk3SYH{fXsv8crWNen;W3($C1nVNaok?tFny(hMJ<l;i
zI!|}?x*7f|8EFo!^Ly%JInAc(g499HaK;Vs?y>rg!z@Y@6$=@CD>*c$(m3it*1bo{
z%!8yaUqWyOYrb6C<!pCkN>!%rx!>k07+?nzFyvOT{V7t%E!(j!aL%+<A;FH7amOT7
z-3&5N&CoJ{7@o2ZoxVFhs+6-r6!DrTsnxE1A$dxmP94&sVz|&hvvwJFrBAFebs<&e
zrG>pQ)y}9h1p+Pn!ot-(XyvPjn>rCSICuEmMHosX4?<YBpQRUZs&|XaYnykZGC!=*
zCM}07VIC>GW?EJ+E3v3-(1~=YEp^4jRnZR%?NnyRyCMgYGN1T#mTJtWbt$5$<=gZ`
z7`__SdM<SaJi?Fc_pCA#Tac)dGk*GnOPxGuDZs^JZsJ!iaR_{VIB0*fdML27&5y%a
zZ=`#IM`g-(q;-8EIZdFB4(dW9zfn7S5hhB`_2b^GOMFSD28v+5B^CeUsdG4rMARTb
z!Pkzd2}Uc>1+iYa&7|JkDcL74D!-iXq-L}+?cwb;sLOaYT+!IGK`T<3fjun7HTZV%
zxO&z@{DS2^uWz+i%bWdNJ8-#iU2R$mtrk_9O^EAK%X7Fy1Vk97*;y>#O9Y;t@J#o<
z3>&x4A5>7y;q9GA@J;FBSPu>$d)$!pPrR8{Y?O(S)eOeobixO!E=kGrybZZux|UOW
z-TJqb=t&4;L<+0Kr~6ueg~O}#2fkJLuDf4AMCfU3H>;$;BHq8RFBKg9SyHic>9IM9
z$r(t<p=GTL!ESGfNwwNsZ&;kx5D-cu@yqe<w=5U+nNCwLAMefA&xldUSqQbvgy=mi
z%Eh#j3HPYrTJswC%cK)?)IVf2jzLa{z7T>ah{P>saobq81f7MJxKTyRX~tAFWkV@B
z#%K6kBXT();?)d(GdXpa*NUR-uFMU0?-y*DYTb90m~LwQ<qMCSJj-F!TfM@?+}pN3
zYo;&ty^L_II4CB~Tj=VUVB<3o_0wm7#u`eQMx7Qn9&70myQHJOgeaz#)j?k8(h8}I
z+3UTDik{CHNR!HIzyB;>jYWe`R7WEBu_r4mqB?kkquu~hQdR7I9$`Cto{Aw5Y|Hni
zY8Yyhu(dV;J7LRHkWIE@StC+U#TRg`#hYh}y41eupnOLQsxZo^AP&hWnqgAJ=-S|}
z{7!8#k>v5L&<$s(AYCuSdxWdq+mj-#u#<zxEz5c@{JHW6Up6PQPYh4H%Kd?JYf){(
z=`IRC8?9}xfptJ7{Ynfu5aL%D#jE)Yd$^&!dFa@QWFPI*B@%_@ZQ;UmgJAdip0RL+
z0^hSTpQ9FShbwU`415)F-nj9*J>M!aXCEwSkn`U-vQbPLF838hG<&-Og9dW;Ykps5
zhu%!3x2?tp&^waC84491lb9h#)TFgd-3mMXL}{Xb1^dM=IoWTR&2fH0?bwAZUA9~g
zR@jistBil{qD4q>xo!357p9FSkQK;rP$M@fJJHxto24&6$e^xM+hoIxQN>+Cppp$%
z*3)o51)4hwq$p(kAmX+JN9w@#dUZN$%lF>b?DZ~uU$v>8E-^T}p$8VY7jLB^akB>u
zGTb;}Eum`o=%wVR>CXN2%5`Q%f$$y`oa~`375d(d?}n%ukG2ftf|exq#bgf?Vk*;i
z#Z;b*$AZnmuASpiqiyW;dxKSoa*)9scfu5|H8|yiS4x#hAg?MYh5fnL{()(}aaY7y
zRi%!Sej7;@)HVq#%%J>kS?3Clb>*Xle<EL6fs+B%X-75|*<fqNjm(hQ1#-l)-jJs3
zX%7XIFyR#@R@fo|22t8A1+hvSe#Z=iV&if+b6VvWg(sREq__6?oZ`IwF2ar<o^dWd
zGoh2aqD=CRkhExN&W2t{`e4v=r-4w*nzavSvUdROymT4qnKF<hyjpRWEKzVXM!A1`
zta@N%tNKiKbsl7(Tww!o#@cXCWKMCC2Qm<rpg}Sm1bR((U0Joizb|=2Lg9Pv8EaQE
z$PSPTd^iK<RXENZ(D1dbL^!_G^3oA!Fr#uSaHjEH`qpT&rdsH7e$Y<x=QE7H%aD|d
zyffGjo&RW5;sHrCzH;E6Z_||mIK4_aIl{8*%@Yoo0?GdLTjTgSgwxG)vulmGujX@~
z|2T_d9rd)v>E>V+!%(h3lYQu#w0eb2ZN8xo_){I#7=njU!N<sTJpE3tuX5ZI@kQU$
zk!QZ;R`tbjGr8*Zqz3Qo4(5=R%ppts>C>nx`Y1A6JfOYYqiRS!98r;$#STaFHA@>^
zdkG-c99u2T+x8?yY+W&M8#JrRpHA#-+kIQ$p3B3vUX=INLmd^)k*=g-Csoa0N2o1H
z2dk2}vRx^)Z|x?&Za2Ba3SB2p2)TcDq#oX}yG18`#}Wmi)q5z$;_uY!lETps>6~Bn
zko9EiUCGUO_{u<MCtUgG!}N->T#LfuwfFXG4@Ha53DQ#zXxK;)XuI({GHhF>z3O8t
zryj_dy)!&_8*D!sjC10ES@4cOawrUngHJRpk9SX*Q<x{d_Hs4E<tFirPpB2@tqqK+
z^Rq%N53jZpslOatnvWdz<$#7OJ*n()gLcKxE*C{h%+ERQh^#yTZ}WABocifa)<CSM
zgwrC#Gl#U6GLkRb#$1vb&?Wy^P*^?CUwTKX+@};7pgn|-Nv$!G$d2L;q-<HTGHTf0
zPxgSsh)pD9CBb{@7A)HkhGvwA=~gpzP)(KR1Joq5pOP=qO?<4{6}&*Vv6aZKnDWZ;
zq0F4w7`N-M;d`x9$@tY$rxTb3sf4hR4=YTTctU%{q4a)rDN_Air+1d;6w{kN!H^}V
zQE#g)_5r1(R>AwOk*ZP_EDDa7wIb@WWc^5N1Q<q0Dw13{h6uGSy0nYCR#FCp3}SSD
zYS~wae#W|@7H8K8n(Y=pTx<8KOnyZx5)wPv3Xku7dzUBfPT?!s&8!BI*n7_`FPlk$
zW_eBiGjVDk!*L%9{J{4FcVbLPKSIn_Gk6Zk%WNC5?nj+q%VT`&>GiMW6<a87VKm-O
zn|6(lTHnS8=Dorl+D40Yr5|;4i%oubG0aSrEu(P<pPn8JE8ET3Gd8L+?w^G~PUA(=
z@?)LMdKk_eQ%X!rM}I;KJX*FIdlCxvwl|0(`NBIaMB2_-LC++R!{KruIy{9>4cQ6w
z8F&1qArk94KaNlBseB5`4grPHy5Z*$2k|LuFf=LuX6z|T5J_UkXaIaq*)}o9H*v;$
zS;?ZmWMdM<=f|T34;yPhQ;!BSc>kvkgHI3z{t|_pG!LK@=$TC%dF(&wpw-l;j^7j3
zU``!5_WM|O3GR4k?x(=baTKB8G14I{*jMTa?ZJBgx7a`MBQxX2J|G;PfxX_v!;9i$
zn*y$keH_pr?AQ11LOiy3H+fHEzl{C-!<hj1dC+GkcfzCg+&g{v^OH}0Uy=np`^nRI
zDWamEcw8Ii5lo1=k5}Wpu-4bq$iS?h!0@Bu9JUJ%!(K8(9vjSNZH`aZptwdV!uvvL
z=Jr~QsHFIonsdc`Zn=c`7gri=qvf!VDFhq2fx0EO76R?Xwg|;>AL|a_HNudXt#r7T
z+0tkl?%Y;Fb1<Pc(W%Xf!)M?0vqT9)DaWp?dgaE;Lwi5#YiTs9bM9sCJjGvHcc3w<
zYS@0Tu{Xq2rAKch5q7BngY*hHtAt!*>E%nzE5`&tU1&+T*z{V`yUL_HjjAyE59wmu
zA|0aaZS4n{W|u8#c9c=IPoGvBY6-1*zFX?KMh`If(d&H+_ljbBm2^>qWhnR(tm|PN
zJ$sMFu=>m0nVgyBcNRVaHG(#=njDkQZ!vO`PjTBwBvn${X_Uzy6fig|HZJEW8IE61
z*dbf7o4-O7(q8^!GkcE7FL0j6z{e#^T`QNiGr0vvHmWkb&O?FJ82=Is|0DKA-#@*c
zf|G4&rxZ~+a}n0|^LB(-h0=M1>f?qRS(cr0S0|LNM9>;pN2|Je{}_+q2L-<IFg!ue
zoE4@T92U&F^DFMsH8@sS6%_D>JKm<f>LeH6FkiCh2!idwa+;pGP_*EBUw46C;5b?-
zZfZp7cBAK0>ls#S9AG{dVTb03kI|Ax6>w=Fli+Kj2m(4t)=K=+2vd^$OIGD^(XJ)?
z2Z`0I+?Cci))|nPj-dcu-Z-P2t~I0F>A`HnB#{Z@@-o7QL8T2;4waNDI;RWu!W4R@
z(YDH%&MPZfNB6;wrJF<;Dl&vN?UNTt@UU02fTL;~M2yQ8(`aq2nc5i&N2*i=$!IqP
zg4{ef!sbbM2i*h@&x*=;ccH&fl4bp>rCPd+W_j7*tb5!bH~S9Q8xk9BA24Ie=pN8?
zw<fFQqBI`$UzW<p3ft<?c1U^-pSYiy-p2~#%R&TNbg`wVX-rE{zn|<@7wx@$_&j0^
z@y*TQEy597^%9BK@iDn1-tz5g{b55hv}wkjeQ1lf?lj5F*uio%k}Xly(ePr?C%QP<
z%}^IblqN*MYPWXsLntgoELTc63oZnTanLx2rgzS8TI0+Kv%#DtNz`$&2TEENRTSK`
zVsfJ=-?vLCIp(F|Warxb>rH?j@;2N>5@0eem?&+7Ft}64%}3<y<M{{A!kV#%r)@w>
zXq+>d2<^FGd?^%T3IP$I629r439o=c3)4>7r_o?FdQB<_VM;6yL;M1db34bs8m>n5
zd4QF_$@SLoTnH-Qqhr(F;3BSdYl(8ooE3M2*hE3Ln8?_dG~tx0hGH&g?>vsRfMqMX
zdCC@t+f_!9yq^Fg_;lNqzQn>|U{_%w{~cLzx4+c9O<KuC^rh!j?DW`9I!p}ip{gU{
z8eZ#(bK)i}wYhC7Bh5BLD@ipVme2k!rs4K!Bwb8nL`%JEvwCs4t~}Zzly@Uzab~`3
zHl44lY`#Sk#cQEtT;Ue0O^Fb5PF{RJU$0M3IVrq4ZZ(l9z5Hbw-Qw_+F$fN1FxZKd
zls_G^a}63EuQS-A&VW()`Q}~VPHxlFhwnco!2>n)kmXl+@K&bxcJ(M$W>CBQ6KbVl
zjFZKZt_*7vp-f$a!!FSEPVNrtVLWX&Z%6TV&hD-4Lij{d#n&)ATld@*C%S1T>~u}a
zkDb|{<IE`(C)&A$lwK%w$7hz+S0AXI(vRq}GiFG)m>f}#n4SE&myS*q9SYt|vdG=Y
z8?GIHtzT;)5HZm5yonS{hQFssqo1NMlAlwT@(!FVYs|Yh4l<z$d)w$2v?va|Kw9uU
z2pK{Ihg<Qb{-|_Z{~}Eod=yEjJw7Y&ONaK@A9OjQ7=zx=r1u~6hkAFU<D9F}L)~KV
zq&h9NGG(_*dh9?vDk^7@tqU6g@~B@PxY@ZXXsS~+KuV}0t*&zg>t254^}@YKFgW|C
zAv>dVg1>0IcNtFH%z5C9PCN{}rsfP5JO0c09XTJkPu7`pC{O}4b<roK$9!&QY2@n$
zl@Z7T58VfLhM$wH{mL5R?q%aMDd1tVQrOgymp5KBG;1~AB6fr#;Mk|Gx_z)s>urd#
zokG6>@A$V91ktSangX=9k`j{D4jlR)--<Z!gHwPR07MMfP6K~(YA^6Iokv(*pQoht
zolP{HyL*C;Kx>}z!jwcbEvu^ID=H;_$UJA6-=a6%E}HdRD1i6ema=}Io7%jyy?ma5
zB*@LxqwV>Ru4sGwF*g?2(3WQ}@%a-5LH)}MH`^yp^gz4cthKj0TvCG!u`*k^q;@I4
z_Q@5!p-M?w%&JwPUG2M|w=e!V@{1rssLq4Oy%$(>rjMYlUU!93s^RpmJ1^xp4s`gv
z^whQHU~Z}KD^X(BrccRL>eKe=$EQAko+R97JRKpkQ}?W#Qb)nrJVLOE(%fBoB`)co
zS)x;QoeQ>{G+DwzFgnP%(eK;`zQ_xk7bVnmNp;1UYjoF+q~xAt(AY;>qsRF`Lb;{&
zE0E#$6MY~Y!;JhI!pRn#DmAN{Nkeh*8B27~3OjgQf|>8*Vgo5)EJ~KB=;~m*`Nf^>
z`9h!i#hGfRgRz$+vHC%~3;|js2YtqN!%b)NUgTYYNk0?`Jws<lh<T*nhv-N1xK=FU
z&N*i?99j@~R|oD;%J!*Io;tCFEM&)m%fOJ|0~6~}$#%~8j(HDRm#r@c+EvS}(hh6M
znp2Jk3ped*6qc%($5t8Fc}TWv4M>4L!^K3qM;T??I24RKr$Oj`Y>sxoxdM65V=f~j
zRH~de17x<@=bxodsthFCmQZjew5H8t@4H~#Dad<tyBZ!>hwu;<I1Y6{FaQ`t0vVz_
zb6Xmm<YY&R$h7n^K>02keUD@x<HEzF-|MmHk}^4unBjrwS)mLkHR(ad(;7I-a|`E~
z<!o4?_CLVAzJ~8ZAs%$l^$h}y>4I%!b2&RiT&YbM@QX)Q=t>&Hjyj-~=5;oqWPWyJ
z>c1q(5%wh>5W+TZ*Oh9x(5Uf7!0xgts&|&5V~9W-kLhRQ`JgjTT{{g?@k4!}093%<
zBQd3?mtjhqG?0pzdtV#J!9a<GBC?h1wr}Kd!@A@@KR4dH-Z4-&=<Ce^i^#AT(?sQ(
z`;*=TAut%s)uu$+MnqHZGC@6)+|J2tW~CSx5*tSjqN|J44!PY^Ba6BYKO(ZO^W3EO
z^>(u_zadZ^o~Px)1EnlqeOP8q?Q2P6hgp9Tu=OFcQjpkaiptlfvsm#OzIIvR`nNcc
z64}lbc^A;fEV}NBR1pn*4ZE7TeHpejH$7n)zkhvaTa8!jbLQ^3#@ETNtN~t|4X%ZW
zat9l1uQE37O7zTkxARXuFqrd0YoOX~Dh0B4VUy)ejW0bQ;wh^AEy^fv(Bp?*=er&|
zOldtp(Fn&n)$<_F&%!Z17}~4S$R^Vtluww@TsFW?Kkx95+-7Q<3k%FXs{U*8m&ZZ%
z4I|MzqaC1D)~_xX=dy%HtzFu@o|T13@cG8-?v*cFb5}U%+j}IoN~sXWJ1*x|#N#EM
zXiF1_@nd4z$Y~lEQoWvEm^<KwDUg5eeqBw&^usy6B#UiZUfEeNJEhQ=bFrKX5#iWZ
zNRIFfl6iGJEJw1>WUG8r2xvO%3$T`ysb=4+XlA>04b{Xrc+Yf?u;h6zi+eF7VoZ-F
z2g4$?AX!~-=aDdU^V-89l@c`^Zi8Zf=eg#ry)nfKinlh5QcT_Lox<xMvs|Q#6bt5T
zcWgD=_Tm_D=J;L2N@rFkl~J7wQWIJ|hA1^B$}~L*Jnga`sbplSyow}Y*B#$$@0No?
z-7M7)8vDN@(Ixk~*^rUajn{S5+Zz^$W>ezh88oFWYnM8ctLAT_l>Zp&9#~y5u=JIA
zm3c))-dJ7QM%aKdq)`aAN8ekt^T|&sx(H8Oyb9CKsm^;pLNFZ<^H6^x;z|6oJlizQ
z!pHSO_oCH{7L19s-OBVgpPGX=8YD?V6ATSstQhv6y7taR${MqFNwgd8ymBXVPrS2c
zh!?kJ`erMdblmhH#{ua@FuMB7(Jj+tZ}+rxFV6Ne;-mTL!x`=ew~;nJ-?({ID}P8J
z`z}vOQX(vuK90if^>{9T($%8k0|tEUg^#l=bYPcnD~|QdO%C%qPA{YEg9>K6E*2AD
zzFId(4E7nKf=oKjT#o{~NA@O^&!M@L)OJeXLIbY@v~-Xi6>H&}(x4pkalThmL*zy7
zFOy^Q(`5NMqFgb|>3cpr=k`K$Y2G}hA`o6*d7po<xGHaD*o$tvNIx%n%3+Sxh{rEH
z?6rNo-ijhBRm(hVa0uL#*d!0hKmw&SE9@uK_UNnJFM->HYfNV4hU;LR@rl1(5QQZ!
z$}@eILzTDCO7%?fteHRtSe5N7e0tsk3s*-6C&pFq+U9{XMac&;C}fI-M=%3@w4@Z~
zI#p9q@M1cM`0&x)rhK1c1J`V$Ggc$y2=C%%iPp?ukQsyU>M(8d$t8S<w7iF%Y8m&G
z)yFEJCA07Ix7BLqpOxz8TP@^@By{oFP_%q?8yeGnphJA>6vJb=J2xLN_t9?5d+&*2
zZv@I2Hri69SQ0~B+_+)(F)ypQV0-KRM|Z(K)c1rONQ+zd*W&zXK>G$Oyym*m!IIl#
zqxtZcuH=X~cp%lZLb=9}ft^A2^@aIucSbRB!<t2hnx7qfY_LZ00YZ%N+`a{Ly#(I&
zoJgF-iwmUJzZ0F^I(%*Yu>_E2>1e+>HB@3=qjkDhO8X6Z0he2)Fh);VA{~+yp7yq_
zqEV~%=Do}^sFm2v6wcgJb5|kQK>lo+5G+C@;$piHY)S;jnw-`p{315aI81hTyM$o#
zAKB`-VOBLYHdLQm_#Xt5A>7eBi2mp=(E&D0pCx)@gl6-tI%<@tK0A}`N!(ffxL2IE
z|H4Z8vj|RhH5Fn!ZXS1ze_gC)#speYv6%9}`e`q2zE1hYGtl)$oH?g8BHB&oT#jQ?
z1A_U9D4ij-)0&3q9gZXZ^>D_L#5|GU?&g;oZMN@Vu||ft)-ExYoq^+PGd-@I{&kgP
zPqZ?Nr9`dW&Y@KZFr)1Y38zaKD&j7c?Spemxz1yfgL}3;3;MK>ZM0c!KF?-uq4wXx
zUy5xCpYfa|`M$~g9vH(p;8O3S+6{#EYJ}-zn4%-;OjbjFIywL3czw@L>*|la4U&h-
zDzvsOmnxWj%O$U?d0(=RGcqK)BHsG+*GIaRwf_2WU#D-W?Sa>Nw=+z38YI#XvEYoJ
zR5?c6xhIDc0E5FwgRsbx-M8?z4au$PvOq5pq@H3!4`rM6K&oOg@wDiv>HKz_xeh$-
zLn?P1B{xD#runZ6y;P~`u)NxpBmB-{(F!%zEuX}=Fo56w4c-4!k~c_$dS+<N;Z=!6
z?K>kq#$t+&3O_gx(Vg%NNeYC;ds&G1VBbwJ_V`@2y&j+l_I4#EmxCw)UpCH~CYnXs
z;X!t8LtQMM<#nLU@!DjtCVPVjQvr3sulLLR`lEL?gU53LBHfzt)#*l`6rQ&I>*8Wh
zieMg|0*|5{;nn$M7URx9GN<B!AexEFrD&_uo5mZYi1}Y#8CHv+p1xAZ-~!{q;+%tL
z=&J3U;H>2wC5=MXTQeQK(pV?JiFt1oSBl>bn4nyq+!XdT4x;g&cU}Xh^ol}G|1y>O
z=P;Y!RlvtcDlr77y`XmacEhv0$fvTyOloTM=En0WlPSUrL)0BMLE{ZW^g$$$3a05C
z@pCHs5q-!7YY`X6k<nj!uElO8VeAibNo%)9;9v<GV4I_nnFZN-D6y2;60-iw=Zy^~
zg_kpssqN!pqrr<{lyxjxZYIqxWftcpn*Q?}Vj+BVP_=HQcAu7f*j}T*I!~=IwT=D-
z)aF1kQz&e@tL_vm#{LZK@HjRxEqv_(?~7_PzL|T4TnDz!T14aA&lZ)yb&tb)BW|E{
z`GdT$*zEWd6gbf9|AXCaJ;eWw)>sechZ7D4sosYilDZqvyI6*Gbcdtq{TS%CQYnC-
z^(5(J!A4JqpP*{u;Z>e=o>7O~@(AtRMPZr5iFW{}0PLSU;n63*gUv%^cid_zR+v($
zB+VjabcfRA7e>+>+v*(BQJH)Ke<#<W@Zz4rn#ayP``h~4-`-@-pzS7C|N7qHVxlE#
z-wQ%G-K_#nf+d%g{gc3+-k-sl6YwXI=7CAO&HiCD5Tnd9*6jFd5-+Ps&~m8gNW$Ei
zr}AqLoSFEThYfkhv(VZJGu1UaNv{6m{%LA=D0fQimOo6Fcz@nzTh*Y7QAH__8>fU@
z(Kw53$Zls*#VA;t2#~1r3bgYC?U)!C@|Y~P)NM<V6t#b3g`w?JyXbF)cxORQ`A{6$
z?rnU`UDVy1nRm;XWKgN6GO~EDC^ma!zBQ`SFp#=7Z?_YX8mK-NN<!e4t{7Wbv=p$c
zTd6U@x!2;-eU+i5MpzUX-N8V?X*3z?D`#%t;HkMDT-UH3o|{0$F?ln~Ox)k|w2}yu
zSIg~Hpqx2MH^F>{8-6j!w|n@mvBe@zHjUTM_pN}>t3GPD!L_9<9jzAOEq8WJNud8*
zu%{<^gHawGq@rFGVLLsj-98i`=7N4)_te%^3EETdV0(|nm$#|EbZFhnw)Sego=8%3
z+;Vh-R7`&{U6_?b%~1O#r8U{%cYG1%L&D(~Ysv1Q$nKl~1w8EtgN$+p-0Y5jG%$GD
zaT@^#`_x11toH5}Q{&^2`fDlXqoyn{1tN?m;C>F%yOwde2M$V8W^3+cp@$4kOv-?#
z(P}AF2q9M+2F~;>yr-VC(%rBWp+o*J<Zui1&;oTn2&#E07aSDx(AgkJ<xLm6db0w4
z#PD-;YI_+dalW%uK-9kMmLv>n=2^tLyX2ca$cZ#m8tZPC7unVx_Nh{~rBtvE*SZw%
zQkd>|BiuFMnXpmR5stye3l||fWYF+~05%b@;!2$ICRz!)UO+GqscxXg8TKqQ_Hp2|
z2NBI#jZoo)3Scdj(M1_}7*p@7DwmZ(U||#azA!XIN!`t@ul*8(Xt5)GVgBr(&$o!b
z>9WyXR6ji^jHhV|5oZU5@dDKz__f`1)=bEpH7O*}UeQK{tIEFS4C^&!fg!IzvS!^P
zFTsXN47@W5W3&Xqr)|x?DUXHcxyLB4nx6R`Bmf#p`oA%_%D)-hAi;lSa4Xqq&cQZX
zc4qlH&my5$|8SEJXXX@~Z&pqSFR<Yfx)rKGh2OMKm}alKUxb;IICE|bP@2R!=xE02
z!G5U6bQ-b<U5TaSumvVYyHdPd2I|5YfNi}cP+_9@eFi_9=s{s=Kbz@YGXZ}=wJ+kz
zO?deKqMvLqlZ5rbNBmpu+9Ey0Thl;!*nC3YQo?`r6=YWDrKT=<jZ8G!33XjIC`ry8
zj;{#Xz7{u7ZH+tkUh`T>Oyg@)NS3<nHm{pzYrSz|Kt$TGt+{H1@3tG~__sfk1^~NS
zWQf&Q<GJxOD8pM?0oH@AO2p(L7Z?ER>o4z7a-(*Ts!H(58Y>dxf2|#!@aW!vBU;r+
zdFyK1ybTAeOFa~v`w0(|<w1^T--^pSSiUA*Say&fC&M^RJ7q3<WW0w6h!tj(MdVc&
z^EoB5M*%ObQ~uZbdVOxoG!jAFEx2Nr*5d5A>fLSC6}uq2`%MtNqh&Yx=}z=yqdjHg
z?7zpr?7y%Z$*vBr)Ye)az7Sl6l=e8nvcuDkBq*!(5i1@M;DprKQ6U=8=HCkikEiKW
zP``+tjl!h(p!mvOyedAmHxe5x@q%EfV`P(A?MNQ6?&5~FiyArvcN+xS1_`-*r@TQ?
zy9Dpl0<}ZOYLo-nVgHKnX^8UPJVWH^%jDySg#g%PJ`foH=9}La^A2_Se~{d7FZ6vR
z69fQ+&|VN4xfoL~k5}K8meMoc6Q<trUeO8g+WX$4NIp<4C1p@Kz4P4zaJJu!tc?k=
zVihJhx3(54Ws~=M&E9<qjSlpwn!HVtH%T)6w!_0_qpbhwty%1^uw&%V%PJ-0S-nf1
zS&J=sBP&FLJGTr1xHlzi?OMRv|E!dO6AMDq+?zf{qYKvVqcY8*;jPwqXuSh>QeN=A
zLyUCjIO!mCITqYQViX#g=JjAS$mKB-VoJ>;U(Sa83;mHpxU5Lh=&g6Z@r(@DDi_zz
zs-mI?Xajrv^ORbs@<#v0dpOqT5u=_`X|*}iBMY%DrR^ppLFzHy4AC;E+;O|LyMQj=
z94k`@6gO;GNe$lT&(OAQwzmaC=ug)uL0!CuRF$N6B3jH;wy1+{^@`9zVu-Jc40Ozt
zzFk^ttkkui@&Ea+j$zB1DOWAe%$-$>?y2|Q6<zfT*|90gH^9wSHZ=sr={88fk2h=G
zbaSq+g7P`X3o!RUq*0OqnO#|_vAwdcYlV7$Glc*_|6<}X7nSQgfWJ!Q<JELt+=S<|
ztd_7d%AdX~goiQG+vg5(g2HE2*C$JSHH5Rk+2MuNIR@l)gUKelZhcHZk9=&=ryw!$
z2ST)HXBL<Se(4(p3X+(3vJyP76AG8dia26-)^mU{d>3nUhdGUB9WCN(a6PZhhy=|?
zpOUFy((USDo0muuVkWwk(|+|*-rMq<6*$)J`&vS7-K;QwSW3@}zVvmoV&OEOxYiuO
z;V-gm1~Kk^v(NC3>;mPgh?<$vr|$Rr*b~>mv?Jb+JP6KfUh-^5;~QYChX}t7RFDWr
zC+utl(~hKxq^+%!<_{cvHu~o4-SyJjT3Q+(vn>JqeK@W2DoaM=UCVD*2{5r9aZ^3M
zWz3Bh`^5&7Y-GUKVaYgrQS)?fyjHmiNE6~J4!|-%`)asxRpHJ7A8g1Cv-f!f?OW~h
z9v(*`3o0+E6<ckH2@PY|U_xN*9l@jlHn4R(^ZGt+W(CKY^_vjFse@p6k48^~PL-)P
zmI&r%dIKUTR|yg{k>W(ADhumd(m#AEo*12W@dhi1wRL4@visM?^{r4~AHy*dbP<BB
zxoL#{c(@ipg$SnUT?A*cJrjklFZRIaJ)X2edpl?}zu==c``QDfgu2&w2(_!`pJA$$
zZRR4h=dSU=uq)Pw!IEblPIkX#mkY~_v(VlbUSSv)M{wqdAFbMpJyoSmQ@{>Y=4=;&
zh6ylW+lu|^_Z4N75D#xcP@3NM(oLpdu#%g0Nx5!UVxr9v6>Wh#HoL7lC_MUQPnfs<
zbM3x8tf`{BjPKG3V&Bvhf*Dh}|395wc|6ox8=qm+b#>FFD1%C=NF>Y1k}cfGplg>1
zk+D|B=w_MnQnnIVvdx=97*e*YiAKU}yOK3CNJ94Ah`~L-F(Y+9z4v{ukAHk-e&>14
zvz*`ae9!kBt%F$~wWMkNk3Rqs=w9sbr_lXgn#k%gchg|;2|<nVfV=)r=C2!C%}4O>
z3iiJe;q9Do3HR2=L5YCO2s7@do9DJUR@7Rb%yN4>S2dn4G`<ue0h-;ZOw}46*ZaSq
zwtVi%4L54lf!8@1NM&TACprynYPD`EtSX}&UT6?{u3z$$pTz>O)TpiKVs@exW>!C$
zJ`#d2O|j>#CR99ft~h<D(J6O0a!~||14i7JnX$<yRC{Zk&3~;E<hnT;A9UWokPwyh
z;^)|ZIdzW?_GL|8+}pQZw{qF2Za`ZtVJ1o-#xn=4I`es%D(gTM7+1Qb++*FCsJX00
zo=2s$I}M1%=Iim^?mgS!whvISf-9EtB}R#Z*O%On+m-Yx-<>ig4b7_mIFCiRZqJz-
zykMcGz-2BuoZus38+7GYUzfBLo&ru*8c*h6$elVtR+)Unu&0T&6$h}oZB12W3CHq@
zTo1z~*xshoF}`-@_3Ebe4Js*I=FvKJA%;q#m-<dE=Or4L{BcTH_B3x;KRt4w={7ea
zOjNthvDrh|dfovSt&x7Br}7Pzv!l1FxxDYubBi8FxE^Uqb_OG5E2dbd(~e^^Jt!(j
z*e<_Xuc&kniRN{#wTCT^)1Riw(E|`f<<-NIDkwhqQqu*$&{keJa#-Sgm$RiafI;J)
z6~7G@W<o;~v3M+Z*+l!5B3`{zla@?E{{5nkH<37ZOiH>yo?|?rS#DG$H4tA}Q((6%
zr!&cTcj=))i)eQFD>sVxuEt#7D*oAlreGZNI(x`lMW!}Ln7W``4Jgy7)b3)5kbK2L
zt@?R3Z-CV_@QMvtf(zLEZtb7C8MkMCD9omrMkA1{gc4Dz@%mfZ2d`-o4a$J1we^c6
zkT<M8QD$->G-U@ii!WK+PEN2f2|+x!CACNEqyb{|E$wMiOZ_#{SY+$H(zLLc!&FZ5
z<1$nZ_dDKFE(a>mUZHp)4|<ZXM<@6|^`!t!Z(GLYT;B`;^yer4$0r7Rt>jRd2LDMG
z+X9pTCVJ1JU2+d#ErZfJYCT=is+{Je+dkbVeqSi(dHo=V#%(6)cxEg;s{herBSOR=
znw<3+Q=ti`jCY$`7Vb#CtalS>Ls6^>#0S+q+cUl3`>B5pP|VJ$$k<@TaFj+a=q1dk
zKvvKEWKR3{Cf5erP(BB2mKjz|@tC02`RN#aN#mR&isOl%1!;XJ`K9Wr>LtVLv}~~6
z1WB7|G`X{w!<9tpwjTVwZOXH6qy(^R8|>jDapj#f1hGfO?}+=0Xh0!h(nKa357>_R
z_ns4)FK@j%odTfge7tqa59WUSY2Y@$G>Z@0<hwS@G!zNu=wES-syrPvy$e2qYYzeY
z)TL8$buQnB`j9R7RuVb0M!(6duyem{uR7a2_&-i5_=tyb8Fr$*zvyjQx*NYT#C=B!
zox?XWdoM@i2;t|vcqKXTuGkEK8lP2J_%$o?KzVRi#LF0<F;q>hB|Nx0W7k&oH+ggE
zJl9kn!(9km9e~1D!k_0)@sTb#9wPpvYg(^ZQ^U+)$hdVpX*do+y!df!`u(Mg%Uu!e
z1}<bt4@vbT7xEt-;5xTW#C*hER>S{3u?63sK0U*~a<tx>o8qSW+I@H!HKJX}A0CL$
zag+Lh4vFo|J4WB>-#R1LsXy}CQ+TUEyExY_QvU<{OEj-%D8y*f_*_j>g`p5{UPZ){
zWX^1GMQ5RcTdCL%WC~W@HCFQ0b-bSnT*=xmaFc)X$SEd=Qgb>wq)z&Qc$HD(2Wgcd
z%+;;t{)Q&G4>5o*@o`%NHQn#(o{q9kqEus@WoV-=cW8fyy;)?*VV&G=3~2MaeBZ68
zBNzK34*ryw(lECdewYSMFwRh%MP>rCopw_cx|H{^%~v8MTFQ&1-^&ERG=-Q%Cl!&9
z3UmC9C3kQR&3{BQ-q_h%6DMr<m@@QOht1oalD^Ya=)+MY#nP><vI8v=gQ^ZI7%VC5
zEy>ojN#^bvBh5_vJgvFiCK+mi1e<ZuU1A<tcDK4dmj}k*K?z^Zrpv1ak7}~XcjNp6
zhAm_>aM<5&d9}CIHG+lII!l+I2U3fe3HOcCW}2e;grH32sRT^7JL>!ymC@&$yE)CT
zp1VvfkR>KO)V&ZRRx!U6R>b`q@A!?h^L)gb%x9Cv1{|aB#(lcGC;(bVl~FIx8Nn%3
zLm48?su9(Zs~We|_<0`yxc&<6*}rNDpQK81X)n@i-?%SXoJ~kIG<l)SmuIYDy0|@d
z>iIw}RU+bDz201{Q7e744^v#y(E7?!vB<(C{w8I%tb?ngx$6P7@=Xt_SD|~sXHI%W
zV7G~BoF3T09zae^Jl|6kW_ZM-eH++GbgZ2oAY7<)s$G^ujB@?B6E8KxX$<ud?|18w
zbu0D4m--ib7hcT{CuT2Jlaly7D|NCBUisHg3Cy{-n$hoz9=6w>8d!a`=!KgZuy%ES
zQ8MAV(0y;XLz$w>+qq01LT-Zg?V%-v+;fgSIK%bV%uizgR$6gp!FU1jm@$`&7JxAZ
zet*~rk;azMQ9eIe<4y#4afo~Yvlg_T>j?3xlVMQx3TSLImD4W=O>wP9jol_qH}cOQ
zwC_v73S%(=81y-)i8N$qAZ-f>(8PShbb}OS@=4U7>}KJ5YxFsAc7cIB0szjJO%%f6
z7-O?=K<EJ`IR6zVk3pXU3NhG#;2UrzaLSkmLkyrTL#nKUa~n8$uoDLv3PGGz1~ZVL
z#$;gt@l1da+B0D-(l%*;D}jHq#^hK9NGfcdM6@CW{v!93su?l%S6&{1vx8&UOy(Sb
zr|_!cpwI)>19V1q7)vo2>s13h@nv=}CewN+444Q40wBM^VN8X#z`z(_AUWF=Wp)62
zLEWD^<dY4fuCWoJNkKyZtAH94#zaEbmEQjKpwJL&R)np)6~+u3Aakwcj|3|-Y#m+&
zDluq}e<O$oTF7Axw}J71n*Tr&bRb}j+zH>H6sr>gr|ck`d~2tFBItjc5{6+~M&%A7
z4HgMJ&2S0uGz%Ywv2qCt1SZ}Aeawn5pz|WfTIBr~Cw(IbsurMK3PupEEub4+%;Et4
zUoo};{9bd?Bw+8uV002AhkTz30FSf6Y(4<;KO-t813-$e2QXv<kSGhqz$P$O(r$<p
zDE$EX!NYnQ1oH+<{UskZm=yL^Ixu6IA>n&b4-|k>7JO$zBs1);Rt{wZP!X~_m<P+6
z8<OM8ql|p}Uci4}#vZ8O{K^DOm;JpE@^1dTRrm_WR=eZ%A7^3U=ad%uWUhwojXwdd
Cy=G4U

literal 35178
zcmbTe2Urtd*F6e~ARwUhB19=7T{_YtsB{EDiu58)n)Dt7M4EKzB}x^LBE3g?2kFuh
zI#Ls)1(U#?_<P^?`~LOb=lVRrn3*#(=j?O#UVH6z5~cl2nSzX&jDUcELRIC74gtYc
z2=H@u{VMRu6BQ>3;Lnz}#*3#12M6J>y#r+TQjr4=hZ{p&h>D6{US19Z|CTOA?TeNU
z4n(86i{=j^L`4tgi@Kvkfu^>$_WLOK;^I<~z34$_#1_!ta?qg&e!1~=vo`qa#$`A1
zz%2KtgQ&yjz%N6Wm!hH(Tg5tQqrhcb@A@tY^a=?=dq*?h^o9~#j;4u<*%SF(MhMux
zBOtgK2+7wc2u|p-7ZZK`EV25Xd$O(Fa{^-mf_IQ$9|8iM7X$=8&|KSq>Rjl@oc`%;
z57XZ6tj?ohWL8Y?Z0pGU&H_|Cl;9n2WJZK&1a#<<z^#`+t+0d`5)ZsL=^K@o9s~rG
zUHBiuKG!d=2ng;Fs6J76;XA*VLt#EYcv?@o{hp15t9LM~f98sQcX8eQJxxCUy*azf
zma((TM`QjO85(!))asWn?i#48Y;t`!`6|w5d7#Kd9441Yhob*(@tunJD&zs<-Z(0N
zJgg(Pe+ttk_{wRMXOD?dJ~{1#u>CYtYncR#zYhBr1m|BS0WJ@`mlcJm8J=973?l^p
za~9oUCISij&VoD1pQo1CX;6=oG*)kVO=-7#>QaY<_#`CM6?z2vS5bVA7a)OcNL)`{
zo`q4tvgPQ({=Z_47SWE3dj@slZHNxdB+rx*NSXYzih;-bvG)e1zg=<vE?@GnNKt2f
zSE@;lnR_x*=5^_5$>Q7Bs(!DJcPiaFA5h*?O;b;qtS{~nmedMh$>&V(qcYE}(j=9q
zx?W+~BQjOE^+6>q#QsQlwEz)h%ttkE^iGAfA(AGb7ILgtMVt21)xl5N^FcZ51H-E>
zP%=-`1p$9WOti^arR6>Jjhlg;667$KCLhmYG%FkH5Y{Q4&EZnv2hzRO_vW$E`s8iM
z?_Y7LCr!R`omzwH8^7OXFVrf=Yv_kni8^~YuCqqebZ}dfVJ%p;agk(OxEqjth;bX!
zcrQFYrT~37Zdoq*hZn=;=?T|5B=<BLFch|&Aa2mi(qNnBB5ooU9|<Q>X|o`3WrT>G
zaTE=T`D8UVL6^B#3P*9jV7vL5v`n0jPeM<>=odb`8vuLKW<d`Ye5%{$CL-)Sd2fWR
z$;D%FCcl@I_&Zg-Wk+#Z6Rp#mCFB6OtwH6kyiWiIg%<A<TqDKiQp091aTKRt_hFT8
zvqM8Y$cEsK+&bJTGt8F&@&Ir9?^I|)FeB<8yXQ7|3BCoP!sKH0gamnkQysaTr_yb0
zqim?FkUuu9C+|smARLv`4|r);@7o2J(57oj-&UikdHUO1uxd48e|qSEsHym4eNubg
z>a!?;38S$tLE=jPFkYZJA{GIMNT)NbG{lw1Ab#u1Vqa;w6(0to_`J=;v)W)Wz~e?R
zWJ={m)$Os_i!)j1g*aKn!j_#Hf$Q^cN6ryY`L*&vWUJ(-5fqD_gZ;=ZqJg~Lr9kY>
zO5+QEAH$E7=u2W6EljAkR`}qhXkPnX$@qcm4sLaK=*T%hEk(Vww0wQJk5!HZE1d#I
z1kduZ0yAACETxa{QV+q(t2l!Z)<;tIfSI-W;gxDF=URuNW4s0t@2-D79=p3{Fky8#
zlhuYh+7As0z2Jvv-04zC{}TUN<s`vSv{-vl_%p|B!Q>qaI`DjLad*VFYvNhJGqhf5
zrQpQ{CXYcM7}l(wv1_T8A4%n-uJPFQil&TD3=^)|LEScdsp(1+!-uS%>tWNKSrjs<
z?>T+cly+kMLi(nT6H4)Uq%FM(1Wl3Ss!Z8p3-peb>#a1y2H*`BT&2&Iq&`Xa6011p
z9Ax-u?V%XDaE!Sp_#(4C>M9l3J8CB5rOpk=6jMWgdN;9f2Xf~@m^ptC4AV^WYc{N7
zEH~+JfLvE7)-Kt<gwj7HW)#7|(6&Pe*lTWzeB^W9@S~H%qu+cnhh;8$MFDI3<14Sx
z1FZ@7g3neM3STmSz#eKbhih`Ti{xprrxy^t*2czPKT=@uIb&dOUwtX=O3nj=Np?t}
z%o6me#L#RW2W_KQhK2%Yu?3Hgts9V{b+{AC;hDodw1#=&-rU0Mq%WIaTE{gKC<DXE
zYZ9P~%sELq8XkN%qT47}R=78Y-<qfUTiVg9oOXA)N}RBJJb9LGA64oPPV*n=h(A*o
zGTY%2DIT2`7qve0sO%?r+4Lco1VY#R>y2gkna?$F!_pLV;ZLt9Usn58pLVgjh=m}6
zl^Oer-DWZNQ=-p`f^r*CCL6?kWo4%-!K`+<9lj)-Qk1CEW$N4CF$S*Nox(Kfu68BX
zC;2@k?tfi!$dB5kH9yI2EA2LPveIS9^2NGdly$|z5PQq6b)t3hE=2r~5XddWuN50D
z3&ZUjXgT-hCDZ=5ct;Dk-er<5yDR^=W7KxXThI+O@C&~jfi)>t(0Ob9_P;;Fuhr8=
zG)17MCVjf8)5$`3pXyD67t5-GlDZ1<8Qg98*1(v*g<_r90f!94OmZqR(}M8>r19}P
zEmGou=clam2c|Zq$l4`knqqf8qx}MZ_0>I-cVdgK@x2AZF1I(NNdNF&K)m?jW6Rum
z$gA^1bobUy2_0L8lJnOH`C6#%nOreXLqW32_n*C?;3Edlc)N;1Oq2XTwdahMKauU_
zw{-rxVgLNp+l3>4(i>&5Lc5(U%SStn4-2Z7AVZBq)@1S+!tGvBsCl0NJagvDO?jc^
zhB>s?P+PuC4>Cc@q56!*EHV+&@Q{<_zIGvcApdrurd5n=Zlm%p?)oa>7{S%V=vgw7
z)Tf=uNXw!JA5Yhgu0T+bJzU&C;Y*|)%JFPr2X~$I6k@{J6CY=UP5;u~6|eT~Z1Si0
z8?@Io=`9>EzE>f#c)yF|%=q8=UFtw)EaiX<oXF)sc~~d5U|~z@1>dj5_*}8QMf|E;
zwyU`Q<=YuK;B&XZa{P6*OzHwQhsguXr~u;C2}Aog9Q4fHrb0iwBjn~pTJUc4jvxiz
ze8hM|;|=`Ztqk0cB*1TVqK5j(S2fzrp}aTO%pK+{pZfdrAM}X?^4@FHk>l8CsCX_k
zv~!Ld+2zyQ92K&zq5JA-XK8jWi8ycw-VDDA)9e$n^9^Qzkh>Wzj-Rdgn3r>HHSw~s
z#dVarQsMpY7Ope$m1S7M^!I*Dc<Ifu`EOf0Ghbe$T(jva57PTiv7vp~MS-;WHuvc_
zMu7aMyF<lK?VxWy5k<L^9kG=@AI|2J>(RlYpUQbFN?fHsGpB7Wd`tOBm$4`>-f1<%
z^*pJ)h2MGHC7&G$<t`gV7Vz3l^{<~fFW7AC#Ie0}J<|?%n=TJWoa&|^wzEQ$5h*?;
zcU-9gzzZ17(ppD^z)(qmak)-Idx6|6-v8tcuua_ge7JHAnxdW>0r$5?=~n9KxcQWg
zw0B95CsN3tt1s0m1e;Ve(!6wC7h7ra=cOB)*88}$Vz;yKj7%68UZTEcbT_}Z{GC5_
z536354}2_}yKF!*+p29mv%$3bRHn@SXvMG{bOqz`f^I``@qWST(YqTk?tAEC|JmMF
zpCRIb1Lr#Q;ZTWtJPPuCY^ASyXO%8=uE|^~3`+PUbi^=a(!rb_4F2tLLQBXo>e72Z
ztulJ+#}*qzFprC%d%D1x4AQG5^77e}*;aO>ECr-}zQXb?=!8qsM5=^tqFyuMzNx`<
znB&*)R2lI7x$u|RiH7Must#^cR$si>PrJipDIqE_Wo<wG^44!^li`_3Le|k0ZjRYu
z*8T6Zz9Zi3;wDZRGZRX~J_Ic#CRiy(@yZvx+6MLNG4I<gc5209pxJ4yxBUZZr)F4s
zgeF_+)7y>NAb;xT4Mr^O2(WJvIQ00N*Ze4m_XmNVcogY`|L!t3P2+o({&}|8#VN0^
zA<%3UPY~p@hNazMjZn}vtO#;O5&P=Gubl#D9fVd5xz<q}H`+O|tebhByFB^9v}L0j
zYxYD66e!qH`6-A0y8Jb;UwWTbJH0-+yeM);1lu?v3qd#SD`6MCS+P=@+N;Qu_pf-c
zmLq;7F)Ozrt!cgKuhi9!O49ftke#PV(uLor8gd$&%*A(c6YG5<SR%~NLT`~0AoQqq
zY>wh4rqn+T3}sBkbd0qclcUxqK6<X|Y{qt4(XcfBd=~*7{>m949|p3!s+kE<|Foh3
zwnL3IEdBUkQ?!0h{#$o6F<5jf`MCXtcDbF9Yyp}y2Odu1Qa8f(T<A*rvjXBYkz{ZL
zR1-J0yalzpJuvXIRr71ZwV&ivW~hO}P@Fw6*kQ)h_vb_u3rr3k9&s#?;4>768(!@*
zg-@h?^i%!pH_%8!`Ug_g!!TY+iQ_~?*Oe0LO9RdT**DU%Yh!~wRf+(70wD|}iOe0F
zZUfDn69JxLXs;9RB?!TRQ-IgEIt;*^?!y-v(2oG;6%dGpAMk{spZs$yLIng7tUmgS
zU2u#%toaI}@6Zx+0d*Tf>YsHI%hLcS*=~Sc1=4Jk8bsUkdQW>7(Aq%L780=OJB3u+
zH+%v=N-5Ktsh><QjsE<h$N5WHDS3D#*{DPC_VYV?W^GodrQnqvF;rL^KX#A(hDMCB
zgTjp9T>VAGAm6tS4bCV(rh(W?+iBwR1fWGMS*00Wr*}K%9pKm`!=RwRdGk|4|6gX8
zZ$yF~J5ro`fL%l6j5~-5g>i<VF6XWct<$V{w<v(^NW{iXU3eCM?1_h5m2AgtC5Z4e
zp$q9~!M~H-*4Wvxsb51#fuXBRDB|7!W8+eIEy8?bXBQmd_5(56HCAbHi1{<-_R|8Z
zh!2DavJ5S?syEdW#tt1T4U+Aj&2!B_Z37)bx(bJU7e}+xZnxhNw&G(!*$B>)i$1t8
zT+BleY>~FEE(kHZwu`%H{?knJp+WczZ!HMYj^1*)kf}9=o>ry>6>XZ`&wp=4Hp{$Y
z1a~^-s`i{P1D{v1;fiVuKQFEE-NYM(jSlP`+H-fwFSf-DZ>(eE3M#Zt_d-MC77bu>
z?(;T;F&2IuFf(?Z^`E%#kH!C6pjesgGOl`#PJs@io&zHabnI{RK)hd-ye=!aqg=-|
zHRWm-Z<o8k-S#}mgw?Lh)}Ija-L>Y>dg!Wk2}Nk3?|c}^)as|UuXp=ty39V6Z{sLk
zk_yT+PK;07+~vN4fTV2Hi<MKgW%0J|U7p`w*^6wk$qqYfUtYU)254-|zjb6heuc3}
z`p~?wSw;QEk<j3E2c`pa7tM*Czw&-{7CGV3TWNgYL*gv2#CY1`>e!u3e^;lk9R8(H
zIbszRUETLWkd3tl$?^vEGR+w>vq>Cw57|sU*a`yC0i#c{<Q^Y+vz{_4`d$FI=)DEm
zA5-GJN4NE(p|XSH?&fV!^Cp#Ckz0t_+dK81hbO<%QPw6Ulr7-E7r>->i1f*peh_2c
zg3w1Q*M2)&W9NZ*z6eAZ^o*TBx(y8$^PF^bY1ecfsiCL+^Roy_7=RI6T#Qe*f{M9$
zfIGB0)pIc8!L!QZJR&OZcdl`vZx_QWH-HHdsx0`do(Z;D&_l{5bJn7WYC4|e>w<7$
zJ}--kds}pz<#uJJbT9)QV8ZrijhKBkUYhxOV+JsDm#Gl2W?ulw6BpzX6I_C$>S956
zu+hLSw^-gw0<ex0a`~D7AN85B7X}r0qXtl8pAFg&L4kIh=y6jj3g9g*;^WN2@<xr$
zgH_s`u0!;v+8zj{=or5FK7h3m$aYkHH{dS7f38d~);Q{5<D@?~*)KSLaQ^4?tH<;s
z1{lHQ4>i}vD$LGqRm>1riX$u~`0=Jk*P*d3-(>ZhV|uU#*2SRDRXj^!;C0Rh_31Kt
z!?S}r>hg94ec*-uW-U2tK@8hT%~KciYO`g0hQ-ZYvU%vn<6Gm|`ViRCU5flcBu(PR
zR6ZB|R6)pX$b!%}er^YNYDLMl3Z?zrEaAZxj{O(C<!lIELHmRkUg~>XYd|8F^WIl@
zTxc?XF<tJg^whE?KA#uba96!{6m7Gwti<ucj85`d{K`zbH+9p6p?GcLsvVqhQUD~2
zI6bVXjDGF<oDaTW!A!QXm`Aq-^vZ3?^$11ocfVbRe?qF#gcl;iFU2~CiiOg5zNe5E
z%2#}z{(yOsg2_kB|0Sj5X69BXNK{)dvPszaflK6RZ3l8Bl(;Dq#s0C?l3P`4<at@N
zGoA1Gm>0-xh+WRr%yJ_s?jsS{CF<fuU79_Q`1*ZvC&yru*+w}(!au#~E=|AS?X6&9
zFs9UrVSB-Xg&GUwi+n|9%->ztP|1f%UFx~L#IWyvH|I^8m|c@O2GV>bEwdk0(?nL)
z#(}5PX9m)=`{~Z(p|4O`j@pN$y8An&*{PN<pS>`i{k`K`Fk-m#lMtk|Y12&!7E-HI
zUhO~KdYX;Bvd40C@Po=w7rR$R#(@hxgcDCDEH_BS^#Bu3D?)cMfsrS>EB?Lv&&aUB
z;}Ka1wO8BWVRA^Nz#FWd$Tt)FsFi2g@fm$%V*TT0QESaoI^EY-X`$MbYKCPTGQ-Qt
zLPMJ8U$bs-$nntJI4XI14HG(Noq3^1!>&Gb5c_S)T^Iy(dG%Q4dv1h-3aZ9j2k*|x
zV?loJrM@UlE8QglGYyPi!L}~GWBp>AP2)|Dnk3GFX?xde@Whz!bpJ+KvxSBp6|zA@
z90Pq+<Wv+u;4NtBCb=~mSo%z91|!fhCdP@LJLZEN5@2U2<;ho0z!53i_A($aDgRNJ
zme6LkWoECNt^3D#C~f_P;wdmCS00)$2Nrc$n4wh9nX??%-H_Lyo6}_8q8)bD5_hFR
zf%>sfb1t;!-Sa^>6$f)kn%K$eiUFNnA;G%lbhSAKvePqqI58Dd)~nSxevQK2`$_1i
zN=;Fss#pK>ffd7hPCGqam9MX=Fzoo3FyN{`EkF1@AzlyGTo7~D5xQ4sB(Rj`uet?^
zYfjmOFpjfCKuL*28QAhV`5{RkYab>wPN8z>wDQDq?E7FQzKzmTyL6c&T0*iYDe><f
zc0Mn-VG0?DCTx*ONdp7h@YE0gM*%AxT|%q}zpp*kbSXJoOO}#MBmYIa&K}Z)viMV$
zy0`9n+8LJp+95{D)N|$Y3XG!Y^Ry`R!SxSI9<i_WjHTg__QKhw{cDkZRXsGVRUs*(
z0AK@oiO13fTl`umJJzzFzVCX(ZS*A(h(Z97gcdlzcxK%LV#Ejr2Cy$IoC!_}XiCdl
zq;2oZJ#=+^>m?rol7G!#L;ja9{8ugmW&4}S;DO3t4(VqX`3Jc&nN8I8iU0wgTl$;K
zIuk&yn$suu<TDuKyjKq4iGvt%<1$MhpRc&p$5$aNksxDA$dG2;Qkqe)I5tv$|4jVG
zsm`8E?NZC&$7DMMi)OZVxqVB``v8OJKvwPs<+WF(L^IrLr*Fv<%rN5Woyl04{YGh9
zinHGxoDOsJ_A<9vO?idO6AN5Cd=oVIX03T6kQ%-)O^Scm!{xr;d(OR;>T3I85+IHn
zn5Blg-=E5#MozhvNxmK!|1&O(<52aX_5x{~#kEIU?=@sT=AG9o^l=U$qnf|52fIF<
zy4(kMHOkLJ|9Fe&U7anwk9u|}!}&3D568&EF8s?U>#@5z;ll>b9xb+w`_9$Y8uP~{
zrBTKCinT(dU!oxHCuy~JzK_>f%YR&DKxxo`m{AM9NFNQe0e^59K9(V#dj2bxeU#Wu
zautThOEl3PLTp^vParpLgIS`_@>iYzVu2A{Bu{R#=Hj9jDj78~yhxonKV8s&hpCid
zYB@Pi$J^8PKw0$hDP$dPZ)b2QD!_>S60u&SF6be$7h7@g7L;l<zh0R7A*TAFdYlxj
zIM~gu@c_UW2&!devjJP#SyAuT0)HQL0H6vyrfFvZ+si&OVLt7iKhT!C0;wwQMw<VP
zS5#W_OCuvAy8$Q+h+M<k_bT{j*!)5k3{AY0mDMnWlHp0a6?g^w^YOySF3e>rby?X!
zhXp@J*rb1Bcf~Pn4et=<=V<Z!J6}^SBc_IwNIz^0NEa~k@ZD$o_TdM+1AT?OP@~Ag
zudC|Sk&LakN^)iuNz<;sENE`h(<06t*}f?lP?I{h<QOZBcvgKN1hAd%`whQc`vYB4
zTW!6*N%eOv`&`1IpCUgBl~Y%rZmIE#_@QwYdk$ZWBSD9K4h+i;&(TrW9jAR2s2?`#
zC#uafIaQTuM<{%tzhp}B)b1^{dc`TJ3XgbY$z4LtHKbPUURWaNKj!{1<?WssTw*m1
zdCIXBkZ!%-oUko1dj0i8Q#7B|{o#_nS(%yg?S~GBQUONBN<7K&Cg!=WS-8@8p5L|2
z#e>s|uSJ%V$K6Bd&`wpMEB*Bx?!RTu2BgDjJ-vTk<Z9dt7D~t9^n1Nvn%(h*INvwl
zGTlwAu#8v74dQ5Hcw@A(ZqXkd=~x`<BKsaay~bDS<dvm~;!!}PMk+=$&z7nfo7z%=
zXX|FmB~ZPCH;q0!_+LAnTJw+#q6uV1+U+z={%$pQTEF2JTuM1Iw$8c|J;e!{Tkv83
z`SrMreKE20f}Tu?8B+3ACPyWwe0Fy_re~EMdtrVR?QDT6c`Wi_J&`1P)o%4kY|E<B
zz3;V(qm*F1{M4$XZs&3iT`V?J(XSv#cc}A)Yy_12Orv4DU^usIFPi0`L=TqRH>T9$
zZ^Q#hYyj(=`}K^qOIA$&SmADo^fjk4K5XfeK8aCC-e1j|{NOfAjuI_N^N9T-mHY9Q
z>vuBoY%=j10;+Gf?~rjV4|NEo<{@oS>K^ppjv3UBCVXxedMFsEHjjF$+u0X=IW_5F
z2>R)*b#y3t(mFY~Y<H&aa5AAs!K;fEGZ9Dkyr1QVgqOxVVOTY2{pFb%>;r_Xqr)ya
zXx1+rXKjteIhsz)k5Nf*WeY{Few%u8je)M3(*_mekid*&D55ETh^^htaB--(|G7|x
z-2I^*1)u5TBXov8++lo<SNmJq#}gFI0Y?NV#n~6`N(d>MaK{Q}j=+?!7NKt7*?49G
zeZfh;7>2<4ab_i+?9JzD0%Y<OdQBb0Kb*s~l2rys<ws7P8f-ZzjyubLX1NP=YVG(H
zr%=f6Lx48hg*{sEd`#$AXihSG7k4W369eE%yDf->I(tc!#?I4I)SYS0r_rEze_pP_
zF;TRtbf-o7s$KPcbFN}5U7_a+G<*&_Pu;}}zkBU_IZiyN|M*Cml3N8Tn2S*rI;a&v
z&*A2#V%{awgLi6;GPT-<$8f6wZHVw^cslK<!dZ2+s-Owdj(T)evshI6Dh<0|>DJ=S
zvB6NBN(ILvWO*>r`dxfeqd>xrZIYMZ?DbJsF4z7izqklXt2V5@>y)&CepcXIn)m{O
zCUSS-?I`=)%{9B-!s3*Uv4dH1DhjUWr>NO?{<i*uk$udR3*=M)*O&FuDY)ir_Xh$&
z-U_;L#hS`J<lLaH@sNh)vgIfLU>(UQ<O+B>E#OkEYwXZ9E(&phvxDqoHR=28dV#kd
zYBBx|zq4bL30knq(PEr({x&T5KZY|#0Nn#V?<xdM5CV|0IDd2#LXy^9KRDe~v9m?I
z`3>?l-x<r&_qw{8z-<y_oGXCj6VY^JyDMkf`fZnF!HhtnWOg6o+3;KP1mgXTx+Qw3
zffdK(qTO$v%vCd^8UPKJENfsN8od8U_h*);AH8YaQ<o;V_fR#eZK9zl!tp{l1YT#F
z(OcMWOs90FZk!<z0@_RK6~g%?nttsrU(Ew6<|V=`G*gF-xc>wYoHJ#=WO@q8%rAre
zgmxaf{z5BLZEaWcZ_ZW=GstQkCWG!2m38(bQ@?oj!;(}Mh#*zw%;3A~TaXJYE^i4H
zjJ-!kCVvfBvOL;#{**F6y*7R3<nFWCaBXaX(RA0?D9Z?y$G+CZaiH0vz{+>m$A_X}
z(*6AUR{Czwwb4GS=Z@9GD}CU^$wFSW!k5^+_$41({iixu`|bCN9c30MkFw4;i3kq^
zQy^}ng+O28yO6Y+2D>+O1-mzRAN&E@z<UEA8c@rVqd%~ECK{-W|D0nE{8QF>2mP+C
ze@b0E+24(c5uQJAOSNsda-f<BTqB}J4{i~uP;YyMswrVGEu3B6Dkn=;Z6g5xRBuKt
z3-Gw=zh2QZK~H>dDztFXOy%+b+6>-+*eY!c%Dy^GCa0ne`CS+*Gg;ffJ8XdLyow52
zDXNK(%pky5MPbSkZVqnmv;Yb>_xoORDEjzs1@-?x=i+Bg1l1cGY%WxhSzZo5jsB^(
z?uD-bSvxg8YtNo?O#_|neKLk!!vm#_)xOj)ggXln-&(`7mP*U2Gz&+6SXdV4Hm@#D
zKPcOTYF9ZRU)9~q$;2?Jc4$PHE{WZ|Z(x613LpUU+n$%n+EX<yS|lwJwT;($|6tTC
zTG>y}+{76j?-Y4GP^DC!(ntPE&t6;h&(=QVBwfZW<0M4TvUeKa(}kJC)W?{BYAAyB
zKRmw0Kjl;@<S)Xz$0>ef#EXV*?p{*TocE}R9N}6yk`dyiDp@beA)a5*nvN&=u=m&H
zL-0^Y;4JQd7W_VM0Is!s$LY_~y$-iKY`g#tYRf;#U#(KP5O&b5nq$F<?_G*d-6K}e
zJv~b<ld-Botm>C^C3a|?o~+;iOcemLc6XS;Fk$C$^?w>5>a8FK)k6>EAsox0yY#F~
zIuQwN2y?q<@D8rI7nA6*S9T_|`D#p9UTV1^5j_s%_q@qenE<z6-St1!RJX@}zrA1Z
z(2V*4<Z3Rm?gpeb=B(HQ>>VU_wiZp3f$^FHcVb2Y{VzjtYNwAo>|XETLZKd(@omtP
zcMqeUCy-zz*ucM^81#X+JN*&93je`IRmHtjr~HQ)<Vg4YNU(4#uug>!Tl{k1RGwig
z6hJl~h3JkM;%0>Z1D%oKKjF*Z%ZsyMV%HFPH;MCqYXR`(*LuB+$9uvdbimCm;x#}W
z+;AlL<;7dX=Bj}}$@(mrQnQ(UYukg$M61HSC(+WG<5~k`{yN2Z?kyYB7$!2lxe70a
zwzr@eZqYxV<X`ee>_6G|;268a+M$raX+xJ6l80yX0RI&F#Xjksne{Yb5Ezp9h+e?z
zQCx)TdL$-lPzihs_Oh@33M4F;CMXo-j0Gxju+Up^MV1^K5hQkcUJvluym~%HF9Q#a
z>i-z?*E0R2-Wj%U5srX9@9+#wPZ{dpv2u?OSX&6DEPo|7y|57M^Xs8P;zxbx@P5ta
zmY9A7uXHx&;z04y`>~?WR#_9;0p>gJMspZ^?wKs9+A}=i`PjX4R+#rt;W@3imh<hK
zL$}KAFe`m)wZho9LW4l|TivUYmSae-Uvt41N1zyxGZ68%+WXet-^eIk?dTG;o!fqI
zFUO#m^djB_<)CgT#87%afEZknIjCSDc$HgyNZ>_L0OwsT|4bt-qk&a!>S-ip?5fvJ
zZY)_{_A|HQyTO#;3tOoMJvuPtma%K&6Ft*hU$DThUA>q<@wAEP)@@SsdoKDpipBiZ
zEjW)HcLy@5AwP81^7Sf~78ZOJh`)ALWE50PMGt-yD+x8bi^Jh8t^ue<YO`hWc=Im@
zankn>s-Ae3l4)A#&wZ9MJ-fddA{}q8aIGwZk!4DC&sgs4RawcWE}^6g4ZW?fSi5+Z
zjOEEjGr5jCv1N7Xq*|<yO``pLYz;DOzgzDU4N5w@$5rcap%35z#`@xU{#1>OXB0ep
z7gp9)b&Dirn}rH&&>8Nq)r8)T{NUiJuCf(rSvzo|iRiv(Kiw}B10u-?8ClDg!9ICA
zU)rlqA^$W6Dq&qJo%iczqN4fT8uT2^x*0o#g1W!pHIGpTREf&Ga>rOZmEh~M(Xrhh
zU0R`97|;R0Uz?$L;vVA?Wfb%8Q<grjd)~jiHR7<E^v>R|!!Fvq>k9i-D0h-9ZUH`<
zE(EX6UxZ@ZCbt$ORI4c=MWykeU?vR&f47#cTddRkyF2>a^+d2cat%z_R?4;}^GyG9
zEtj2Z9R41<Lb4UKid4g>KhUm0&sx)dB514=yBHPB$*H(TEDQlhD_J$}mOW+>bw7R>
z0R^d4&;<IME%k(_ls(U{x{nrP(6iO$qW{s;VaGwU@~5L1u$*hp(EtK=hQQ;7Ce)*G
zgF9iyy#>qKDcHQN7S0nZwe-&hiy2h%;#|qL5?{!WNkwFCd6eAl4E&5*#yQDcnc&1b
zg6<wAPCHyGx<W}$KkII#DcZCR-#p{i{5hpU489~fKY4dg({U4`C*N6;s$w+j`Bgr1
zD#j0_2tLUZ>fL?dF}HN3F*pK&A%yMO_&mGJ+TEmB!@auSlL(dK5qBch#bk@{d893|
zgog&NgnYZ(j97~5N;-%JQrU;ON6xxAb}kL?RKBVP<ysU<Wsp;43Qvbo<Us0ql44=o
z9|XK-0Tk%6-u$$qWlCA-PHgx|=i_M&o5|=!3dyI+^?&wGhF?s{W|C8#21RaIMG`|f
zMEOSB>hEJm#v^1B?>so=TWaz0YFzDkgR}}>Q}(arFL!H`hjlf)gI_={1zd=TAh1t`
zJZUGWEUm{Eudp*aHv!*a-c>q>Q8nnUH2QOQt3e*J>vbJZWdAL5{HxjxtlobL;{OCo
zAhezyp=u=kaos(4@Nt%I#^fgvK#Ws`K#kkp>3b(48Z*PyhLI;|iEW&UtIKA<he{tc
zLO75Y2i(E#?QpdcOh8^#k*EB+LKXNfm~kDF<k22`#th_}H(<vk1%D=u0nnfa={|ti
z?%*nJ<8MtL*t|hQ`}D}e`_GchN-@kgem&w1c2WxOh`~%?Gv5${tH-DqvfT?f1)!fo
zoDo5f`^vtdJGTCSCBuOp_yq6tl$)*U2(?ZruIp<9gp%Mrpi~ChQ)mO;`iX&56#vI-
z9xIl75{?!-onyY0K$uVn)A~!E1p5EQnh&t6g#Xk6{*ovEQRn;vDuBWKk6h>9b>uE(
zAiijQ0No%CurOu<Gu}8&&bf;U1Df9eI`sg!`QJm}2KYlfaKRq}P#1rQmm1&?foK0c
z#JBi+_^<!}uc!WB?#my8e~}kQ_(y5|`(gi|pZh=G{Qt-M=Qf-iB<b)l&CuVj0I{Y8
zV2taK_I}zstNYg=Ra`TRJeua0;=DNxzvCm2KpGH+yIqEaVHm*lKG$nVdhtbibpcsP
zw%2dw?p;?-E1Wo%41abJuU@G01g)1e;fE?Ufq1=nIX@4Nzi+>9K3D;VycjQcZxWf=
z2|I#$t5F<6+7jiiUxifdb&s8k&r4SzTU&zUnir*?9rDGEx?V0U2<0Fy>dd7-n-*@H
z=N}D4E^a<d5vVgiIUNgzwIzp<(DuRiwHamZ=TIRpdeGB8qY=Te>J+Wh->D=R0uG*d
zi^{v|1-nK)b}B??EGOH&H>vlVgY?``D(dd><C8N)I9%@=FH<OS-h?a~p6h*BrbBmZ
ze)VH2wEUvle#0GQ9f-axrDdP_HQ-p?GNk1HMw|I}JI<#s)ARGCuw!5ay6wGO9UWOu
z&KC=Qd4wSCsTo33P+j3JK-RXPgD(~q5dOLemtL1Z#}|1@p28Jsb^}|~G-=6>VYBk^
zgJMY#?8@Fic_Ym0i*W!3Ng0Fb9(`5I3`ylf-nq)38UflHpg_w>l3$~(9<+HviAt@f
zWCY*k$?ZZuI;D9b-*E8BnXgBSiaFErJ5{Pzune->M$a40%A8<jrL2-?U4s@bxMBaQ
z(d*seWe;nO*DsWA9K}0e(heDgANV)5<+qq!PfoAkT^vt=y$xJB-(Rv({Kfk5{iP-;
z-*L%tq-|jLJ@e4UMgKL{8|uhk)ZKmw{$O6Ev^%~Gz(Uw`ju(VZ+DLnA1q4O~8a6r6
zq*%|FQbWW*i@&e)X>a>9$ma8@tw>(G{In?Vzk3a8<mAZWDhi-B!|wUsECK+rIZq>U
zjDf}U(;6e!9Pz;}(3cPJ0Eg$IqVoTj1&C+D{=HoA3o`2i!n*RD2)NHbE757~kcEgT
zq|9cwb_Pftgh0ORGJiEcS0NA4g+p&`4~<>Imf5f(p~N+4%O$;^>gFnbdf09Z>msMB
zLB>wQ&f2=aA$XoeGl}o&sKWo8L=@ZyQ4EsMNb_d3jlW{{4#?+pc!?!eRgbS7Bq3}?
z1R+v=$<3xne8CW+*(xj4F3nSbLjCVmzYPWBn42YQ^c|c}vpC1+kviW(T;L+FPW^0*
zc3GF)j&xM6cW+(AzJ<n{rv*;stoo>Yvr29Q$xU2@eL^@>4iFOWjp<+~^1|Nnf6BA1
zxl8ADs(kD&r}&&~I-b{g7|$~dok99$3JcM780QlRF4Y$-D1u_O(IpzZ2A<pFfe;3?
zc8F!`Jl3chro$u);<GMSK*FPuf>9L#ihZ9|Lbd)|v2R-}k&4r_LrcQ7FmD*Af%4P%
zTuRGJ<tq_2hDW<js0`+oTDs&<j<n)DlM;fmU$NV5Pst9O78WA<;zhCz`uGN)RG3Y@
z(l-9?YJ)XnFawm80@q*6^icV<$*N<`6lhNU7WnXy119kgi%|6vE9mWWd2Bm-65rBN
zyqQ>Sm}4qY`A9i;8k}3u<9GByEyyKh?3v~_(ef#5HQ&hL+5mQ0T0QHawbE^YdvO_K
zgiJmTc#ZL(n446O<(ogi5swU*U5=~8WV9_3oPB><qJoO5-&^>xa&WFGEMWT@U|YLZ
zeH5&RSu9TCotZQK*fFgI%?R3m&~dxePA2xnU3&g7#!4G~T^!FG5n5cm9bEsBY2766
zY<sG%v)DV)Ig;wA#ILDI$aBgYDS5w8YkjZ!rq?@!sLKnC(}mj}oY<wqQ>fTVngCJ-
z4F$!EGv%?K*Ke(uwfmYU_r=9MW-D2xdgl3S7F@dn;@;u<!iaP<+rBA>Iep%iP^-pq
z&dG{l*g<?qo|n^9PgKXq`kB9i8EEFD;qEP8I6V#x>TA?3s*=pruBix^yaU25QY#ys
zTj!Y_<G9_vj|c@rs)b(WY(LD=SZJk~K!oQ$R%WZcx=ey`@PNhnUy(WRH4aJK64CKX
zmUxApWGoMUCG>eMDc+njwT#A#bLYMPnmQ|{ct@&<?vG3|>YzK7n&Hn=x$!xNd!@Cw
zx%Xes)^O2Q#?KZ#U74LAD?(&z^93uqSD-SVw=R?Azlzqv$9xj}DSJB{NdT~tjA~g<
z9AbM<Y_>otOQ_VhG3PM%BrZqSSfjV-jp{{y`PxP2Fm5U=J;TU2@;Tdu>~W`(gMxZV
zu{gSJY<T?{Splw2^MUU@`C)d2=fxCEO#zdiKqK=)R5|RqMy=At(gW&;EmgX5q5)Ha
z8u$lJwt`|kRh{i+4KD3*DIe5(mh+1gZ&QMdM!{0?Pvbj<z|8lueK?VxXMF})Rf!))
zqXcXo>vp)#4qwu$T^cL2Ra*UOmR05Uf;32kSpUq+{2f~Rb-7RIWSB4Mj||t$@B<vB
z8380^D9P}};=rUZrN?wEAIx<UmXXs#wGjTmAlA#(oVlc3X8lS4X5#LP<TMjsDVaJZ
zvd88RDdg$G;^B)iVOk(CLya`nNx1w-A*=n<TuugAQrKtq`WM8odS}$$)b5xBr}8fo
zXZK!mjycJeAL+|G{C!$5Gb4G3!)T#1cSHuI+50nHY4<}uNcuXV_*ia-5W@D5oG1X5
z7K7lXV$3S2CF*CClMyH;Dkx!~kf$hQ)}xlbhpxTNXyl|nRm-0E6~O+1^Dpx(7f$V1
zs?kiGqsP^e`*87o<unqg4rfp0nZs#7SAulF(#FQJBu~oqoAY<f?J4yd-qo%~v<y+Z
z88$U1TlZqVZ8>RwrZ!lAO&9=%e`;H42=X&|3zZGqF!6mbSrkX<7m(Ot>ieMo%`Lbm
z1Dn|A&pZkB&)TI}tc^sTf6_El!#eyf9Rb&GbSg0is*xu9uMh{Az5dNUGWv@L$fbJb
z1zlgY%sTsNN}#dsrFQm7iY_8q6!J?87G1MqB*%(vpyXRo42uf}E@W<xC1PZ{)ml%A
z+)Hd|!Gfy6(?`z!kxr<Wiw?Bt_%40<+Uu~MQTMJeEf0Z5?Z31phW0kATVfu_0DC6{
zTY?)Chr?S4EGqAt1bdbTxfB`<oK%PB9Jv)f5=1rW1jo^a*S?RnpFT(XT>S~r(v@yy
zuoQG^t%OKaI2R1ex<dC-E=2?8mbBV@1>OY1dwSAX0;yT=2DA@Of2I&&Vt#1L9a#HV
z5*KB*he~dHp~PxgbrXC<(4}dY6*T#h9%e|*!OSEQy}I^Ocl^C}$=*0j>i2{sCG6)i
zIRKSW#vs^z&7!^Q(X`rvUGdB0vd9Kr2tY3Z3Ti6($poDm4zUnpU<hlQ#n1&j1+)cn
zDs9VK^?<018Y|^&Re>l8$X_Qfwn4w#5J{@l$n^hgr>N&357c|Pc^DTS2+CS~i_$cA
zvJ!@fB-8xizq`^>8TdSu3MZe@hWai$ae22`NuA=dGb{pXwn#-5eq4=tsHn9VRr^g{
zpxll=e{pCZ&+h#f5RWjICHNO6kBA4-3p_0U7f1*8T*T^1`HOTZU&Hqd58;6vhb0>E
zoni3R;jbQjm?=b-kFl};AP(prK9CDYPJ3S}SX1}{@)p<pLu(r6vkH-EpZSCQsN@Pd
zXP=~M&1PWVL^{!8-$3nV?NZq9j(2qnel?Pr8jq*FXXk_RZ-74TetoabMRmSRDE`*`
zLkA%F;S<#SE7+xX!V7jMT>c~2O%!YSN2{X}BN0(srrtx`>?ia3Im#i|Ao98QN24!V
z>BJ;h(9?zp6d<y_F0Z%HhTk(GOs9DYIaa|?h5i-lGFE}r57lERsjJ^cXO6soF*OGo
zXNg2kDdJK`$uU^`a4e@C{<qlOO&Rbvc5}%{gp@w~IFh@{P}Rqx(Zz#g#&LyzktH0^
zu*R1mp*``NkZ#(5!l*0^=~L>!oyGWz7Wq=uL<JFz;;6to+hmYxKR!B}gW`^@pHoE{
z`NO#W>4}cAuJLJMd0rs)ip-M!>6IzBaHQ?=0`u3sD@@h@Uir|QX$<2OoA;fHoWkm}
z!s1D&jko2PV}>a{SZg<g;}O?iQ~jgM20$6!sC(Z~94VVLIArK_$_7j{)ztek@y3zE
z%M10P3PZ~xeWSa^yG;7%af6FTbZ-&leepIw9I*(ts2phZ>N(GD5wzgav}&gbyERw=
zT*_DeK=(hFvoV7cFW6(U84Y_ob>L=YwHd<s$g}`&w}Hr1f%;hemhiI$6Xe!5W<*qY
zApf4hYa3E<-XxPyTFo^`I>x!SQB2iN<Su`_!^u*av7*so*HU4>quJ8Ppkq>kZCy8A
zlhN{!BV-{>S-Bo-E-sSw?U>FSs6f^%-iujHRl}=oSz<usV@lUJn4A~&@y=y<a3*W8
zFjcjua63LFKSt(gb>fMxp19N5X*s!#f)DX*e{0R-kCY$8WdAmXMyp5codfC@iT+ns
z>*+bDamuA*ZvSsxTBkZp<|dh@EEtJ>9?v5UO0_bR+#P^jA;H4ClcL7`nDg(;$BloY
z_^dORAMCbX=z1IStwS<@U(iPE(S}%jj*R<URe=r?FaaS<l9G3=_LWur4e%8{R4d{N
zwlS;st6IgfUEqD-ExsdT8Fch}NG6C}98f&tJAfv2;j@VMvkX#sO+{Mt%2qwgk;g(0
z+HJnOk<-g{weHtLxiS-_Bwkfrp<|7S`-SII>e0|5vsdh@O^hyYsi=Jx35(r*S<rM<
zKf8<gCB89&GX_Y5Qq)hL|DQYtD6rRCdO)=8{lOjTa96>xJ}ZxmD|{#4KOxhaIORp{
z@Ci2XrhlCPn&2>o<lplQpN9T(4*ezMuf7jdyEJ5I$A+JH|1Kb$+5_VM&l>dcW`OvA
zqpv13BzK9`&VR)P<p9iBNuYY5>wI<+yT16>l^op6vTyN8DQTbd25Dw{0{V&Mj{+q%
z9*LFK)NerC><bn12MXsFipn<s@*O^PPsiIH%BmEl><ZI8UqX|L>vqNWS_qBI(52nO
zmkB`R^$kogL5Bva`M?hk_IwaCgJJdm8}D(;coUELacNJNuYpe?lSUqm#pt>fpyF^d
z@b`=Izk9BznE?k9s&ankuU5j65K}`7tNnH7E;*6VoRiAa9New8kY>#YbM1QPp?ml#
z77so7Z~o)o*q^IKR<&L%qPirJ%Ubd)MbS#FFDG31(>x{EJs}8~V{f6$${t{=(nYN#
zz=LEEB>tFc0^xjuUL>=Jy-I&ZbN=?w<=+m3+j)s-{R(#%{MXL2^n7=`ZuTvdR9@FQ
zt=@{-Gd8dBAfhm}YHETEod~V|zc`SaY3~7ZkOT;#z2LiTK{>j(p_&-r7aV@JU0`zQ
zn`9iqA}zBK40ahQdnyUiIXd0jY90-us8}5+t>h{$>;aM_3-DDiTSXbwT(#pb1=Mcs
zP|Tt6Pp<>Vss_SK#36H~&B+lVr0V1lQ`@p2=;Q5!I0BK92V1VV>98SiM}~czR0bFM
zrY*e<VwXQRU!TO&@F;DpYj0&ael3Dmo^5Nf?#{D;R&5K@R+Z@=xL&w%dzl{1PR&Fe
zPhh45&w2&)WzN*SpN%!XJAtr1v@cz#Fjbb^Bsv!lTu;_j_8oKlY{e=apIoC0>2;oW
zK?efP@iQtvBv4^(&=>YcnK{G`=_pbWYc2MTdtbnu@j+&A?UZ$E<%xU_S>bRrB7M1!
zWZKR?fc16GMWY#xgRVevL}>oKWA5&yU!Ve4R`6|)ud~?Ba#-bD5^G-A84tuH;ljyl
zvTimpyXzYCmGQ;TTY^CXMqfEJhPFNIuvgZz*~CwYAS^cnMdT=9G)xH>1<_psH13Bh
z!wGV?sySCV46(gLFww~mQG4qlQYp$VTcMx+guOox|D#grw=n#4uu_0$t7x?D2!hmQ
zzENaqCry34@W)wky8P1U*hoWoAx3)T4@rgROfK{)AZzJb>FfHCJInQ8D(V)60c$mF
z@ct&{OUex?_pBbRFgb;q6!~nRbVUra_P8@C3-b1O7Dq6dbR|I9YMAnAmG@xLblt9o
z@{5mSm&1X|UoMTXMy-|9<z0xow=WNV4?UDQFFd4i_PVuH7M&{KSQTItP%57)a6q~&
zC^EBXqW!@bWwSE-x*>rs2Q@qiMV}O0LH5PNj(n!M4&Q9RMg>VcVj{kh3I}1~2DB}D
zs4RzEO1hEk<YmXQGviQbd2T!i3R^2RZ9l6+qup*hnm>9rznRvfRc}amRJ_)(0~bdf
z#kX@}HBj46KioTAzuPQkG1Q@D=NS_^Ru2kf8x<RSNkbE0_J#$ZKM(ePhiUmyFzc~Z
zi^7m~zHO-Pv9`B;adN@Zkk*tq^O;d6!yXO65uNnI23EJEz#lrgdW4!BrA)s=GOSX{
zZh_UvOCyKKvhrG)GQ2q)luykZP5Fe!GINd0Ii+E@AZ`KX(b28NzOdB@7MG%Q{UB0w
zTjkuxyo`j5o7xizP^s3n_2I4Igp?2OnVMf>*CPp&`)WrbebGTHSo;NW*TeiDCr{?m
z)(0#2cu3huwM=)ylhaQ3Y;}Zs3rSs)bS*Ev5RQpcF{@i<Z#P3gXVqQSYuxa$ou@KL
z<^0@rr>7-LjZ%jhGKrJ5bjUP;-odHGXj1u?lQ}1aFKsjJh0RhHR=~Qm{?gBDB~J8I
zBon~AgR4_m?$@)%uD(Z4ePNqv;P`DMUopagf#O*%_K^R_ySE}ZQu&<0&&JWuWm<{_
zYdZQgDyAfC1zU94Ypn%e1-dlt5;7qr6CDZa{USgfg&xmJG3|evY}5zql7_=cHpgE`
znqpYJI6u@G&~^t41PB01z*Qg1qB{4I)%8Rn8Cg{nk7!+Kr$v|+^S%xov~zd^GG`_7
z(7KZd95O-9RcE@S9<E`^(wDR=BX&}FeOB8N{XW}(S3>CbZ<q+AhHp41aB)gey3EKQ
zs#dg)Ef;Lu-V4wbx;-|s%)mlmiy}AmQw@sz5kLv4H>8Jop3<u|D=$p9SrWqxcVIPW
z)msnwxWqNKi6LM*Skr9|RDeCQk8phu?KejqDrC5fbNUvDRm}J*&?Cf)J_$igF89&M
zEuSr;dGu2WR=+$q6h}|V2~IWvC7K@hFfG-uaGF5d!=SkiZiq|EEpUTotOwn-0lP1t
z8w0U`?DDxpK~adhZbqi`3cW1W=^G%q^#5#1L{liZr7Oe(nGn@`bK<-c9^-D?r{0F$
zL0f){8ZmV0l*~1W3f7f;+?A<&=B?kSUC6*@e-yY--O&>3n7jwu<WzTNuXit*z13<(
z4|3@+@x6ad#OB5+$81F#Dq)rTDY`SfWQ?wI4m0i*3zS)i!O~I0sYam+2qgFX&RIV`
zCAf;O?Bjz05c31?{Zsg*`d>7YV?Vt6)Q<3H|Ly<;T2(1`xh|92RQn!Vl_3Pd@*Ip`
zz(m&L+a~#Ohl#-b8cIv*F{Lvk{}K+|`>%a{+@=64#A%b|S=c`-OxhTq>@eccLb4G?
z%9=6)w-=$%TQJ>LtDxLgO+&FHgvv^af9fofELC<#qBj`#uFW;CPT<+Sw-z0z5^J+u
z`=<(7@weXN4i=33e$22x*=d|+aTwoB@b)VC`AE`L8Bi#V91Xr;%%5I~ql`a5ucWUp
zlK}DF@CEjYFW470LMiW1IwRApi=`w@0Mz}&;V7~{OPdL|Exupy_Xr87U3>^+q7%=e
zDEU$Y&Xct0{ervI^vLV8YS!B_5EHf;7(Hhx$P9+nI4yN`_Ml-JGfo@V24Y}B$0eEO
zavEno{!9DGRpKN6W-G!CW}HU)sUtq?3c&oW9p*QIg!K-%2f9aa@7PJ@y$+NwO+kOv
zkwueF<P$sr*041tTI3AS2wQDIXsfHkZV-W;$pDKHK_Pib9HVp|nPm+Bl{mx~*%|PW
z^?ZF!i?;l%z%LfrVg}g&QU@Wo{~>h<cy`5_J^Rxi2zlN6&Exmk_srr7|3Iid5xUj=
z+I-CMAa&tHr>&qSIi?n_s29_xKLKp`as52=BOCrB2%VB@@eK2CEx-^}7{W?nXmK;G
zjhKA#lC?4vF-Hm%EIhID-!eH%p0{rSZm~tEMTv59P}e8~*cU3+9=`Fa#3-jn>gClm
zE}jg8YsI%re;AxQrC)si<+S>CAv%#xGAnpd)pQnn(r3!y&c|NMX+L0<ZZ<HwJ@=t?
zb1SvnrNx_dDV^p;tnbVSXM^`$8Qp8orbp<)e`o+YPs{*%{L#H@^Dj&?!%g(=%}XoM
z1XOEadJaCY{lW8-yq(5#b_@6rpL3tFOv`x0j^6EJQD@)Nxl4TP<Wg3D<d=1v+)LB8
zv#6fJx>pf*R)b0!#c*>wHLDXw;bVwWr5a;vWZI6FBguYssb#S^KJ%(u(jpQJ*6CS+
zk`kW3AqLaEN{x)S$e8p7i;kpU*J88(RMvQ0aw|<jabj-MS(JeXR$q`9q>nw7uM=H;
zH}6%%p@4|2)Ac$nX7~UTaK}8isVE7d5`Yl{w7m#~(^D||fSPfKGyZ+q>&&ufe@cj*
z5<w6>nBr8&Mk7ed(XMVOek4TWDDdaV!-q~9>STMYQNpVAOPWiy&E7fNk<q`;p&7{Q
zqZ@{Mg^_eQh>iO*mEQ<gCkic|nR(Rv#x;ium28#4;jSfvwW4MG5|al?YkhH+2By>i
zPTSp6D@cujGFbfqA{(Q^Jl%f+Hi5%`3)nrClY(}Kj+n%H^R=EBb%rO4zoQO~e;g>0
zK+U@Ct+aZbEm01W#Wfvvb5Ed69d-*;@>F)2Tel;l<hTS|xzV0>X`sMC#~;f_2}?%z
z(6TE`pGkv<AhEy~I5bQsjLoM|XqnXvs%7vyy(BySl&AlZwJ80%N%is9<_WZs`og9m
z&(Z4waaEop7CxK$GrJTK@Z!fOCrf%uhFJKlliK(P6`Ct*%)e<Oe6q98vpcjzn2Edi
zA@1F82i6-sm7}4rSQje%VnE>)+=K0$2HvKsswfrT9UY<U$T~a8WPjm<m&+fgVqS>>
z;;m;44$WM~)@!IChBVu24yj%)QW-)OmNB;=!YLv<<Mo~$wIkxZX^E+|(&JwRgW7Y(
zqu~BsSy{WdO!EubB3NZ0Pl&f0b8gX-J!XyT_qQ*XlWl*w@+j@^<u=P+1Bu?sb{;nI
zE>2t$W)K;s9Wonx19xRlqj5T-1aGR@S-dz4I`J4v{piRAxb@-u5|`#vnH?2IV+jT}
z&NL1OgG&=M->ddsC1NPGCi5*Htp(G;tURnmOt^6nZ`pG`ht>e;@%s1UQS{6Y(d+ET
zPnthj!)i4!R}r4|DE4D5QJU?FH?vU!4};6dU8FJaDRPn!QFK&9naRj1L#oa-U!bSq
z)C#5YfjnW*a!V9VZ^6~muWqzOo>yR75eO4Bu&-<$L+6v%2?SK0)Ef|F`vH-IT2J5D
z6afUr29X`V3ZaUFTJ?09KKg1RK~_c#Z7zNQ3T*!-+Qo!*q9B6ew_jc^N{ByuL(55;
z2YIkgyD3+~a82zsa~^<;0wcK-Z=^@yADujy<i8@zL$h0GCP57bQedVSO*DPlG4I>e
zKK@^=`-{V~?0{0vIoH+rlW)VxTQ~op&^C(=k%SC0jy0SUMGT0c$rh<>AYv;h%ZM#7
z<*y?OYe$ULWbdMZo$&ZCAo=HuC;pWZ|0_V^KL-k6K;rudPsrdu{eLR^3b3a8w|j$>
zQb3SaX%U8`QnToimX^+ebPpv&KtNhRm~?|QNQ_2uBHi7!Q5!Pg|DBJ|FW&d}UjO%%
z%WGc9c5UOk`#$H~=RTh|a|b^?n{)qFL`!);*F2VQv2*;Fh*mgOSCpPfFU31wQ->*A
znXj29XpzJe+YXaLg$R6Xs!M7Q{~1IQa+KLP*v>7>!X}>*pA}m|eIlmf5Y^dT$sv7W
z{X*)~54DNy2#%qzQw;2(B~m}c#W)-v%H>swg{zHmE~W1#zYxT!VJXbM%-0Rt!dgmI
zsjL3oKNn93;eDDFsoxk)10lE3Nem-%J#ZhsTitiiQ<;M~N|L@e$4C<uNfr&k?R;TS
z|B)5H`HK~Eoe1xH5gOJ{d<+viW%a&l5#hTwa;NH}fuE$nbM?yKlBvt=-uSmlYPdVR
zcs2@4`$t^+n;hFS;T<-Je0nz|x&O}ZU9|k@iIJ*14whj1a85aNtoh<9l;bg*(Er#W
zW9MT%RKEEMq7`#GSSv_ym?jtJjr*ys6i}i@J$Cl>C!MyK{$+4lc5!XcIlc5-V2`z3
z3|70fqGPl|e_XCp2aw`FfT$(SXin8tQPapJeR%BibYkpSUzw)S!DY6WGzAh2e(>p%
z#GZKG_<=(<<Ihdi@wJ4|uU%b;^{J8&<2o!qhF9Bb00N!BapBT?sobXfXn!)m<cVHF
zhYB0ZZyZTp+yqbiO$ggoYHy8fPW>z~T+)BppHwiSOOnWhr`RR{pEEEMK7ux?cKTcU
zXsc;^b3@HrrdC-z)W?MV&z#1rmBQzR9x-W`94P=C*m4*GuCaHUs@hub{CpcupjLBJ
z_EQgXlMj-4?w>h>jt9%hc(nH$Y=_a8h!{iZ%RJ`Mt*EJ+HV2whsqs@<*)zBfnN}v@
zbFZmncF!+DdeDnaf5Z)Fk(^;0+Obg`bH!<5;g9@jypC6C|8A1q$7b$gz(h{WuHLSj
z{7K8HI>h5w#R$-ds;<G{gYLAl*2tv;8eVU$v{L`!#Lme8gP7B`#5R9bDxWKGvO#wb
zOzL-{LryJhqhr%4u4Rt6C%%s&C<Ms2hh_2uwE~IjxdpjU+sc`UNT2FI95`POl^ZrU
zo9iyapjkiQ%C=r}G!;}JD8~#n*bC(PUb7RP7>P+)h+0Y$Qk^==z2S2)vG|j%MznBG
zRNvQ6o`BO$|GHY)Z61EEyB7EPw4JY51jmouZpayO5ms*?QQ?pke0^*&kldiC9jdHV
zzEbo|&E&v%7CV$w<E@PKWb0`j{@A<Bcvug6S~&x(vm=*oJJNt7wtxD*lltTY9TmYa
zrCd!~J^7mA;ynH-fqGn=(#)MJpek0ZxCEf=85zFkR;%IxoKCyX*^^hUyXu&3Ji=1H
zusvL?#O}9elVpUQ%wu>N)<<{;TSm@g(hg4BUm6VgELmiHo(qQ^GEuqx3RYWjjDF$i
zi-&EfWTDWZE3fxw1|gwVM(;P4x~THCQ2&ukcc^}@do(DZx-%&<QAY}|h@}l>am>CN
z=cnElJ65z`BUNaUa7FTymR({@bixuP>L}ZdqJu)zAd%#wHKbrnzIC@X<?`(hjL@8u
zo)I}<l|NxN`WSMnV-x%g_1I>}yTm!c^_r6pj7{83(l2+!X5exCw^{B`qV<z%&8m)j
zL$%Z$W8zJTCHs#E33y!siuxI#Q#M%*p@eJa9PEMFE^C@u$zjnYEWX}1GD9WlYJyvG
zm0<$}FbgWbRRS0UjFI?klUBjOaojL3vP&#AGqFMlqj|LZp2;iBc;cC-Jo4mu*&6Fo
zB8X2}PWQ-tDN>@!-KIxwywkGb0jqeyBgv`TN9^%y$cla)K349&fI2Nx@%tMhTP7h&
z8aXy=Js37!`kH&vL6;rIsfrSsqtT%yZu49>y?hSn8$E0s=lpnu3`9-X1_Ks3CnxTN
zU#+kfxw<u6o&DXz3*4hM{$JTXDKut~|CS{xmX$z>qs#KS1h(llv~nl82BWs_ow2Rx
zY%vxehZhx;%Xico`qIZ;FrRiQ4PQmRkw`9vWm3|Kn^k##b>2z?r0O!UARnN*(DJ_4
zXL474mih?klFk@yZYFK=oDgjvm~Qi8i%6%l?$c_qS^UgKW~J;|ztB!b?>G@+h>8Ua
z!cgBc7k2;*=Re1^DW^VvkaHk3vZoVW7S`)}`PKOOejM{oFP0DcFQ{bjMS`Y8ggn)i
z9#U?M>%9;MFcK;0mP96X+>~I0110HG04R~FnLc{+0i9Ayd`ol>X;$JoAn!J(Lws37
zy(He8PhvZ*b~DEgo*5ZbX5q5%gwsiaH+wHCeC9BtOFj+FlR`p)dtqz2M&s;#^PJa{
z?B9hLzf`z6zw@zJVK{pdnH`MrBD*G_mGq)N%gFwq+9tn!K#jR3F5)2t*hUwr(Y%dX
zR9PL#CultWb`6Rj;ZI?OWW7jOq&=WhB&<X<^;IEL43jpO%n(iu^-45zxiQ>-z>L(M
z&UENCo~5-24pDQjAeoIzjkMrc2Z(1kMfhA_rL!Bhy>xY+Gghz_sOZ<L??U%wECN*{
zX&w5vA{5n6gBL{;w=Y4#kuddnnGhvkZBnVm=TF06aY9#JgXc9A+quQ@!4(Uljo!$*
z@23-js6a&Oyb<;(r2DffqlG#shD@37D(%R*HS)v&wG_&X^m&bCGrp}$z{GS%*>P8~
zas5YJvgHd~2e$GJ%CyJ($5*gF3Hp(Vqn5y>n=7xC;!TW43O*{g-p$20DSl3SU_-+K
zwh7*J(bBi40YgI{aJnyVZJ>7m5r&w?T}ZZPO>KH%I6Nm{yLZ_m5aErFMY>EyVCo>N
zddYRk_A;`4OPr}A!P(#Ik+<7=$(3gzlDAcV{fh3(HrLz|a<~k&3FN4g3v?p~Px&ge
zS=cE0BF?vi3AbjR)~%Zez__6T7WGRdN75ZRjvJh#zSnewJ5~b_;|9i|J00$O<vv*;
zsjrS#@H5Ejt}hyT&WG*zNmGR@1LIBO$ppiAIQo~!A3<WN23rDbzF&m`zU~z?u!INr
zkQM}gFZ2P+E&pkkp-}=`@QY!%^_pnR{g)eW9k-GlO^yes_SUYF6k!l|a5D*DPJ8Nz
z{l)^;WxWDpwhu(c;>#`bt-hO8u;05@l7MAMI~esuX*&{ctLiXRXYkpZPG$N;a>5-!
zy3{hGhINjOthjxd*(iT9mnI0U6!*9==Xy=euGRK|T|@2Mh&3`FTtjRxy`@$7ZMS>&
z{Ny-B+QhY`iN7_MaO(T~&>6X~19gMNnE=LO%+ty4Ar};iS9sIj=XfnwktTSsXT&1}
zcxen_Fhfkc(kR~}iM|#DU#mbMEQQXt;~t1EXGfl4LO98iHdqa-{fPze$|!aq7|w!J
zzBZo*@2-9I!c2r|9n@<nj*vnH!&|LWPUIQq38&uA4;f#R(qr_^3HMmVgH@Xf8~TGd
zF`o^o31%s(H!u^ys`n|r4Fug^jH&7DC52++a$Ku3D(xmohK73sq)qtIfe<!m!=+ID
zgWmhTrlX2c=9f7P+u5xmXdQQs-!&qy*M*gT4TVH8mqu9i8dJ-lo~=^7OBqP(fz}D%
z1=#S)d`P{~tLD9YQnYXD-yYE4<D=hRv44Q+<M2f^Y5dUNq7pE5!oC7Az@N<b-eTd6
zB`N`wB_pZz)jhcQz+uK{eJb}HBk&$@Ed2$YdB4u8F+-m-;D#@uEcz$&9P;0KG~rq-
zoMUaj24}5-s0jwE1hyS#7p35=?_*BRK0+!v!rVQwxQTRRkENqf(z}^iE_uC@<B<oK
zM;V#fhI)=Zg)v6N9KRKL?e<XN%A?CWGE+eg54Oi}If0j3go|!rf3-hJL2V_R&isFb
zr+v%6W=u7GU37oVnB*X6nYSW87->Q*czI{!QjpNE{Xo=O#OxqoHS=^;lDqzAV4WE7
z#M|6IVKI@0iOu}&JUdQ(T3{Pw$eVJ-;9J<FjAs($buVv%h^11VZR9*Ty#ZteUITBP
zMHVY6qU_Mc`nI7!%*53>wensb{WrD(EoNAvdJ_mgS#Ad_D)RD3T1OPaR~K*rq;c*N
za6!mp28YA{2H8)e@nB-ynHMEdw(8~|Nr!CivhdF;|K&gf%nZdTZw%(m#~BP~ERdN5
zF*Z)q?o}4MqHlpKM*E+3v<^4;5x9}Fmod%+EMV?W1m4#WS@MDv1F}?c#N1YEA?E`@
zqgPSEEW6%b37AIjWb`>MX9Fju5#VNzzv&g=PCRJYGfmt%3-cH^l4}7#-|pamZT}@4
zEg*${P}&>f#wn4xEv3_Uu$wF%9!aeghF;qS{?n2hew2vu2C>*@QqXM?RnHXWDfQEX
zpvZwyev#-wwOSy31c>tUhC7909^EJzu<pWtJ909uJ}{ut+Yj2&-Sa?k&P1KcDq=Zq
z7W-$NUV}H3_K)x%?j%@yQY+Mp0(ZU)PpV^C>KrII37KAL=5l7^t{eeZz84IHCCoz5
zQmMCcxvTV)Sap&LP2Q=5Vq!1e%*8I&)WD)gDgyi~L`wZ^g3h!VO~WS};lXujeoQ~=
zR`0?;ao2rmElPH{#S8I9DQY}%(3;6ftf*EoQ9;V{?J3n#hEdCk{fPF1Nn!!xmz>)e
zej!X>U?(%vMOfmT)USDu7zn}BjhM*(G!6EKfuKB1Z}!?99sTb%*o*<ufFaFM){g`=
zs>ttHH^Ta}mlr%Td<Lv@WJ8#s75{jEaB0S&9w{ANF~R9c+7ZR`r&f3R{bjOwwcQd+
z(QnuV6z_kLpDO6fr%aktVrL%nNX+J)M8s74KD@VF)f+Ov83xlz9sPN?%_ja4X8??7
zQNiQFcP6R!m%;efBXe{cCG2o|Ue@#*_PX(&TsYhIi9?q9zW8cK9<pSZcQU7r?4aY-
zh^#K<@Mnp!_objJ)0NG_$AuWJ5^@$`R&_P<c|0Emd*FE)Dsm$4WGRCAT)cp?TE7Za
z4PmLfME9#H%;$SsOean6RG2zs+4s7C9ju}iqWQYuC)wbK>Ui^42M!4}TK=u;%hkOK
zLv+~MthgM?1|Ai+{5H9zW!v`tiuNkV<d&}DgP66cFk?U`2q-(=LU)7SY<amshP2Nn
z+oBjAs82Y1mj!<)knbk!h%#W|R3-W%xfoWS7zSh0exK)s?V(LhGI_DZ0<Q5)%rUaG
z#k3L9GN;kQ`L!UbC`Cd>isxRM*y-<KOwdK~!tKdfYHS^is6s^dm*oeK=1PQUfCQ})
zm6^~n!5TGe$Z^-(_^N7UAIbXp*n9G-H9;whxuwynf$1U`8~=og@7$J(52!x>vVwSY
zlIhDcvBEN3`?t?;LwC!44#JHDzJ$EFP3ibuLqgeUz!1H)j!#%{agy*oJH|h9echhS
z0PQ1#>3&?(WJv&KLYIZG)W<w+`CiL_UGyTNhQFJqRc!yY%b#nAFUsJn&Az%+`|*BE
z<GU-~c`_z}nh$wdt2ex`rjZo*bW|5&*k#XkB#*aAW)!S*VoeIl=qmGTlD!(pCnNds
z9b=*ns@(uuaA889wH`h=a@zb7K^nTA0?w7<T}KGEkt*ju!8irWSm@D-$=DB7U^?30
z96`x^UMpi8f?iBYH0qKi5(zZ+KG#?c=i35Yx^rQe4iUo|1!Vq{6w->D0jeDc^5u~L
zRdHWsfl&%6k`c!xNY52~mk$8KtkuI_Nlh+c^7Y2ENS<@9Q`3+~M7CW43dv|Yf|P@<
z=yUA%`NSMK>VOv^T3qsRfYCw<y7-{q-ZsaO`IL_=V`eIj(CQgmVN8zEI={|>Qjtl!
zh-5fyS<ZelIAtGMFM5=rtoW<*6<c?P`aGrNDrrOehgM*LWG)#)m%(Q8_#gqwc6BVm
z%4MNtKG#G$u&ww#PiOW!|Ajj&;H3NA>2>aPIdw!YzRsll6o|H6zrQ=_3GTQ4#_==9
z5Bo{2Dd90U?UvONF9o;}`RZ{x?L2^`z8OP?uo(u)`I@$STSp0Uu!JjHXF|-hGJv@P
zFtYJ{@_;bgHNGmQokv@1SIsi=q?%+4&ZE~YpUM^;5C_%@k-`9_9;bP<<^E+R!c|~k
zx8S#&#j=f0^x?_CpFIyiO#xbSRQP`pw1{!~SZ~*#eBIp^M<yRKAcIR^$Kcn0>BWn2
znG`Wu{R%(j{}GU(7n|WL#Koeto@ak76KgZR6A{y1v^umlsV7%mD=2wi76~EVtC?t7
z`_p%ytNpL~E^gp+?LkjuOmZH}8T*c$mC0k&j*e40ruNO;yQROjKjCexdhdWS&A&Rk
zzy3F8cL8FFqh~VGRb(-y_^K!F9r%nEujb?JD4lUEL~qr!pE^aq-Q${AkuT5w%OUpT
zVDc5cir3hBsY%3nuP69{Eh!5va_TkKT1-X>Wnd48Sh)UbIgr5iC(r3$E#6AILKsE_
z;!MvMv$=I^7T09@+^)FW@NhgC<NAilz>_M$ht29|U5C{-`gvlx+H3^V&=Y`?H3zB~
zrnEnj&VLOg=q8K>Nt*c_{ab!6gb2!ZqgsjGewD+J)!nWGLQ9t)V+hFgIOw!>Hrln!
zjD0SK_L&40efQWGyEc=9+I3HdcGpIeh%C#SION9$Ji!V5=4$;zg89wR57$P()9;gW
z!lrkjX<3+w7^^YkmsocXwC1Fz@u0gG;*=g(E@AjE7knc_k~MCC2$T?f?)((+XIh{N
z!{0zs^2~17<YJ93^1Ocrv9MTpZ3qnv$5;*H(+<L^0;`CYW3q%vF%Ui|C8@g#KAue3
zdAdd5_xn&vEp=iq3GoqUtGhb`UF*?>r!BeM8_9emt~6k^{OZOQW)koXMI+h6$8KZr
z-U1at5eMur%HXKorWm>a4uM~RvPe(N@VEAClLocF2Ndm0+jFPsM>osw8E0ig!L9%y
zusyfOwr`EAW5v`j1d%?P*bnADOHQc5bMxR*Ml94DMiDe8uaMXhHE)OTf$L)XqW8Ke
z4w^WdRXcQxwJkE|+XXUTrkZM{W<Dy=TO~W0BVFqe%ISZhbx*fpKhn)gGQKD86?1`h
znX_X91U->(Psii%`-psXMWbp&$Im-xyA_ZbXHU2AHeFb)81eSG;NATGg6~Ckva5Y{
zlgsEGmXk@(zWEBt5ZHBBN2E>d+4=kd!tBS<Iz|gJpC8lrHa3h;`1#k*M@UW1nVv-y
zzh%1ajTGKnW8HaLy6^O|Q#4MjZkSstTb>tsi|tv$Afax>T9V(?-iM0bNb~dfp8K_?
zbmZyHa<{t(?{@`Wy;pulZ$3Vd(NgWY_OnpR?bg|~{6xg(Kzo2~^YgjW<{IIBah4rQ
zWrj{Gi5z9H*KITmhi6kBzjpy^JJATQxqdkK9^ds)J@JN2+FkZN%9G`=FsXy9g;@td
zD#u*_d0gbt2|0~WQo7~cx{;IJvv+TG0C1$e)bCGAPJcfsWVOEPzDsJ>0&-b(F0iwc
z0(S=!rUh0B&PEA*sow*@kI}oIa3u0P*2wc=EDsGJ0xlw=9SYDxF_hJt!GwTTKyfJf
zWL2Y8Lhz%Rcr7a(l5ssW%WFMAnR!g$kc>%&-_U&S<}5Y*rMse#b!2UOID)!Lvuq)~
zBZ_s5f<tB`qq0M#ui9n+8L|DS27^j^?tRUB^=VqAc@rP>C}kkIMQm(jf=@-8m)IwU
zgkt#?%>r$fNkJ-hWgcC>mg|eX3u>X)#SZrt2eCXE{wi&eyrxq53KbrzvUQf1*z5`R
zS>=X~CY>*0I*Nr+TM<!j=MLH(RokA@X97-^PWxmIQH+q8;c<u&a>L^G#;3hA=Rm|G
zY=M!1y=C5U(xYcv<CVSNNu(GYRP6TaL2akS9y${q@j;Rfo53<g-PT$8iI0bl)~3FR
zf6W`nHuBUAk<gkVt|iJf!n||}c|Z;36kg&IL<^o8Y+77~#<VEG>6E->e~bzaXMH4=
zViz}?E_&oLo133#{AxD@Hs#QcfLMX*MW>6pfkes4u}Z(ZkV1CRlO@!SvFG(%O1lKu
zniW-JSPSj#tii*#51hDf3FcSOGSl>(<;@fqj4sBkF3QNqeDQwgYPnV;zK@?C5&VJc
zrjXTuvcbi<qPbMrc)R6&5hr-CAZ^Lm*V96&@9ed1h!=b!ruppSrC;{Y8YrKS;x9%e
z+l=Q+Xm25XNU_X|X$WBiQU?h5`bX>fJ(~Ha!x<=YfBcO8cOpUrf>?h0od4=__6JA?
z3_Qj1kJH&#rOk0ybh2&xK)j;pNd+*?nIl;E9eV&67g@g2VPBFP6*;2X9Ccs8OZ-Br
zeSobcaR_>_U4AT#LtK7>!;t%F@-`6v^xS+(Ybw=ziqln7#3!>`NE6~=p-5j4e!YY`
zUe8zJW9A_c`xHLx&HqI}9S`7OPbPPNFD;q<tF7VT|Hsx)IU4&e&)Vf>Tt-g98e#Y8
zP5Hi8FSlwcg#iuVHul@|W*o0<zx@wddE*h$xN0^gTbfY5mAuGKltEq1%Ky1zbM#6J
zua-*5?()M0dEVoEbyx!v*!hO{XG-WKJu(pT<zKp9rWf6x(ak9j&eup-e$4Q<7odDX
z1AFDzGSKGX$h%*LPHqNqB7_k6J;oFv3a9%=5$I=|_|<B^qYq3eaM6b8GXH7YN%n89
z8Mmex*N{S;-QWGuDn<ew+co>1Y3cC2fr(<+CHR_`BvExwRrwy#zuF%G;y8Ehce1?K
z-cjI4_-_~QYao;-P!fcFg`k9AoWY0BL;i#vTpW<$Vh_{s;Qqh}ANUzE=mpQ%?|%_P
z*}6jJsc`=Z{<f8V8NfN)gDATf!@4{d6#0q$&4|3GiN2^~tv&^<&aI7v>C)GAlU_l0
zt?Tt*X(i(nn^UXT1TE$+^OZM!unL=VT$yxSnfrJ$&A68vXse9fC!8}|tZ{~c>EI`K
z!2y4got!Yr3hW8~79)zeY0TkoEPVaEnu-NJ6})B;ef}er4aniwVQrYbAvv%Zl47r@
zr8R4w)ElbJBdk8BDE2A7FdAspw^v1Zx=XT6wPx=_YwM|#1`5S@6dPeXcSgxcWL5?5
zc`64@SGu=%1UArqFO3KTk`dH&r3`JAqk`2FqAFxcsC%09q}njvvc~DuS!l})P*)SO
zYW1%iLn>57%nudmWEnn1X~N)7GMP8ul54pojErx{RmF`GX$88Mu#dW0YMb8l(tfc1
z_+*}vR5mMMR8wH|vYnzX)*W*_ak%;>c&x&DCJg*RS4(UP&kH<t!w3GEmP=sb4vfBc
zGtDJQZn#RfEAdy^<TzHPze%qpD%&;Q9|c`q8K-Ts+|0g=6%oRiceuKf#uq-LUF?wA
zP70xY*5$n?fZ0*gZzBk*;FUi}SK%WQ^cs4Y;N@65Ka}8%!7uTUx>*bax{E-ol*i`<
zHL?3fUqZu&G{TR3I=PGrX^ul6(A?EuLVHmQefTh}b3kiY*l6t*K89PU%-r;_(BK{U
zUU;8e{GIVv5G8t30ejuhnc+_zi0zASnRQHbaRTRt+g3+2{hq>`+XVDf+LQAx`t&sR
z)P7P|hXhG_#5t+Hy+;V$DSav~V2W}9y)Yd;fUL#UWz2hYIKWtcP_nGKr1({Zqj-{O
zBYl9Fl1+@XpnNzT);jP4jS4T{_?VPXr09g{{+wqrZ|6A+3WRZ2F~Yh0$Y{9I9}GRe
zRTqf|Z=ikY+;YE-_8|~4E?BCBO!2DfMUo%^3wMnras%JltA+Dy#`@)IfU1TWA7*&X
zJ<VcCwzLS(?W84_w@LzYIH0xFZI@&daI1o8W2|eMgt`_2GFirlg&B`5yRl(D1CJMg
zAONcA)<V~#tK!uUPjAap$)DS71~Vy#1p%Rwbg!-S7Y*LYe;gkUr%RG3Dg<2ah{oY?
z%|%0lQ2Hp=Zre}Q%cMWkZr+fR;rs-->&#@cX|aoM8`Fsgi|OhnfbD<FCsS@TH{LPD
zUONuH3fRc*K?M$+=8&h}3wHz_9et0S2&hATWoK2j>swsYyQWBQ|Fd!<nM!mc=>4(%
z;O(lVcts<IF$)E!(i)cPmGbuwXF~lKS`M3o`<A27c&E{G&sX+m(l_3V*)KOfzUKw4
zAL1Vbja+kcwnD}xu`cl@{n#!{ZHWrUfO3bM)fHdbZk$SOy74(&81yRLW*JE9CBa1>
z1H<KinB;$JmVamy&Jpmt_xzz%gcvi-Mq}s6SX+aBQvV+1vXtD3Zp5?!&4SA%Ah3yr
z7JQcd1P`b!Qq5H;k|TGE3YoAD$2sGx9Yv0<7?dixGctCL8qm9dq#jA^a?QiT*h|2V
zw1Daf!p=X0_+M`h&%vo-KDV&gxy+>O2w)?$<gF>xL2tTl#^yE#$W97r1*IZ3=(!2N
z1l)#KJCyJn*|k>HL28$Q*WmkRE)-_S${r5Wz1p!bhSZTnHNZ-~;nX)NKueOEq2~s|
zJWAd!1|YszXCi7%pkFg@ckb)I2AB}?a!IQ9oz`u7ZjmEOqyoD;8FfWp(fwW1R#h+a
zTSL;`I1);TVWMUBY`KGb&U^ZnWYqNv9E1gB#9-+ZcEejAL2~QPpSFsS_*bE|+vK<=
z9fC_Q`oll}$0iOua^TrDj3hW%=yx6g@N{v#ew?Js@wzA5aFng$!~DO5<D98KCk_}h
zL+ydZrJ5(NDWG#!|8sPa1$Oj*wROBVw)QJ9$d;7D;N_W_%Xj7KEH<5j1s|$eN2)-?
z)d0Jf4=_ie8Gt{L7hV5f0vsRQ$dpcbHaU`QdUd9Osfvj2ph2McD6*-%FpGXA@D+ct
z)15$AdmiEC;BO(C#6ZycloIyaa^@~I{8@5=Fkt0m-2oHf9Ex{LK=FV=%w8(Pto%CW
z@0F&HXmNgF!kx<%+IM8RSGKm#ei?-R_8L|+&Xu{@aQ{99#u&~HoB~7YE4$$(_)mLc
z9K$`djPb}RK1boRE<(uFyne)d;BRRiNN~&-c$D#<H=LS11%G=KGb>uw9;Tk^Vy!1d
z>71RCP7Patd=O>wzx#7`MlBMV`Y-(TJIJt@sPCS%Po@nS#*YG8N>cg?F-e1W53poN
z&!Y=SeMXNrg>eC^f366m4+`Vv?xC7M7WS))>f>c#2LT^Go9nZF1^7%JU&pwqAlgS#
z4gF81H~l7O{EQ3zmoGr>7XE9$mUee8BKmeU+#=@Gu|e$vr}TU0)26O<0yEN{)jr-b
zZgml>w2!neUZXA0eyGei!Tz>4b23XcifC59N8GS8FQxS#WY?{77ti?Cy$+(Z>)NJ$
zCA0==ABT{C-WgcvTG>E|3}RcOG!w&I4jNVaKo^5jVh$-Gm*EkeQ3f{;9$)m(HW*$!
zRzW^rLJZ_H>a>p^2wyxjZ`x#WLGk1&6X{LoSQNFbr^YFR0jtBf*-}kS>1Gm--U!!+
zo9am$n(4pp@b<ZDzDV_g&rR#8tqwQP!vW#To}Y#qyzBf)ZrdrVuD2zpZBNM^dlFyM
z*bOk4z=7Dx(ECvO0b4;}58gT@L{bDgQe1_1!b}Ed1SVs~uXooL&`p*apaFO`CN-ya
zWnRbfG2kSjl7iwHiyuJ=z<sA_MDTI0>WWvEZIWLzEQL;AT<=hJPAICcD}MG_0mwlr
zALHR@3NI7tFFWQK;W`(*2hl2#DH@fROw96}p3OBYi(5J-of{6|;a=0dr+f?k@iYb+
zET{imm3x`f_v`S-yQKFWpBr@>b7F=smEUi%0@9DJYCAqb+C)xp_+r^^_b=910nZ$8
zK+f~2NXKVg-Fs_pi+=7pDfMu#>*r6cUgO(8fBLXR*xft9B&{xUZ@i@SxU1D_VQ5R!
zQ(XQ<xQd!eNh?Reyod>!ll7y^kN;J>*LU{7fcTM>yT@_gPf_{QPe<Dm=3`;|u(@#;
zmB!CRJRcPHVg<PJX%(X7ayk}uF2>zsB|t~5ZVz)!ow=(+Nui(PfnFs%C9xfiGUNAb
zPRUR3d*5Eccu%Rx$Tj}KeC`Fj@xV!ef%vrcfeUgpoPC}+;M0@f>IY0d8J^kkX4}*K
zQz=as7jp+vV0TdlyfAJ3D|34WDIX>3yU9)tz1(#Uv=j_b-D$%)gQU=&+GX7nu1bbZ
z%%#2Z4hejDi^7%wV`dxu9_@2!qJ3|n$Z6h*MU7f2Y^~kwuSCPO?c6|-d|s~)9D-jg
zsS`aXR1+xJqDHnnjCSNgz_UXr5<_`@L+Vbb>n7wtW2_6|PH|>{U4F32IV|zXomFbb
zic?u<Vxqj*MrpP`aCgay;iSVVFL<u%b8?5O-wHmM96qh%gF(9>he#m;!fz!4VfE~d
zg`dP9V1fxY%IC*gpEXHhgn6!Y-iPi!V0X^&tzd-bebN*zv3d6jN<Q>lYr(eiJxo-@
zM-1vDoqPpsJ%burizd((?8xnUqH&NkbDvu(99c^@_!_Z$f+2n^h!JiS{>VuSQ*TJ9
z!T3@_8wPH-l3FGq1r0u}B{Q4W*a%*-yw?u9ktBYUfk~2S{h}18xlJ9Z^l3c(i!7<K
z0u3@&H#UdI*w3^TUjxL^p5i^Ykrtu>VsEB^JJjEVJEY{^@*8%u{6RL<_wFN?1NBSj
zkDW^qU5?Qm2#Tczou>$Y4O&`remd%K)kyO7R%U3qtBJroDRjCmRp0aD)-TM2et}`{
zo1?S1bM7zK{TEEmP;I>&)k_vs*Nv+1TIMKPJ+5GH&l3VI*XKGi@C^&D=i~kL9o%<`
zFi!wb@r2#=p&sYL6i$T&`WY^B-<kp0>zk=m^~EqNb7TJizpZ&>M;PdTQv%qRE=Ya8
zBX@tgg_@UN%D0GTcl|8xxy|lomQ|G8bo3}Mha9p8HB9C<>O0$d%<eup@>H_2@ZhIc
zeR||xGXd&voatihGjx`y%Eip)MKjttx<0`!g>KhCW^qK+5^2_U9E946_3%kRKFYYe
zb1_(88T#&ee$7ma+%xfKV#B##l{|7Y`EJ5iT_8W{51U>WWYL)8!IbqFHH&*r481o-
zKk^CP!k=VFZL1-~R+GV{R`Ps0_OiN^u0t!cm%5%z?vWBFzB$m1G-g)Njc^`!n%k|;
zPLDi)Z`9+E+m&OH@FLh}xKM2|7IQDVgV^x>c;;-Lzk)yJ_|06kC0ru~NGFXE8r)8F
zXFqk4Tjf-U?Z3r2!Ndi<oLg>BDPZLK`cS&U_?4v_o6&hW#>w#$5DpAv=tclx#40jo
zqQ_KWS(xE6mNU08J9)X$TdQr)rA#X5_EfUdKb+a4yi%e7h=EF<4ef}M4WOciH9L}o
zBMd(O)c%ZT$W2W`;W<KSR8=VeP1P4&I*}}<6uYIY*GvJTZx1IxX@FAZcgS02Xs$r7
z18Dj8ZydO7rnmzAaqy7QuaOd_Sax5bKsFH#+cIxd5!tbgKOrZ&1YT$F&+gvPRZ2%p
zyiHL40uG%Jsvm5<M2~p_+S>ClZ^-B-(j)sa7kc^dMEsHaH6jsWc;GX{(Eh2dH*<0m
zd@j(aSnX5A4+BG&49Ts5B=N5T2}nM+&n(*X*za!}*Wu7R=SeJY=VTVfrm3vPtvXBH
zT^98{&%c(=E}?ilj_dQ_kh*OvWLvG{RaE%YFYAgaiz&$Xnn3bQo`$%EuvKaIXuNr_
zxOQ*v)0f#yvIC-HdYyBPmWj%BL~bwY>v9PW-!h1Hycx0tGvs5nXQMibk{yd}$R0x8
zPg?Ev5bi$53L{i77d_LtbGna^;@`HtJ8~BZr_f~WQ8Di@O$F>O^N{u@jXMyU6vYZu
z#W%4j{sE{9Qp00?QkXEtXUC1ry>j|JZ}y4|DYR2oZ{1EK&RgezC1q0Sy>Qg(c9&??
zsaSbOZlh{xMftq!I4UkYYHpBlGN7fuH7XXb&7?rQK9u@S@J2I_YRU(_DY75FjviCi
z#L&^@N1{;)1Fdq6lh0^ZrNhR=JrFfAER0b4ySXO<)tC>w&|Rss-h?a+HdY2YL=hTg
zTy;=qMCiv543jv<;`zL}#pABg+5HUWQ!V<4Y$XqanULX`@5;^q2JN!GUrZIp?mh@(
za&ufyYf)99@(F|K4e<aEsTjmksf7_<$<Mt57&sgXg3{Kw=I(ca?x{51Z;yIuw>E*8
zr=_-(g1uvzvG`~OApPP;&>m@fh58A4*RGrXCzkT44Pm`7*d@(&M5!ap$hQYfoXsbd
z4rxWOF<m8=EOlsO74Unr^xd9DwUG;&Gq^_sPTTpS8}$g&y$r16ZXg6+vb~EMNcA4P
z?!OrfV%BC>X^g`MW54ZaW4}S9P#N42EXGX2Ck)>2!Wr-rU^ey0uWhRJKwUJ$dP=|Y
ze&o0<o7pb8*xD5(7IQNy1cQ2vvR|fQJ|u4#a9w!YRS22LzThNB(K0Ipuo#JyF@aLv
zAPd-u&Y{<vfb~^em0OtlT@Zot_*X&1)xF;Z5r^vTrMIcw+$G0-bZ{RfT$KbCw)#YS
zG)X3<#gh5J#{8rPEk+uRuBgV#a7bH}FmSM#x+8jxS}<(R_^rq@RiyhKk4FB1J4-~W
zTd`+-Y&;|rbZ2=)YG)>fqW-|0qM*x6jHf<u(37&Drk<VWPhC8psXbXs*q*D>F$bH&
zcaGdSYu^b6vM^M0elUhLOjQISZoIR(h|(5T6bh1S+##2tpQQVlE){I?O`ORsA0q^_
ziyi%f4%T3=y3LBQ|GD_(p7FltPcd?(Qs5;(Kv2IPHFVe<@!KDC_pZBQAIhDk-dUi0
zE!B(aea2m=CX@N1Vk+UC*e}3K-2?q+Eo_Y~$qy551XQh%Z4X-wy-4F2j^wkSCCl98
z-Pq?g<#bD&^;bJUUl7Iilq$8Eo3H+q!28e~9pLS)rUlcV-q6sZ&y1KESLKRX)aZg9
zjv1D+-_bSuL_u{DWL^=u`!59$urC^U;JVG`qM**bS4COzPjy~;Hh*IQDqmx%-n~Ux
zmuOL*D-{asuY`b$sloa>Q2$gLo2Quc>c_Tm+FOeO{qNu6W$1FX{Ke(V^Mq%~+c<uC
z7=wu}wKTjhT)GMSMtda2+ge_{n#)%XP&=bra4<McA+rAVEZ=*{U(+Yp9I;yODcs|D
z>tai|4zv(+TA*1i{EkdT{9Q)iYFW=loxZT5!;Y_|qQrkS=j=8+QlZ2jYDU3tjvU^%
z_w(tuiY@y!J&`n3YW0dqX0GuGd1$8k0$K)cMF9=~JvpAz#3uVRl^&FKIbQZq?JPC#
zu-d-_p1lND?f^LyvIyx9RnNRjHP4(N15d|?J$$B9R3jw4*Tmeb22$#CNV+@3<TIuo
zK64?{d7j{%ciqg%S+2{>!y=5^96r+vui9d2Y!fVB5Z0lHh%F&eJJ4@@vKhVm{Hdwi
zKz3m8z^L11aE<{%`<Eydvdb6GQFTd}X!dUyz5`YS!l&tus#~=dLNvT_1`Vb4aDyx_
zS$&I*QWo(OaV@W}uT`oz5PRn0u3o=7YKqxiu==L`>q-ERvyNy!FWlSVj5)l_^;NiP
z^$(ifjfRRUL(hk$y{3WS<II(intoNo`I@(w2e)Ew3-L@SXPs|f8+xmgCUSDap<dv}
zP1x`ck>nOtx<m=PLWKveYvHdsmF1OAj~#&J%CH(5+1*WYu#20NvL66G^JuYb0m&z+
z3n2qvgqu|#zq-`-rN`mkeeZ;-RzZe9*v}hM%?OeGaKwuqwGtj4^&A2MvJ-pc(vMys
zbq)_)SH<tF18V_^AbFta)HT2+jt2=C88}J^x0G%HRJM5Q=PGfI2|%8CY(eMX&B<$z
zrE(Wnf%7?unvQ>NqlvJs*AkPPDfC>h)JfyR4i&<A47pw@>>at_wRPmuneMiM@YVvS
z?v_`Ws{Dq<eJRvdwLb8-LIb-REgF?)KZ(ui$#h7=Jk*mo%8076$r4Nv5VgsDZNAUS
za&6N_YIliKus{)bq&f}I$w>cjxXR7`ByU|8EV4Xw$8+L&T9!~Y%J+5@qL07de*For
z!=cSu?i`;4@-~liR26M!X4f+R$3+o=KzaXQ{<yFj{^QJ#lC8FPpwnkY+ceDUnbQp<
zgTaJ#Pnx11pTh=J8iGUIx+ntRe__P`P!@63u#Fa%Px%`~VtbG=UJVw^z-Qri6%BEu
zm;_SR=D0L?t!X!`zhQk__+MN2DC24X8F-Wto1oY@19%ScX{=cf@f^`j0`X#w=)rN_
zv9KC(-3gIjluwOzhGuymRf#*Izj#aJRFsR~ir`H5uAkaYT%FxDBVWbqQQnAkf4=7M
zYBzGbCi_2t#;2_R7tokhjg(LLzEBBsSM$9BFYYK+eY9zW5>HRp3#nj%Y+#%|9*aLy
zcyoCTAQKXC0<;!F*M#dKHhG!AQs$R!4|_dJVy#-)M!mq8G$Atck4gBplu;mZ48-kN
zyo#H*3nWj~4~<KI_!m^{w+w)7lT*XrNY#|fKU|0`2ppvChrUf38QiA*wB5yohbz*Y
zP@!YioB|;khWawt3$~8j$g}m*dLzZB<(>R29Q&a%#>m*2e4)597_XG$K^d$=wF`>f
zNEpbz1;`!{J}DO`BRwZd*X$oBBox*8;NUP2d8yuHs}Ao?)R5D-f*!joe{yAl5I)p%
za6SQUeI0xhFt+^^zAcP9j`7Lsnqb@@;%}<(#rPeIm(6T+%W22Vn(9o87JwR4Obg_p
zDQkP{Y+i5=sqm|uc-Sv%9ebZYXMx_AkxY`8%yzScusj(%!LGhvUj_p(G>sO{)9v6m
zY><4tNKetGGpaAghU5^a#sZk=`1&l7PSw|}F6ahKQBR8tw|sg;^WOXm<xXwQ3hN&$
z*fS%|CdXZs-ML2>3D=q?Wb9v6M~<4RwnpvWCGbxPFm^%c^_PI4E{C32k!(zyqt<cy
z{t|7?k-Vj1PxaJS9Sfm)wOn_n^x~H;`eCzvk_nkcp9B*{X3ARFtH#e9&9S20iU*M@
zT^?h5=(<?B`|c4ou6^2{OY$w@nB6Kyt-1c5(=x%~Vf{rrUrAS5aq(z<Dj(J3s_g1C
z{M>MZxqRA;K9xpBzj<!jG;gmqA!lbsgFB}XJZK#4a-Eg-ht#5pkJ1(2gr@pUU2KkB
zBHfE(D??x#DpDeJfm|LV5urJss;4!#-FTsRGCPyPRhY8WO4Cl7pH*7{sg+KBWW#QH
zjaet77*^w9YFKq}guzfSVZmee?xbMC65+X=&u1m(3vZ=Nku`UKlDY^lLVTU!=cr1d
z`VBWD+`chIoy_i51BAZhIDCqRGoOU`fpDT_-h0Uqmbs^lC+xgSRtK3j&0|ZCf6W8O
z6>wiz<CRpkAgaICc}XVDMDf+Tz<sDc1IPAAWMU;!CdlgZHM4B(3UuoyZeb5w$XMoo
z6ZQ4ai@5T7^5O&dAreBFu&6N=QWBHeqIxG|i*DKqIg~d(pKEkP0G=}SLoH=E->}4;
z1ZAg9{XrKyt;s6cq}Bv5GEJoddRZN71_yWMV3^3+1MGVBRnTcM7>cFh4d((h!4TM8
zs+4c`)dVw6RYpy^>b~9)SVD<umvPAq%;B0S%)s|r&kFb7h4!R9Tq^L;AjONSX5pko
z@-lB^pCt+iG_ay4CK13_FVlD^zz{=$-<Y3h-KE^P{y~B5;O+@oe>c?Eb$2+N*YhBs
zR*D)2O^Z08o)hiv4fc0c)sugkFQO)Kls#>5QRc11@pkJ~RZ$rlF!+OP6tSwLwkuxO
z(o_H7kF?B0#3qyXCB730u55d7DUw!iT*Z2x%-hF-Sike0(1{M;;F?KxEiS4#3l2GI
z2kP#e>QF{D^5|@XdY%w+1*)#e*GdXd^gZd7#C+hx`47VWH!S@Jr`L22$-HO8Me#Sa
z2MY9|1`0>v=iK+wBXfEYw4_&y8*|3|30Q4_YD}|KW3ai?l<|8YO@cHFt?@BVQb?^i
zwcakW>zGQ#S~K_&-zh!j)-6}n8<>*JV~*M=+9sD-lFysnrGcAOJ0Nx)xcR73&|kvl
zZU%~IM+xJCZ~&xQUxGubq~rfPr0TH`@~N{5vfCrcZe6-GK>>Ur(C#dUyEoxfSF+kB
zqMqDo2&kN+Q@=v`5VnF@NsmKtt*PZrKop-b0XaCAEx_`h4SaJhei*U-w$@7aL32g2
zS1{~0855u#h2y1<eX4Pv_sz?*1><JkF4F#3(-tA-B#hhFi;*i#KI1<Ipgp21suS9-
zDGU+nblB#kmPh5Afq!k4jKzE`de9dV>YFi0i#7MSM`p2Y6|OpYA^zRm^*b?T2PZ%a
zf)@p8b1QFhK4G~L<_2!CB`(#|1CC|Ro1jDNZQMxzCof03hm3ChTY(*=hF_k5@a;QW
zRp{^EsedyDtQ|m!p(D8Sz<;<*+KmbqN5}3+o!D^5vUDDaohq^TebiVpKH>73iMbhL
z32zzc()e;2`-P=rFF>jNTxj*DIa~3>9z;<xXGAkuGUoz2+#jwgMGT-+uW1OlZyqhv
zaF#W`jdkl0@%Qap@VGn&^lV8AsHW!V+G3Xlw@!Km#)<t}{P0Y*bsqoLH;em?t4TNL
zNSabpEp}*mKCBWT9(W>^U095sU<nj=uPrQisQB`Jhq^~v(7<b|;NLEpk)V7$SwL^+
z_Id1YL4&4R7l(#FQG_Ax6(Gu&x}@T6RzsNzkFKA-5PPP0ejSsRydC*ybepzkaHjWk
zD-2a+j?O@zF5XE<Q79~28GE)hs?vYFY`Pt2!)J-Apfx2?Ir5L%TPCmMX?$iTtz2e>
z{u%CVyK8h_{Dlvka_JJ`iTv{?ntlm4;Xye%c^HY@y1sB#d~Bo?8+qGZs58Mm5Y*nW
zo~nuS%Q$g@;ir*_iC$=0rjRTnqqA$X)Yf5_U01>mVaR5tgSSW80BPCA({dJ%Ox+)o
zavD57cMxyHL|C#xjWKQkH4})33R6<OVa97Njm!opy{C;*jaeK0zr=w<Wiul>N)Jw!
z@^#(ULSN)9cjPkl4~i@k*1EgIEam#HKkSpC!-mP;m!1}KSi8wC{VQ#t8k1#qY)Wqn
zY9HMe?{gm1oiwr`06(&C*ic-%{+<Om5cNT#ufX?A*-ypeb?<vo8umfd>`$VY@+j&d
zoN5M&&g9p~9nc5eREu_(p~t3Su*Q!&&NN^bPXe$c!&PwJ2TaFJuOKGq;Px<Zlt`9M
zWHDB@O`PEN2iw>=omS9(E^z*4B?Qy`Y=;)MdimS|W%GIR%sDQ_`E;^BudzZMwJ}&e
z)4>Uyap!@~9N&Q+4(~Rtc2kQp{B*xs`$z+1VzMdyH4|!jM}fo4(;<d++w^UccTyCr
zaXbb%iWZI~w;OZGF;e*OhlV4Ou}-v-2SWQPO%A;clHi60?^n6#>}GoepTxAy@zPuU
z`Gl)|(UJ>7xy^hMo|usmMAJ*nzK&I1iR<W!j@-IuVUvoi2T=q=1tb&}ow%wQE96lp
zX@B7fcNslJ<p>gC{Aj`AdneDkZ}HzhK~!7<&!g>tRs-cf@nYxx3)}p6)^B_p_sN^|
zsn<azc>OJz;+X$0U5rJO8b^vOXmrr^<Rrsn9@~aV04k^cn>pwFn$sn~tOK0$qgvKJ
z)mW;OJuu}b<UU%pxTB(79nlozTgQGCJ=K}D(l8UaS@y8zVE2_!TF~Z>!z<wdWN4Z1
z9!rE{>^-P1>7=IQs6p~P{U|BaemspI>bLKJpp=rmm2(Ex8@WGt{q9k<_$?c2E4h$g
z)Cn8AuEXpDeQWfB3h5Vew9c43bhby>b_np5=u=POjpO)bgA3cT`eIPVth0fSl&_jY
zdAdLp*~>DIqMr6U=+oP#${*UM78rhCXjvy=X{iCEVdDp<sgrRDONm*bmheiRiKu4+
zU^VBSSQA4lu7C1-_YD^@UP~O{e**(j(EhD-+7LKIbpDgrKhFeVx_33{d&X765Rc6M
zx{tB%>SA2=BHKFa)3V(V9o_{kMV@(C!Ox;R-!i4{Qez~~r2{X{35u)E&sYEl+v*~E
zipRS62)AwXq7L;NnSRm5o;Ug)Y!;ktY8jMX7$-`_48D9icM3M=8$GV(o=_UHVITl1
zA06^^&A(phmC|cNKh|GOH=H29VjI3)Y(-4vz_@~H1x;|+^eX%?<+`UdH|T8KV)zqi
z(yyayJ0UvLMTFD<P)6yHh2dN^joubR^j6@6FY6F94Y#|%0aEKp<t!1Wi_h18wlI;M
zH*p6E5V%ea^V_xpSJoLnRMWGkueV&N<~Gk$i}uou52+r`puSX=V>-&EjW4gxn`ipA
z&eFj_N5U!oiqoZ^934DS+^phJAo1@N`hn?WfeP=9`__Z^&@cvYVD}I*Wsqh;RuF{t
zG3>W*kN+rxk-w5fVObAqH}tD8na{|=2n(ai{Ii{^4oUfz>bKCRwvlu%!<E9XK5Jus
z?#or#nesHo(?rD@{c#{{FURQFH)1ro)udeJRWbVf!odkSCAaS6$%AQ$W$~|kDTjBW
zjf(8n#-4fDSpdD!Z$nh$_0NJUnJXZvabB|xkksRqcGdn#{O4O6pQpsTa=2D1Eyyw?
zvBS|~FJ6&#LY(|Ltdw<p3ur5Qp+V7gVG!2nL6zNG#TY}`lcRf(t^EPa#P*s*p)xGx
z4GZW*UZDP`o12lP72_UwYrlS`Gv}$W$qQ~26@{W>6f^QQVn<KJaK!oz3h9z<GcBTx
zs!Eyia~?hHg64Qu&b-zrjX(ujeQmdq(#CpXtQ;Ost}zeMfPEC3tc0QKr1w~%zp(E<
zz^0B+v1gMJQ7p6{qbFZ!D;>#RHW4QWN?_vBT1|Qs<>TBoIUiUDf-$WHF-wUI>@o5M
z&gZ5BRiD`?WZWfBR;y?{V8S+t;27G;aJY_BiIHz|>sRD*h{r|hFh}Ou-n`DI>(Z#Y
zK;xR39OD|lugF&%Aj@1M2`o0Bmbeg4%tBs+WjNRmn<Avo9SiD39ZcQ-<c&gA90(6{
zK`&l!T4*5u3~z#^h3mJatQK0dbDX4l9i@hb{crOeM?;J7MB=NeQX|P&S-`uU=`l54
zUy;{$`WDezw9F4}?+xWfW6MY=QUX};{NctW{H-Yix98CZBZoaNfqDjq@sxhR|7$4l
z-^M@-zwIUe)H-nhvzfwJ_^)DFO$R0lNYmw6B7E|Lg!9=vAuu%x02t!``35Hw{GacH
zyTd3R@C={@64={Bzwm*l38)W%RExW@K0uxN_kPt>7060RxCH!>msWXR^7K`}{{sy)
BsL}uc

diff --git a/website/integrations/documentation/dokuwiki/index.md b/website/integrations/documentation/dokuwiki/index.md
index 349507c5aa..2dd3bc1cb0 100644
--- a/website/integrations/documentation/dokuwiki/index.md
+++ b/website/integrations/documentation/dokuwiki/index.md
@@ -35,7 +35,8 @@ To support the integration of DokuWiki with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID** and **Client Secret** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://dokuwiki.company/doku.php`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://dokuwiki.company/doku.php`.
+    - Add a **Redirect URI** of type `Strict` `Post Logout` as `https://dokuwiki.company/doku.php`.
     - Select any available signing key.
     - Under **Advanced protocol settings**, add the following OAuth mapping under **Scopes**: `authentik default OAuth Mapping: OpenID 'offline_access'`
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
@@ -68,6 +69,7 @@ For **oauthgeneric**:
 - Set `plugin»oauthgeneric»authurl` to `https://authentik.company/application/o/authorize/`
 - Set `plugin»oauthgeneric»tokenurl` to `https://authentik.company/application/o/token/`
 - Set `plugin»oauthgeneric»userurl` to `https://authentik.company/application/o/userinfo/`
+- Set `plugin»oauthgeneric»logouturl` to `https://authentik.company/application/o/end-session/`
 - Set `plugin»oauthgeneric»authmethod` to `Bearer Header`
 - Set `plugin»oauthgeneric»scopes` to `email, openid, profile, offline_access`
 - Select `plugin»oauthgeneric»needs-state`
@@ -75,6 +77,7 @@ For **oauthgeneric**:
 - Set `plugin»oauthgeneric»json-name` to `name`
 - Set `plugin»oauthgeneric»json-mail` to `email`
 - Set `plugin»oauthgeneric»json-grps` to`groups`
+- Set `plugin»oauthgeneric»color ` to `#fd4b2d`
 
 ![](./dokuwiki_oauth_generic.png)
 

From 8554427d3f84c4da39f1c9b6503b538b25ab8c3a Mon Sep 17 00:00:00 2001
From: "authentik-automation[bot]"
 <135050075+authentik-automation[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 05:35:35 +0200
Subject: [PATCH 50/68] core, web: update translations (#22983)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
---
 locale/en/LC_MESSAGES/django.po | 10 +---------
 web/xliff/cs-CZ.xlf             |  4 ----
 web/xliff/de-DE.xlf             |  4 ----
 web/xliff/en.xlf                |  3 ---
 web/xliff/es-ES.xlf             |  4 ----
 web/xliff/fi-FI.xlf             |  4 ----
 web/xliff/fr-FR.xlf             |  4 ----
 web/xliff/it-IT.xlf             |  4 ----
 web/xliff/ja-JP.xlf             |  4 ----
 web/xliff/ko-KR.xlf             |  4 ----
 web/xliff/nl-NL.xlf             |  3 ---
 web/xliff/pl-PL.xlf             |  4 ----
 web/xliff/pt-BR.xlf             |  4 ----
 web/xliff/ru-RU.xlf             |  4 ----
 web/xliff/tr-TR.xlf             |  4 ----
 web/xliff/zh-Hans.xlf           |  4 ----
 web/xliff/zh-Hant.xlf           |  3 ---
 17 files changed, 1 insertion(+), 70 deletions(-)

diff --git a/locale/en/LC_MESSAGES/django.po b/locale/en/LC_MESSAGES/django.po
index ec23cf2ce9..6f636c5735 100644
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-22 00:36+0000\n"
+"POT-Creation-Date: 2026-06-11 00:42+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -3399,14 +3399,6 @@ msgstr ""
 msgid "Google OAuth Sources"
 msgstr ""
 
-#: authentik/sources/oauth/models.py
-msgid "Azure AD OAuth Source"
-msgstr ""
-
-#: authentik/sources/oauth/models.py
-msgid "Azure AD OAuth Sources"
-msgstr ""
-
 #: authentik/sources/oauth/models.py
 msgid "Entra ID OAuth Source"
 msgstr ""
diff --git a/web/xliff/cs-CZ.xlf b/web/xliff/cs-CZ.xlf
index 5515cebdbf..e0b633b284 100644
--- a/web/xliff/cs-CZ.xlf
+++ b/web/xliff/cs-CZ.xlf
@@ -6187,10 +6187,6 @@ neprojde, když jedna nebo obě z vybraných možností jsou rovny nebo nad prah
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
   <target>Volitelně omezte, které typy zařízení WebAuthn mohou být použity. Pokud nejsou vybrány žádné typy zařízení, jsou povolena všechna zařízení.</target>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-  <target>Toto omezení se vztahuje pouze na zařízení vytvořená v authentik 2024.4 nebo novějších verzích.</target>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>Krok použitý k nastavení WebAuthn autentizátoru (např. Yubikey, FaceID/Windows Hello).</target>
diff --git a/web/xliff/de-DE.xlf b/web/xliff/de-DE.xlf
index e07cd9f2c7..7d7b38120e 100644
--- a/web/xliff/de-DE.xlf
+++ b/web/xliff/de-DE.xlf
@@ -6213,10 +6213,6 @@ Beim Erstellen eines festen Auswahlfelds aktiviere „Als Ausdruck interpretiere
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
   <target>Optional kannst du einschränken, welche WebAuthn-Gerätetypen verwendet werden dürfen. Wenn keine Gerätetypen ausgewählt sind, sind alle Geräte erlaubt.</target>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-  <target>Diese Beschränkung gilt nur für Geräte, die in authentik 2024.4 oder neuer erstellt wurden.</target>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>Stage zur Konfiguration eines WebAuthn-Authenticators (z. B. Yubikey, FaceID/Windows Hello).</target>
diff --git a/web/xliff/en.xlf b/web/xliff/en.xlf
index 53c95b2ad2..299855a203 100644
--- a/web/xliff/en.xlf
+++ b/web/xliff/en.xlf
@@ -4781,9 +4781,6 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s1f4df216b56de4ac">
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
 </trans-unit>
diff --git a/web/xliff/es-ES.xlf b/web/xliff/es-ES.xlf
index 2d8e26c5f6..57a0f06b07 100644
--- a/web/xliff/es-ES.xlf
+++ b/web/xliff/es-ES.xlf
@@ -6153,10 +6153,6 @@ El valor de este campo se compara con el atributo de pertenencia del usuario.</t
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
   <target>Opcionalmente, restrinja los tipos de dispositivos WebAuthn que se pueden usar. Si no se selecciona ningún tipo de dispositivo, se permiten todos.</target>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-  <target>Esta restricción solo se aplica a dispositivos creados en authentik 2024.4 o posterior.</target>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>Etapa utilizada para configurar un autenticador WebAuthn (es decir, Yubikey, FaceID/Windows Hello).</target>
diff --git a/web/xliff/fi-FI.xlf b/web/xliff/fi-FI.xlf
index 908b56d2af..64c19da239 100644
--- a/web/xliff/fi-FI.xlf
+++ b/web/xliff/fi-FI.xlf
@@ -6328,10 +6328,6 @@ läpäisy estyy kun jompi kumpi tai molemmat vaihtoehdot ylittävät raja-arvon.
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
   <target>Valinnaisesti voit rajoittaa, mitä WebAuthn-laitetyyppejä voidaan käyttää. Jos mitään tyyppiä ei ole valittu, kaiken tyyppiset laitteet sallitaan.</target>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-  <target>Tämä rajoitus koskee vain laitteita, jotka on luotu authentik 2024.4 tai uudemmalla versiolla.</target>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>Vaihe, jolla määritellään WebAuthn-todentaja (esim. Yubikey, FaceID/Windows Hello).</target>
diff --git a/web/xliff/fr-FR.xlf b/web/xliff/fr-FR.xlf
index d0b4174309..831b3d0501 100644
--- a/web/xliff/fr-FR.xlf
+++ b/web/xliff/fr-FR.xlf
@@ -6318,10 +6318,6 @@ doesn't pass when either or both of the selected options are equal or above the
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
   <target>Optionnel, restreindre quels types d'appareil WebAuthn peuvent être utilisés. Lorsqu'aucun type d'appareil n'est sélectionné, tout les appareils sont autorisés.</target>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-  <target>Les restrictions ne s'appliquent qu'aux appareils créés dans authentik 2024.4 ou ultérieur.</target>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>Étape de configuration d'un authentificateur WebAuthn (Yubikey, FaceID/Windows Hello).</target>
diff --git a/web/xliff/it-IT.xlf b/web/xliff/it-IT.xlf
index ae785e0830..70bea2cf10 100644
--- a/web/xliff/it-IT.xlf
+++ b/web/xliff/it-IT.xlf
@@ -6110,10 +6110,6 @@ doesn't pass when either or both of the selected options are equal or above the
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
   <target>Facoltativamente limitare quali tipi di dispositivi WebAuthn possono essere utilizzati. Quando non vengono selezionati tipi di dispositivi, tutti i dispositivi sono consentiti.</target>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-  <target>Questa restrizione si applica solo ai dispositivi creati in authentik 2024.4 o versione successiva.</target>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>Fase utilizzato per configurare un autenticatore WebAuthn (ovvero Yubikey, FaceId/Windows Hello).</target>
diff --git a/web/xliff/ja-JP.xlf b/web/xliff/ja-JP.xlf
index c050ecbbe8..938133e8c1 100644
--- a/web/xliff/ja-JP.xlf
+++ b/web/xliff/ja-JP.xlf
@@ -6322,10 +6322,6 @@ doesn't pass when either or both of the selected options are equal or above the
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
   <target>どの WebAuthn デバイスタイプを使用できるかをオプションで制限します。デバイスタイプが選択されていない場合、すべてのデバイスが許可されます。</target>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-  <target>この制限は authentik 2024.4 以降で作成されたデバイスにのみ適用されます。</target>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>WebAuthn 認証器を設定するために使用されるステージ（例：Yubikey、FaceID/Windows Hello）。</target>
diff --git a/web/xliff/ko-KR.xlf b/web/xliff/ko-KR.xlf
index 4c3f600733..f8d0affac6 100644
--- a/web/xliff/ko-KR.xlf
+++ b/web/xliff/ko-KR.xlf
@@ -5880,10 +5880,6 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s1f4df216b56de4ac">
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-  <target>이 제한은 authentik 2024.4 또는 이후에 등록된 기기에만 적용됩니다.</target>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>WebAuthn 인증기를 구성하는 데 사용되는 스테이지(예: Yubikey, FaceID/Windows Hello).</target>
diff --git a/web/xliff/nl-NL.xlf b/web/xliff/nl-NL.xlf
index d47029f2d6..35dcea3012 100644
--- a/web/xliff/nl-NL.xlf
+++ b/web/xliff/nl-NL.xlf
@@ -5665,9 +5665,6 @@ slaagt niet wanneer een of beide geselecteerde opties gelijk zijn aan of boven d
 <trans-unit id="s1f4df216b56de4ac">
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
 </trans-unit>
diff --git a/web/xliff/pl-PL.xlf b/web/xliff/pl-PL.xlf
index 55bf4aab79..b9082faea9 100644
--- a/web/xliff/pl-PL.xlf
+++ b/web/xliff/pl-PL.xlf
@@ -5896,10 +5896,6 @@ Można tu używać tylko zasad, ponieważ dostęp jest sprawdzany przed uwierzyt
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
   <target>Opcjonalnie ogranicza, które typy urządzeń WebAuthn mogą być używane. Jeśli nie wybrano żadnego typu urządzenia, wszystkie urządzenia są dozwolone.</target>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-  <target>To ograniczenie dotyczy tylko urządzeń utworzonych w wersji authentik 2024.4 lub nowszej.</target>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>Etap używany do konfiguracji uwierzytelniacza WebAuthn (np. Yubikey, FaceID/Windows Hello).</target>
diff --git a/web/xliff/pt-BR.xlf b/web/xliff/pt-BR.xlf
index e9454e0fc0..345b3dbad6 100644
--- a/web/xliff/pt-BR.xlf
+++ b/web/xliff/pt-BR.xlf
@@ -6322,10 +6322,6 @@ retorne uma lista para fornecer várias opções padrão.</target>
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
   <target>Opcionalmente restrinja quais tipos de dispositivos WebAuthn podem ser usados. Quando nenhum tipo de dispositivo é selecionado, todos os dispositivos são permitidos.</target>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-  <target>Essa restrição se aplica apenas a dispositivos criados no authentik 2024.4 ou posterior.</target>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>Etapa usada para configurar um autenticador WebAuthn (ex.: Yubikey, FaceID/Windows Hello).</target>
diff --git a/web/xliff/ru-RU.xlf b/web/xliff/ru-RU.xlf
index e685331bb5..87eb455407 100644
--- a/web/xliff/ru-RU.xlf
+++ b/web/xliff/ru-RU.xlf
@@ -5946,10 +5946,6 @@ doesn't pass when either or both of the selected options are equal or above the
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
   <target>Опционально ограничьте типы устройств WebAuthn, которые могут быть использованы. Если типы устройств не выбраны, разрешены все устройства.</target>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-  <target>Это ограничение распространяется только на устройства, созданные в authentik 2024.4 или более поздней версии.</target>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>Этап, используемый для настройки аутентификатора WebAuthn (например, Yubikey, FaceID/Windows Hello).</target>
diff --git a/web/xliff/tr-TR.xlf b/web/xliff/tr-TR.xlf
index 150b9b802c..e30d5d4895 100644
--- a/web/xliff/tr-TR.xlf
+++ b/web/xliff/tr-TR.xlf
@@ -5944,10 +5944,6 @@ Belirlenen seçeneklerden biri veya her ikisi de eşiğe eşit veya eşiğin üz
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
   <target>İsteğe bağlı olarak, hangi WebAuthn cihaz türlerinin kullanılabileceğini kısıtlayın. Hiçbir cihaz türü seçilmediğinde, tüm cihazlara izin verilir.</target>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-  <target>Bu kısıtlama yalnızca authentik 2024.4 veya sonraki sürümlerde oluşturulan cihazlar için geçerlidir.</target>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>Bir WebAuthn kimlik doğrulayıcısını yapılandırmak için kullanılan sahne alanı (ör. Yubikey, FaceID/Windows Hello).</target>
diff --git a/web/xliff/zh-Hans.xlf b/web/xliff/zh-Hans.xlf
index c2c7379fed..f686ae61eb 100644
--- a/web/xliff/zh-Hans.xlf
+++ b/web/xliff/zh-Hans.xlf
@@ -6379,10 +6379,6 @@ doesn't pass when either or both of the selected options are equal or above the
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
   <target>可选的 WebAuthn 可用设备类型限制。如果未选择设备类型，则允许所有设备。</target>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-  <target>此限制仅适用于在 authentik 2024.4 或更新版本中创建的设备。</target>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>用来配置 WebAuthn 身份验证器（即 Yubikey、FaceID/Windows Hello）的阶段。</target>
diff --git a/web/xliff/zh-Hant.xlf b/web/xliff/zh-Hant.xlf
index 569e92981a..7cbccaf305 100644
--- a/web/xliff/zh-Hant.xlf
+++ b/web/xliff/zh-Hant.xlf
@@ -5707,9 +5707,6 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s1f4df216b56de4ac">
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
 </trans-unit>
-<trans-unit id="s11274960b13cf21a">
-  <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
-</trans-unit>
 <trans-unit id="s24bce955914b1f0a">
   <source>Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).</source>
   <target>用於設定 WebAuthn 身份認證器的階段（例如 Yubikey、FaceID/Windows Hello）。</target>

From 269a89708cc884d2a2a48d73bbc0045b3f4a6afb Mon Sep 17 00:00:00 2001
From: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Date: Thu, 11 Jun 2026 06:10:36 +0200
Subject: [PATCH 51/68] web/elements: extract mermaid runtime, modernize
 `<ak-diagram>` (#22980)

* web: Clean up diagram behavior.

* Add accessor.

* Fix import.

* Fix theme colors, consistent patternfly colors.

* Fix spelling.
---
 web/package-lock.json                         |  20 +++
 web/package.json                              |  25 +--
 web/src/admin/flows/FlowDiagram.ts            |  15 +-
 .../admin/sources/oauth/OAuthSourceDiagram.ts |  24 ++-
 web/src/common/theme.ts                       |  13 +-
 web/src/elements/Diagram.ts                   | 103 -----------
 web/src/elements/Diagram/ak-diagram.css       |   4 +
 web/src/elements/Diagram/ak-diagram.ts        |  88 ++++++++++
 web/src/elements/ak-mdx/ak-mdx.tsx            |  10 +-
 web/src/elements/ak-mdx/styles.css            |  27 ---
 web/src/elements/mermaid/mermaid.css          |  59 +++++++
 web/src/elements/mermaid/theme.ts             | 164 ++++++++++++++++++
 web/src/elements/mermaid/utils.ts             |  76 ++++++++
 13 files changed, 462 insertions(+), 166 deletions(-)
 delete mode 100644 web/src/elements/Diagram.ts
 create mode 100644 web/src/elements/Diagram/ak-diagram.css
 create mode 100644 web/src/elements/Diagram/ak-diagram.ts
 create mode 100644 web/src/elements/mermaid/mermaid.css
 create mode 100644 web/src/elements/mermaid/theme.ts
 create mode 100644 web/src/elements/mermaid/utils.ts

diff --git a/web/package-lock.json b/web/package-lock.json
index 5ce5d55e2f..3c30a7932e 100644
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -37,6 +37,7 @@
                 "@lit/reactive-element": "^2.1.2",
                 "@lit/task": "^1.0.3",
                 "@mdx-js/mdx": "^3.1.1",
+                "@mermaid-js/layout-elk": "^0.2.1",
                 "@mrmarble/djangoql-completion": "^0.8.3",
                 "@open-wc/lit-helpers": "^0.7.0",
                 "@openlayers-elements/core": "^0.4.0",
@@ -2037,6 +2038,19 @@
                 "react": ">=16"
             }
         },
+        "node_modules/@mermaid-js/layout-elk": {
+            "version": "0.2.1",
+            "resolved": "https://registry.npmjs.org/@mermaid-js/layout-elk/-/layout-elk-0.2.1.tgz",
+            "integrity": "sha512-MX9jwhMyd5zDcFsYcl3duDUkKhjVRUCGEQrdCeNV5hCIR6+3FuDDbRbFmvVbAu15K1+juzsYGG+K8MDvCY1Amg==",
+            "license": "MIT",
+            "dependencies": {
+                "d3": "^7.9.0",
+                "elkjs": "^0.9.3"
+            },
+            "peerDependencies": {
+                "mermaid": "^11.0.2"
+            }
+        },
         "node_modules/@mermaid-js/parser": {
             "version": "1.1.1",
             "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-1.1.1.tgz",
@@ -9387,6 +9401,12 @@
             "integrity": "sha512-PwfIw7WQSt3xX7yOf5OE/unLzsK9CaN2f/FvV3WjPR1Knoc1T9vePRVV4W1EM301JzzysK51K7FNKcusCr0zYA==",
             "license": "ISC"
         },
+        "node_modules/elkjs": {
+            "version": "0.9.3",
+            "resolved": "https://registry.npmjs.org/elkjs/-/elkjs-0.9.3.tgz",
+            "integrity": "sha512-f/ZeWvW/BCXbhGEf1Ujp29EASo/lk1FDnETgNKwJrsVvGZhUWCZyg3xLJjAsxfOmt8KjswHmI5EwCQcPMpOYhQ==",
+            "license": "EPL-2.0"
+        },
         "node_modules/emoji-regex": {
             "version": "8.0.0",
             "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
diff --git a/web/package.json b/web/package.json
index 39563a776b..b873955a52 100644
--- a/web/package.json
+++ b/web/package.json
@@ -112,6 +112,7 @@
         "@lit/reactive-element": "^2.1.2",
         "@lit/task": "^1.0.3",
         "@mdx-js/mdx": "^3.1.1",
+        "@mermaid-js/layout-elk": "^0.2.1",
         "@mrmarble/djangoql-completion": "^0.8.3",
         "@open-wc/lit-helpers": "^0.7.0",
         "@openlayers-elements/core": "^0.4.0",
@@ -212,14 +213,10 @@
     ],
     "wireit": {
         "build": {
-            "#comment": [
-                "`npm run build` and `npm run watch` are the most common ",
-                "commands you should be using when working on the front end",
-                "The files and output spec here expect you to use `npm run build --watch` ",
-                "instead of `npm run watch`. The former is more comprehensive, but ",
-                "the latter is faster."
-            ],
             "command": "${NODE_RUNNER} scripts/build-web.mjs",
+            "dependencies": [
+                "build-locales"
+            ],
             "files": [
                 "src/**/*.{css,jpg,png,ts,js,json}",
                 "!src/**/*.stories.ts",
@@ -239,8 +236,12 @@
                 "./dist/poly-*.js.map",
                 "./dist/styles/**"
             ],
-            "dependencies": [
-                "build-locales"
+            "#comment": [
+                "`npm run build` and `npm run watch` are the most common ",
+                "commands you should be using when working on the front end",
+                "The files and output spec here expect you to use `npm run build --watch` ",
+                "instead of `npm run watch`. The former is more comprehensive, but ",
+                "the latter is faster."
             ],
             "env": {
                 "NODE_RUNNER": {
@@ -255,9 +256,6 @@
                 "build-locales"
             ]
         },
-        "locales:repair": {
-            "command": "prettier --write ./src/locale-codes.ts"
-        },
         "lint:components": {
             "command": "lit-analyzer src"
         },
@@ -270,6 +268,9 @@
         "lit-analyse": {
             "command": "lit-analyzer src"
         },
+        "locales:repair": {
+            "command": "prettier --write ./src/locale-codes.ts"
+        },
         "precommit": {
             "command": "prettier --write .",
             "dependencies": [
diff --git a/web/src/admin/flows/FlowDiagram.ts b/web/src/admin/flows/FlowDiagram.ts
index f2e93d7650..dcd08329a7 100644
--- a/web/src/admin/flows/FlowDiagram.ts
+++ b/web/src/admin/flows/FlowDiagram.ts
@@ -2,28 +2,29 @@ import "#elements/EmptyState";
 
 import { aki } from "#common/api/client";
 
-import { Diagram } from "#elements/Diagram";
+import { Diagram } from "#elements/Diagram/ak-diagram";
 
 import { FlowsApi } from "@goauthentik/api";
 
+import { observes } from "@patternfly/pfe-core/decorators/observes.js";
+
 import { customElement, property } from "lit/decorators.js";
 
 @customElement("ak-flow-diagram")
 export class FlowDiagram extends Diagram {
-    @property()
-    flowSlug?: string;
+    @property({ type: String, useDefault: true })
+    public flowSlug: string | null = null;
 
-    refreshHandler = (): void => {
-        this.diagram = undefined;
+    @observes("flowSlug")
+    protected refresh(): void {
         aki(FlowsApi)
             .flowsInstancesDiagramRetrieve({
                 slug: this.flowSlug || "",
             })
             .then((data) => {
                 this.diagram = data.diagram;
-                this.requestUpdate();
             });
-    };
+    }
 }
 
 declare global {
diff --git a/web/src/admin/sources/oauth/OAuthSourceDiagram.ts b/web/src/admin/sources/oauth/OAuthSourceDiagram.ts
index a1151ffa61..ec5008999a 100644
--- a/web/src/admin/sources/oauth/OAuthSourceDiagram.ts
+++ b/web/src/admin/sources/oauth/OAuthSourceDiagram.ts
@@ -1,4 +1,4 @@
-import { Diagram } from "#elements/Diagram";
+import { Diagram } from "#elements/Diagram/ak-diagram";
 
 import { UserMatchingModeToLabel } from "#admin/sources/oauth/utils";
 
@@ -9,22 +9,28 @@ import { customElement, property } from "lit/decorators.js";
 
 @customElement("ak-source-oauth-diagram")
 export class OAuthSourceDiagram extends Diagram {
-    @property({ attribute: false })
-    source?: OAuthSource;
+    @property({ attribute: false, useDefault: true })
+    public source: OAuthSource | null = null;
 
-    refreshHandler = (): void => {
+    protected override syncDiagramContent = (): void => {
         if (!this.source) return;
-        const graph = ["graph LR"];
-        graph.push(`source[${msg(str`OAuth Source ${this.source.name}`)}]`);
-        graph.push(
-            `source --> flow_manager["${UserMatchingModeToLabel(this.source.userMatchingMode || UserMatchingModeEnum.Identifier)}"]`,
-        );
+
+        const graph = [
+            "graph LR",
+            `source[${msg(str`OAuth Source ${this.source.name}`)}]`,
+            `source --> flow_manager["${UserMatchingModeToLabel(
+                this.source.userMatchingMode || UserMatchingModeEnum.Identifier,
+            )}"]`,
+        ];
+
         if (this.source.enrollmentFlow) {
             graph.push("flow_manager --> flow_enroll[Enrollment flow]");
         }
+
         if (this.source.authenticationFlow) {
             graph.push("flow_manager --> flow_auth[Authentication flow]");
         }
+
         this.diagram = graph.join("\n");
     };
 }
diff --git a/web/src/common/theme.ts b/web/src/common/theme.ts
index 6bc5717d79..6966c50111 100644
--- a/web/src/common/theme.ts
+++ b/web/src/common/theme.ts
@@ -261,26 +261,29 @@ declare global {
  * @param hint The color scheme hint to use.
  * @param doc The document to apply the theme to.
  */
-export const applyDocumentTheme = ((currentUITheme = resolveUITheme(), doc = document): void => {
+export const applyDocumentTheme = ((
+    currentUITheme = resolveUITheme(),
+    ownerDocument = document,
+): void => {
     console.debug(`authentik/theme (document): want to switch to ${currentUITheme} theme`);
 
-    const { themeChoice } = doc.documentElement.dataset;
+    const { themeChoice } = ownerDocument.documentElement.dataset;
 
     if (themeChoice && themeChoice !== "auto") {
         console.debug(
             `authentik/theme (document): skipping theme application due to explicit choice (${themeChoice})`,
         );
 
-        doc.dispatchEvent(new ThemeChangeEvent(themeChoice));
+        ownerDocument.dispatchEvent(new ThemeChangeEvent(themeChoice));
 
         return;
     }
 
-    doc.documentElement.dataset.theme = currentUITheme;
+    ownerDocument.documentElement.dataset.theme = currentUITheme;
 
     console.debug(`authentik/theme (document): switching to ${currentUITheme} theme`);
 
-    doc.dispatchEvent(new ThemeChangeEvent(currentUITheme));
+    ownerDocument.dispatchEvent(new ThemeChangeEvent(currentUITheme));
 }) satisfies UIThemeListener;
 
 /**
diff --git a/web/src/elements/Diagram.ts b/web/src/elements/Diagram.ts
deleted file mode 100644
index 12b4fa686e..0000000000
--- a/web/src/elements/Diagram.ts
+++ /dev/null
@@ -1,103 +0,0 @@
-import "#elements/EmptyState";
-
-import { EVENT_REFRESH } from "#common/constants";
-import { DOM_PURIFY_STRICT } from "#common/purify";
-import { ThemeChangeEvent } from "#common/theme";
-
-import { AKElement } from "#elements/Base";
-
-import { UiThemeEnum } from "@goauthentik/api";
-
-import mermaid, { MermaidConfig } from "mermaid";
-
-import { css, CSSResult, html, TemplateResult } from "lit";
-import { customElement, property } from "lit/decorators.js";
-import { unsafeHTML } from "lit/directives/unsafe-html.js";
-import { until } from "lit/directives/until.js";
-
-@customElement("ak-diagram")
-export class Diagram extends AKElement {
-    @property({ attribute: false })
-    diagram?: string;
-
-    refreshHandler = (): void => {
-        if (!this.textContent) return;
-        this.diagram = this.textContent;
-    };
-
-    handlerBound = false;
-
-    static styles: CSSResult[] = [
-        css`
-            :host {
-                display: flex;
-                justify-content: center;
-            }
-        `,
-    ];
-
-    config: MermaidConfig;
-
-    constructor() {
-        super();
-        this.config = {
-            // The type definition for this says number
-            // but the example use strings
-            // and numbers don't work
-            logLevel: "fatal",
-            startOnLoad: false,
-            flowchart: {
-                curve: "linear",
-            },
-            htmlLabels: false,
-            securityLevel: "strict",
-            dompurifyConfig: DOM_PURIFY_STRICT,
-        };
-        mermaid.initialize(this.config);
-    }
-
-    firstUpdated(): void {
-        if (this.handlerBound) return;
-        window.addEventListener(EVENT_REFRESH, this.refreshHandler);
-        this.addEventListener(ThemeChangeEvent.eventName, ((ev: CustomEvent<UiThemeEnum>) => {
-            if (ev.detail === UiThemeEnum.Dark) {
-                this.config.theme = "dark";
-            } else {
-                this.config.theme = "default";
-            }
-            mermaid.initialize(this.config);
-        }) as EventListener);
-        this.handlerBound = true;
-        this.refreshHandler();
-    }
-
-    disconnectedCallback(): void {
-        super.disconnectedCallback();
-        window.removeEventListener(EVENT_REFRESH, this.refreshHandler);
-    }
-
-    render(): TemplateResult {
-        this.querySelectorAll("*").forEach((el) => {
-            try {
-                el.remove();
-            } catch {
-                console.debug(`authentik/diagram: failed to remove element ${el}`);
-            }
-        });
-        if (!this.diagram) {
-            return html`<ak-empty-state loading></ak-empty-state>`;
-        }
-        return html`${until(
-            mermaid.render("graph", this.diagram).then((r) => {
-                r.bindFunctions?.(this.shadowRoot as unknown as Element);
-                return unsafeHTML(r.svg);
-            }),
-        )}`;
-    }
-}
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-diagram": Diagram;
-    }
-}
diff --git a/web/src/elements/Diagram/ak-diagram.css b/web/src/elements/Diagram/ak-diagram.css
new file mode 100644
index 0000000000..f21bc9f9bb
--- /dev/null
+++ b/web/src/elements/Diagram/ak-diagram.css
@@ -0,0 +1,4 @@
+:host {
+    display: flex;
+    justify-content: center;
+}
diff --git a/web/src/elements/Diagram/ak-diagram.ts b/web/src/elements/Diagram/ak-diagram.ts
new file mode 100644
index 0000000000..a0ab870a79
--- /dev/null
+++ b/web/src/elements/Diagram/ak-diagram.ts
@@ -0,0 +1,88 @@
+import "#elements/EmptyState";
+
+import { AKRefreshEvent } from "#common/events";
+
+import { AKElement } from "#elements/Base";
+import { listen } from "#elements/decorators/listen";
+import Styles from "#elements/Diagram/ak-diagram.css";
+import { EmptyState } from "#elements/EmptyState";
+import MermaidStyles from "#elements/mermaid/mermaid.css";
+import { loadMermaid } from "#elements/mermaid/utils";
+import { SlottedTemplateResult } from "#elements/types";
+
+import { CSSResult, PropertyValues } from "lit";
+import { guard } from "lit-html/directives/guard.js";
+import { customElement, property } from "lit/decorators.js";
+import { unsafeHTML } from "lit/directives/unsafe-html.js";
+import { until } from "lit/directives/until.js";
+
+@customElement("ak-diagram")
+export class Diagram extends AKElement {
+    static styles: CSSResult[] = [MermaidStyles, Styles];
+
+    #diagram = "";
+    @property({ attribute: false, useDefault: true })
+    public get diagram(): string {
+        return this.#diagram || this.textContent.trim() || "";
+    }
+
+    public set diagram(value: string) {
+        const previous = this.#diagram;
+        this.#diagram = value.trim();
+
+        this.requestUpdate("diagram", previous);
+    }
+
+    @listen(AKRefreshEvent, {
+        target: window,
+    })
+    protected syncDiagramContent = (): void => {
+        if (!this.textContent) return;
+        this.diagram = this.textContent;
+    };
+
+    loadingPlaceholder: EmptyState;
+
+    constructor() {
+        super();
+        this.loadingPlaceholder = new EmptyState();
+        this.loadingPlaceholder.loading = true;
+    }
+
+    protected firstUpdated(changedProperties: PropertyValues<this>): void {
+        super.firstUpdated(changedProperties);
+        this.syncDiagramContent();
+    }
+
+    protected renderMermaid(): Promise<SlottedTemplateResult> {
+        return loadMermaid(this.activeTheme).then((mermaid) => {
+            if (!this.diagram) {
+                return null;
+            }
+
+            return mermaid.render(`mermaid-svg-${this.localName}`, this.diagram).then((result) => {
+                result.bindFunctions?.(this.renderRoot as HTMLElement);
+
+                return unsafeHTML(result.svg);
+            });
+        });
+    }
+
+    protected override render(): SlottedTemplateResult {
+        const { diagram, loadingPlaceholder, activeTheme } = this;
+
+        return guard([diagram, activeTheme], () => {
+            if (!diagram) {
+                return loadingPlaceholder;
+            }
+
+            return until(this.renderMermaid(), loadingPlaceholder);
+        });
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-diagram": Diagram;
+    }
+}
diff --git a/web/src/elements/ak-mdx/ak-mdx.tsx b/web/src/elements/ak-mdx/ak-mdx.tsx
index 94d100d833..cbc50c2dcc 100644
--- a/web/src/elements/ak-mdx/ak-mdx.tsx
+++ b/web/src/elements/ak-mdx/ak-mdx.tsx
@@ -11,12 +11,12 @@ import { remarkHeadings } from "#elements/ak-mdx/remark/remark-headings";
 import { remarkLists } from "#elements/ak-mdx/remark/remark-lists";
 import Styles from "#elements/ak-mdx/styles.css";
 import { AKElement } from "#elements/Base";
+import MermaidStyles from "#elements/mermaid/mermaid.css";
+import { loadMermaid } from "#elements/mermaid/utils";
 
 import { DistDirectoryName, StaticDirectoryName } from "#paths";
 import OneDark from "#styles/atom/one-dark.css";
 
-import { UiThemeEnum } from "@goauthentik/api";
-
 import { compile as compileMDX, run as runMDX } from "@mdx-js/mdx";
 import apacheGrammar from "highlight.js/lib/languages/apache";
 import diffGrammar from "highlight.js/lib/languages/diff";
@@ -77,6 +77,7 @@ export class AKMDX extends AKElement {
         PFTable,
         PFContent,
         OneDark,
+        MermaidStyles,
         Styles,
     ];
 
@@ -113,6 +114,8 @@ export class AKMDX extends AKElement {
             mdxModule.content,
         );
 
+        const { activeTheme } = this;
+
         const mdx = await compileMDX(normalized, {
             outputFormat: "function-body",
             remarkPlugins: [
@@ -132,7 +135,8 @@ export class AKMDX extends AKElement {
                     rehypeMermaid,
                     {
                         prefix: "mermaid-svg-",
-                        colorScheme: this.activeTheme === UiThemeEnum.Dark ? "dark" : "light",
+                        colorScheme: activeTheme,
+                        mermaidConfig: await loadMermaid(activeTheme),
                     } satisfies RehypeMermaidOptions,
                 ],
             ],
diff --git a/web/src/elements/ak-mdx/styles.css b/web/src/elements/ak-mdx/styles.css
index 025074820d..7db3238078 100644
--- a/web/src/elements/ak-mdx/styles.css
+++ b/web/src/elements/ak-mdx/styles.css
@@ -59,21 +59,6 @@ pre:has(.hljs) {
     padding: var(--pf-global--spacer--md);
 }
 
-svg[id^="mermaid-svg-"] {
-    .rect {
-        fill: var(
-            --ak-mermaid-box-background-color,
-            var(--pf-global--BackgroundColor--light-300)
-        ) !important;
-    }
-
-    .messageText {
-        stroke-width: 4;
-        fill: var(--ak-mermaid-message-text) !important;
-        paint-order: stroke;
-    }
-}
-
 ak-alert + :is(h2, p) {
     padding-top: var(--pf-global--spacer--md);
 }
@@ -81,19 +66,7 @@ ak-alert + :is(h2, p) {
 /* #region Dark Theme */
 
 :host([theme="dark"]) {
-    --ak-mermaid-message-text: var(--ak-dark-foreground);
-    --ak-mermaid-box-background-color: var(--ak-dark-background-lighter);
     --ak-table-stripe-background: var(--pf-global--BackgroundColor--dark-200);
-
-    svg[id^="mermaid-svg-"] {
-        line[class^="messageLine"] {
-            /*
-            Mermaid's support for dynamic palette changes leaves a lot to be desired.
-            This is a workaround to keep content readable while not breaking the rest of the theme.
-         */
-            filter: invert(1) !important;
-        }
-    }
 }
 
 /* #endregion */
diff --git a/web/src/elements/mermaid/mermaid.css b/web/src/elements/mermaid/mermaid.css
new file mode 100644
index 0000000000..4e66674c8a
--- /dev/null
+++ b/web/src/elements/mermaid/mermaid.css
@@ -0,0 +1,59 @@
+/* svg[id^="mermaid-svg-"] { */
+/* &.flowchart {
+        .edgeLabel .label {
+            padding: 4px 10px;
+            border-radius: 4px;
+            background: rgba(0, 0, 0, 0.55);
+            color: var(--ak-foreground, #fff);
+        }
+    } */
+
+.flowchart {
+    foreignObject:has(.edgeLabel) {
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        overflow: visible;
+    }
+
+    .edgeLabel,
+    .edgeLabel .labelBkg {
+        background-color: transparent;
+        display: flex !important;
+    }
+
+    .edgeLabel > span,
+    .labelBkg > span.edgeLabel {
+        margin-inline: auto;
+        max-width: max-content;
+        padding: 3px 12px;
+        border-radius: 6px;
+        white-space: nowrap;
+    }
+
+    .edgeLabel {
+        background-color: var(--pf-global--palette--gold-200) !important;
+        border: 1px solid var(--pf-global--palette--gold-500) !important;
+    }
+}
+
+svg[id^="mermaid-svg-"] {
+    & > .rect {
+        fill: color-mix(var(--pf-global--palette--gold-100), transparent 95%);
+        stroke: var(--pf-global--palette--gold-100);
+        stroke-width: 1;
+    }
+
+    .messageText {
+        fill: var(--pf-global--Color--100) !important;
+    }
+
+    .messageLine0 {
+        stroke: var(--pf-global--palette--purple-300) !important;
+    }
+
+    [id$="-arrowhead"] path {
+        fill: var(--pf-global--palette--purple-300) !important;
+        stroke: var(--pf-global--palette--purple-300) !important;
+    }
+}
diff --git a/web/src/elements/mermaid/theme.ts b/web/src/elements/mermaid/theme.ts
new file mode 100644
index 0000000000..e2db5ae298
--- /dev/null
+++ b/web/src/elements/mermaid/theme.ts
@@ -0,0 +1,164 @@
+import type { MermaidConfig } from "mermaid";
+
+/**
+ * Resolves PatternFly CSS custom properties into concrete hex colors and maps
+ * them onto Mermaid's `themeVariables` keyset.
+ *
+ * @remarks
+ *
+ * Colors are parsed through a 1x1 canvas so that any valid CSS color form
+ * (named, rgb/rgba, hsl, or a `var()` chain) collapses to a hex string Mermaid
+ * can consume. Fully transparent values resolve to `"transparent"`.
+ *
+ * PatternFly 4 handles light/dark theming at the token level, so a single token
+ * set resolves correctly under either theme — no per-theme branching needed.
+ */
+export class MermaidThemeAdapter {
+    canvas = new OffscreenCanvas(1, 1);
+    ctx = this.canvas.getContext("2d");
+
+    constructor(protected computedStyle: CSSStyleDeclaration) {}
+
+    /**
+     * Resolve a CSS custom property to a hex color string.
+     *
+     * @param cssProperty The CSS custom property name to read.
+     * @param fallback Color used when the property is unset or empty.
+     *
+     * @returns A hex color code string, or `"transparent"` for fully transparent values.
+     */
+    public readHexColorVariable = (cssProperty: string, fallback = "#ff0000"): string => {
+        if (!this.ctx) {
+            throw new Error("Could not create canvas context for color parsing");
+        }
+
+        this.ctx.clearRect(0, 0, 1, 1);
+        this.ctx.fillStyle = this.computedStyle.getPropertyValue(cssProperty).trim() || fallback;
+        this.ctx.fillRect(0, 0, 1, 1);
+
+        const [r, g, b, a] = this.ctx.getImageData(0, 0, 1, 1).data;
+
+        if (a === 0) {
+            return "transparent";
+        }
+
+        // eslint-disable-next-line no-bitwise
+        return `#${((1 << 24) + (r << 16) + (g << 8) + b).toString(16).slice(1)}`;
+    };
+
+    /**
+     * Read a surface color, substituting an opaque fallback when the token
+     * resolves to `transparent`. Node fills must never be see-through.
+     */
+    protected readSurface = (cssProperty: string, fallback: string): string => {
+        const value = this.readHexColorVariable(cssProperty, fallback);
+
+        return value === "transparent" ? fallback : value;
+    };
+
+    /**
+     * Map PatternFly tokens onto Mermaid's `themeVariables`.
+     *
+     * @remarks
+     *
+     * Requires `theme: "base"` in the Mermaid config — other built-in themes
+     * ignore most of these overrides.
+     */
+    public toThemeVariables(darkMode?: boolean): MermaidConfig["themeVariables"] {
+        const { readHexColorVariable: read, readSurface } = this;
+
+        const surface = readSurface("--pf-global--palette--purple-50", "#ffffff");
+        const surfaceAlt = readSurface("--pf-global--palette--blue-50", surface);
+        const surfaceDark = readSurface("--pf-global--palette--black-200", surfaceAlt);
+
+        const textBase = read("--pf-global--palette--purple-700");
+        const textSecondary = read(
+            darkMode ? "--pf-global--palette--gold-100" : "--pf-global--palette--gold-400",
+        );
+        const border = read(
+            darkMode ? "--pf-global--palette--purple-300" : "--pf-global--palette--purple-700",
+        );
+
+        const primaryBorder = read("--pf-global--palette--purple-400");
+        const primaryAccent = read("--pf-global--palette--purple-100");
+        const primaryAccentText = read("--pf-global--palette--purple-700");
+
+        const success = read("--pf-global--success-color--100");
+        const danger = read("--pf-global--danger-color--100");
+        const warning = read("--pf-global--warning-color--100");
+        const info = read("--pf-global--info-color--100");
+
+        return {
+            // Base / canvas
+            background: surface,
+            mainBkg: surface,
+            fontFamily: "var(--ak-font-family-sans-serif)",
+
+            // Primary node
+            primaryColor: surface,
+            primaryBorderColor: primaryBorder,
+            primaryTextColor: textBase,
+
+            // Secondary node
+            secondaryColor: surfaceAlt,
+            secondaryBorderColor: border,
+            secondaryTextColor: textBase,
+
+            // Tertiary node
+            tertiaryColor: surfaceDark,
+            tertiaryBorderColor: border,
+            tertiaryTextColor: textBase,
+
+            // Edges / lines / labels
+            lineColor: textSecondary,
+            edgeLabelBackground: surface,
+            titleColor: textBase,
+
+            // Generic node fallbacks
+            nodeBorder: border,
+            nodeTextColor: textBase,
+
+            // Clusters / subgraphs
+            clusterBkg: surfaceDark,
+            clusterBorder: border,
+
+            // Notes
+            noteBkgColor: warning,
+            noteTextColor: textBase,
+            noteBorderColor: border,
+
+            // Brand accents (classDef / linkStyle)
+            primaryColorAccent: primaryAccent,
+            primaryTextColorAccent: primaryAccentText,
+
+            // Status (state / git / quadrant diagrams)
+            successColor: success,
+            errorColor: danger,
+            warningColor: warning,
+            infoColor: info,
+
+            // Sequence / state actors
+            actorBkg: surface,
+            actorBorder: border,
+            actorTextColor: textBase,
+            labelBoxBkgColor: surface,
+            labelTextColor: textBase,
+        };
+    }
+
+    /**
+     * Semantic accent colors for emitting `linkStyle` / `classDef` directives
+     * into diagram source (e.g. coloring policy pass/fail edges).
+     */
+    public toAccents() {
+        const { readHexColorVariable: read } = this;
+
+        return {
+            success: read("--pf-global--success-color--100"),
+            danger: read("--pf-global--danger-color--100"),
+            warning: read("--pf-global--warning-color--100"),
+            info: read("--pf-global--info-color--100"),
+            primary: read("--pf-global--palette--purple-100"),
+        };
+    }
+}
diff --git a/web/src/elements/mermaid/utils.ts b/web/src/elements/mermaid/utils.ts
new file mode 100644
index 0000000000..a6192cb826
--- /dev/null
+++ b/web/src/elements/mermaid/utils.ts
@@ -0,0 +1,76 @@
+import MermaidStyles from "./mermaid.css";
+
+import { DOM_PURIFY_STRICT } from "#common/purify";
+import { ResolvedUITheme } from "#common/theme";
+
+import { MermaidThemeAdapter } from "#elements/mermaid/theme";
+
+import elkLayouts from "@mermaid-js/layout-elk";
+import type { Mermaid, MermaidConfig } from "mermaid";
+
+export const DefaultMermaidConfig: Readonly<MermaidConfig> = {
+    logLevel: "fatal",
+    startOnLoad: false,
+    htmlLabels: true,
+    fontFamily: "var(--ak-font-family-sans-serif)",
+    layout: "elk",
+    flowchart: {
+        curve: "linear",
+
+        nodeSpacing: 25,
+        rankSpacing: 25,
+        wrappingWidth: 500,
+    },
+    theme: "base",
+    securityLevel: "strict",
+    dompurifyConfig: DOM_PURIFY_STRICT,
+};
+
+let lastActiveTheme: ResolvedUITheme | null = null;
+let mermaid: Mermaid | null = null;
+
+/**
+ * Load the Mermaid library and initialize it with the appropriate theme based
+ * on the provided UI theme.
+ *
+ * @remarks
+ *
+ * Mermaid is only loaded once and cached for subsequent calls. Note that
+ * Mermaid is a singleton and does not support multiple instances with different
+ * configurations. Re-initialization occurs only when the active theme changes.
+ *
+ * @param uiTheme The resolved UI theme to derive Mermaid colors from.
+ * @returns The initialized Mermaid singleton.
+ */
+export async function loadMermaid(uiTheme: ResolvedUITheme): Promise<Mermaid> {
+    if (!mermaid) {
+        const mermaidModule = await import("mermaid");
+        mermaid = mermaidModule.default;
+        mermaid.registerLayoutLoaders(elkLayouts);
+    }
+
+    if (uiTheme && uiTheme === lastActiveTheme) {
+        return mermaid;
+    }
+
+    await new Promise((resolve) => requestAnimationFrame(resolve));
+
+    const computedStyle = getComputedStyle(document.documentElement);
+    const darkMode = uiTheme === "dark";
+
+    const themeAdapter = new MermaidThemeAdapter(computedStyle);
+    const themeVariables = themeAdapter.toThemeVariables(darkMode);
+
+    mermaid.initialize({
+        ...DefaultMermaidConfig,
+        themeVariables: {
+            ...themeVariables,
+        },
+        darkMode,
+        themeCSS: String(MermaidStyles),
+    });
+
+    lastActiveTheme = uiTheme;
+
+    return mermaid;
+}

From 453a49d954f5ad28870296f7b7eacb3592a97984 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 12:54:14 +0200
Subject: [PATCH 52/68] ci: bump taiki-e/install-action from 2.81.7 to 2.81.8
 in /.github/actions/setup (#22995)

ci: bump taiki-e/install-action in /.github/actions/setup

Bumps [taiki-e/install-action](https://github.com/taiki-e/install-action) from 2.81.7 to 2.81.8.
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/taiki-e/install-action/compare/56545b37b57562edd73171cb6c62cc509db4c34e...0631aa6515c7d545823c67cfae7ef4fc7f490154)

---
updated-dependencies:
- dependency-name: taiki-e/install-action
  dependency-version: 2.81.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/actions/setup/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index 6f49b82019..e14f69ac27 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -64,7 +64,7 @@ runs:
         rustflags: ""
     - name: Setup rust dependencies
       if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@56545b37b57562edd73171cb6c62cc509db4c34e # v2
+      uses: taiki-e/install-action@0631aa6515c7d545823c67cfae7ef4fc7f490154 # v2
       with:
         tool: cargo-deny cargo-machete cargo-llvm-cov nextest
     - name: Setup node (root, web)

From bfe104bb69d44203718b3d7d78672fa9497a4c15 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 12:54:18 +0200
Subject: [PATCH 53/68] core: bump which from 8.0.2 to 8.0.3 (#22994)

Bumps [which](https://github.com/harryfei/which-rs) from 8.0.2 to 8.0.3.
- [Release notes](https://github.com/harryfei/which-rs/releases)
- [Changelog](https://github.com/harryfei/which-rs/blob/master/CHANGELOG.md)
- [Commits](https://github.com/harryfei/which-rs/compare/8.0.2...8.0.3)

---
updated-dependencies:
- dependency-name: which
  dependency-version: 8.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 Cargo.lock | 4 ++--
 Cargo.toml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index b475976d63..4ec2a1c779 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4578,9 +4578,9 @@ dependencies = [
 
 [[package]]
 name = "which"
-version = "8.0.2"
+version = "8.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81995fafaaaf6ae47a7d0cc83c67caf92aeb7e5331650ae6ff856f7c0c60c459"
+checksum = "c789537cf2f7f55be8e6192f92e464174ee55f91af622777f7f1ceb0dbccd03e"
 dependencies = [
  "libc",
 ]
diff --git a/Cargo.toml b/Cargo.toml
index 02f085538f..520f596bac 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -113,7 +113,7 @@ tracing-subscriber = { version = "= 0.3.23", features = [
 ] }
 url = "= 2.5.8"
 uuid = { version = "= 1.23.2", features = ["serde", "v4"] }
-which = "= 8.0.2"
+which = "= 8.0.3"
 
 ak-axum = { package = "authentik-axum", version = "2026.8.0-rc1", path = "./packages/ak-axum" }
 ak-client = { package = "authentik-client", version = "2026.8.0-rc1", path = "./packages/client-rust" }

From 4889d047f0041b84f34e67aad338fa13091475c1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 12:54:22 +0200
Subject: [PATCH 54/68] core: bump uvicorn[standard] from 0.48.0 to 0.49.0
 (#22993)

Bumps [uvicorn[standard]](https://github.com/Kludex/uvicorn) from 0.48.0 to 0.49.0.
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](https://github.com/Kludex/uvicorn/compare/0.48.0...0.49.0)

---
updated-dependencies:
- dependency-name: uvicorn[standard]
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pyproject.toml |  2 +-
 uv.lock        | 33 ++++++++++++++++++++-------------
 2 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index aeca2ac862..11d4b94bf3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -66,7 +66,7 @@ dependencies = [
   "ua-parser==1.0.2",
   "unidecode==1.4.0",
   "urllib3<3",
-  "uvicorn[standard]==0.48.0",
+  "uvicorn[standard]==0.49.0",
   "watchdog==6.0.0",
   "webauthn==2.7.1",
   "wsproto==1.3.2",
diff --git a/uv.lock b/uv.lock
index 78ff68f75f..c114a48104 100644
--- a/uv.lock
+++ b/uv.lock
@@ -422,7 +422,7 @@ requires-dist = [
     { name = "ua-parser", specifier = "==1.0.2" },
     { name = "unidecode", specifier = "==1.4.0" },
     { name = "urllib3", specifier = "<3" },
-    { name = "uvicorn", extras = ["standard"], specifier = "==0.48.0" },
+    { name = "uvicorn", extras = ["standard"], specifier = "==0.49.0" },
     { name = "watchdog", specifier = "==6.0.0" },
     { name = "webauthn", specifier = "==2.7.1" },
     { name = "wsproto", specifier = "==1.3.2" },
@@ -1812,17 +1812,24 @@ wheels = [
 
 [[package]]
 name = "httptools"
-version = "0.7.1"
+version = "0.8.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/b5/46/120a669232c7bdedb9d52d4aeae7e6c7dfe151e99dc70802e2fc7a5e1993/httptools-0.7.1.tar.gz", hash = "sha256:abd72556974f8e7c74a259655924a717a2365b236c882c3f6f8a45fe94703ac9", size = 258961, upload-time = "2025-10-10T03:55:08.559Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/43/e5/d471fcb0e14523fe1c3f4ba58ca52480e7bd70ad7109a3846bc75892f7fb/httptools-0.8.0.tar.gz", hash = "sha256:6b2a32f18d97e16e90827d7a819ffa8dbd8cc245fc4e1fa9d1095b54ef4bd999", size = 271342, upload-time = "2026-05-25T22:17:48.841Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/34/50/9d095fcbb6de2d523e027a2f304d4551855c2f46e0b82befd718b8b20056/httptools-0.7.1-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:c08fe65728b8d70b6923ce31e3956f859d5e1e8548e6f22ec520a962c6757270", size = 203619, upload-time = "2025-10-10T03:54:54.321Z" },
-    { url = "https://files.pythonhosted.org/packages/07/f0/89720dc5139ae54b03f861b5e2c55a37dba9a5da7d51e1e824a1f343627f/httptools-0.7.1-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:7aea2e3c3953521c3c51106ee11487a910d45586e351202474d45472db7d72d3", size = 108714, upload-time = "2025-10-10T03:54:55.163Z" },
-    { url = "https://files.pythonhosted.org/packages/b3/cb/eea88506f191fb552c11787c23f9a405f4c7b0c5799bf73f2249cd4f5228/httptools-0.7.1-cp314-cp314-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:0e68b8582f4ea9166be62926077a3334064d422cf08ab87d8b74664f8e9058e1", size = 472909, upload-time = "2025-10-10T03:54:56.056Z" },
-    { url = "https://files.pythonhosted.org/packages/e0/4a/a548bdfae6369c0d078bab5769f7b66f17f1bfaa6fa28f81d6be6959066b/httptools-0.7.1-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:df091cf961a3be783d6aebae963cc9b71e00d57fa6f149025075217bc6a55a7b", size = 470831, upload-time = "2025-10-10T03:54:57.219Z" },
-    { url = "https://files.pythonhosted.org/packages/4d/31/14df99e1c43bd132eec921c2e7e11cda7852f65619bc0fc5bdc2d0cb126c/httptools-0.7.1-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:f084813239e1eb403ddacd06a30de3d3e09a9b76e7894dcda2b22f8a726e9c60", size = 452631, upload-time = "2025-10-10T03:54:58.219Z" },
-    { url = "https://files.pythonhosted.org/packages/22/d2/b7e131f7be8d854d48cb6d048113c30f9a46dca0c9a8b08fcb3fcd588cdc/httptools-0.7.1-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:7347714368fb2b335e9063bc2b96f2f87a9ceffcd9758ac295f8bbcd3ffbc0ca", size = 452910, upload-time = "2025-10-10T03:54:59.366Z" },
-    { url = "https://files.pythonhosted.org/packages/53/cf/878f3b91e4e6e011eff6d1fa9ca39f7eb17d19c9d7971b04873734112f30/httptools-0.7.1-cp314-cp314-win_amd64.whl", hash = "sha256:cfabda2a5bb85aa2a904ce06d974a3f30fb36cc63d7feaddec05d2050acede96", size = 88205, upload-time = "2025-10-10T03:55:00.389Z" },
+    { url = "https://files.pythonhosted.org/packages/1a/12/fa3fbf5f9517b273edea2dc982aa82a8c634091e67c590792b729017bc6f/httptools-0.8.0-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:de242a49b5d18e0a8776e654e9f6bf6d89f3875a5c35b425a0e7ce940feb3fd6", size = 206183, upload-time = "2026-05-25T22:17:24.004Z" },
+    { url = "https://files.pythonhosted.org/packages/30/fc/5e7c4cb443370f2090a3aba0453a07384d29ff66b7435bb90e77e1037599/httptools-0.8.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:159e9ab5f701ccd42e555a12f1ad8ff69702910fc1c996cf2bb66e5fcb7a231b", size = 112079, upload-time = "2026-05-25T22:17:25.216Z" },
+    { url = "https://files.pythonhosted.org/packages/ba/53/771bd891eb0f236f32145d6a1775777ec85745f3cc983a1f23d1a3b8ddfe/httptools-0.8.0-cp314-cp314-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:c4a9f1707e4823d54dfec6c33fa3697d302aed536ed352a7ebb5a061ddb869d0", size = 481596, upload-time = "2026-05-25T22:17:26.186Z" },
+    { url = "https://files.pythonhosted.org/packages/62/42/94e15bc68ce3d423243c45d7f1b0c7561f13844f97dc52ae23182fb65628/httptools-0.8.0-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d76ad7b951387e3632c8716a9bb03ac5b45c5f16119aa409db0459520887944e", size = 480865, upload-time = "2026-05-25T22:17:27.542Z" },
+    { url = "https://files.pythonhosted.org/packages/1c/7c/fe2980fc03723272e30f135b62360b075f513dfe7cc73aef36c7f04012bd/httptools-0.8.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:a3b7387147361c3fd47a0bde763c5c91b5b4cd4dc9989b8ece84ff436c99843b", size = 463189, upload-time = "2026-05-25T22:17:28.546Z" },
+    { url = "https://files.pythonhosted.org/packages/15/1b/47fc5fff68acd1bfa20b4734059c9a06cadb88119dcd5258b5b0d21d91c8/httptools-0.8.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:f256d6ce930c52ca1cb2a960b7da03548c454e7d28b06059ad41bfe789036ce0", size = 466610, upload-time = "2026-05-25T22:17:29.816Z" },
+    { url = "https://files.pythonhosted.org/packages/60/bd/07b13c93ffd9bec9546e0d43f8e19378dd696dbd278511406bc07371ef1f/httptools-0.8.0-cp314-cp314-win_amd64.whl", hash = "sha256:19d1ee275bb59ba2643ba9a3a1e51cc0c788caf2b8df506368e03f56fdd08527", size = 92705, upload-time = "2026-05-25T22:17:31.133Z" },
+    { url = "https://files.pythonhosted.org/packages/fd/c4/121648f68ce066d7bd762d6b6d97e620847642d38d54f3d90ff11d947629/httptools-0.8.0-cp314-cp314t-macosx_10_13_universal2.whl", hash = "sha256:de1ed58a974e75d56560acc7e7fed01a454994429456f65209789992e41f2568", size = 215023, upload-time = "2026-05-25T22:17:32.401Z" },
+    { url = "https://files.pythonhosted.org/packages/b9/b0/312a062ae741ae3e8baa8c8bf20be81b2e67337b259ab4349bebc7b6142e/httptools-0.8.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:e93c227b595c6926c1acee96891dd9da4be338cfbe82e5cd3bb9d8dd7dc4ac0b", size = 117405, upload-time = "2026-05-25T22:17:33.742Z" },
+    { url = "https://files.pythonhosted.org/packages/fc/37/fccd705f795386bb05bf413012fecff2a33e5aa8c2f069096de3e9fd8702/httptools-0.8.0-cp314-cp314t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:2a021c3a8e65cc125390d72f59b968afca3bdcaff25bd67965e0a055a14946ca", size = 558497, upload-time = "2026-05-25T22:17:34.732Z" },
+    { url = "https://files.pythonhosted.org/packages/bd/39/f172e8003576de35f5ba77ff417cf0e34429d35dc014deef15afa337a72c/httptools-0.8.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:48774d39cbb70e2b1f71f88852a3087ae1d3a1eb80482bb48c13067ab080c14f", size = 571585, upload-time = "2026-05-25T22:17:35.813Z" },
+    { url = "https://files.pythonhosted.org/packages/3e/b9/f5564760af99f3dbbf3f9104dc00e5da27e96cf433c6bdcf77617f70bf3f/httptools-0.8.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:88eead8ec8680a9f146c655bc88445a325bd7921cfd8194c7337e9467282427d", size = 543297, upload-time = "2026-05-25T22:17:37.08Z" },
+    { url = "https://files.pythonhosted.org/packages/99/67/8d9f2c313618e161b82f3873188e7196126da1d6e29688df40eb3997c77a/httptools-0.8.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:2c032fa028f46871ec7e1fc59fc15e8023eab3e6bbe6ece786a1611719a5d081", size = 539535, upload-time = "2026-05-25T22:17:38.032Z" },
+    { url = "https://files.pythonhosted.org/packages/48/63/b906c01e53f50d432c0defe43ce52764a111dc1bdd028bafbeb54dcfd008/httptools-0.8.0-cp314-cp314t-win_amd64.whl", hash = "sha256:384c17174464c8e873398b7af24f0b1f44d992c820328413951a625323155d77", size = 108209, upload-time = "2026-05-25T22:17:39.473Z" },
 ]
 
 [[package]]
@@ -3853,15 +3860,15 @@ socks = [
 
 [[package]]
 name = "uvicorn"
-version = "0.48.0"
+version = "0.49.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "click" },
     { name = "h11" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/e6/bf/f6544ba992ddb9a6077343a576f9844f7f8f06ab819aefd00206e9255f18/uvicorn-0.48.0.tar.gz", hash = "sha256:a5504207195d08c2511bf9125ede5ac4a4b71725d519e758d01dcf0bc2d31c37", size = 91074, upload-time = "2026-05-24T12:08:41.925Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c4/1f/fa18009dea8469069cca78a4e877a008ab78f08b064bfc9ab891579077ff/uvicorn-0.49.0.tar.gz", hash = "sha256:ebf4271aa580d9de97f93192d4595176df6e91f9aae919ca73e4fc07df1e66a3", size = 91284, upload-time = "2026-06-03T22:01:30.448Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/01/be/72532be3da7acc5fdfbccdb95215cd04f995a0886532a5b423f929cda4cc/uvicorn-0.48.0-py3-none-any.whl", hash = "sha256:48097851328b87ec36117d3d575234519eb58c2b22d79666e9bbc6c49a761dad", size = 71410, upload-time = "2026-05-24T12:08:40.258Z" },
+    { url = "https://files.pythonhosted.org/packages/88/fa/e1388bbcf24ef3274f45c0c1c7b501fd14971037c1b6ee23610553307497/uvicorn-0.49.0-py3-none-any.whl", hash = "sha256:ba3d14c3ee7e41c6c654c46c9eb489d33213cdd30aa1696eab1374337c13f68f", size = 71376, upload-time = "2026-06-03T22:01:29.037Z" },
 ]
 
 [package.optional-dependencies]

From 798bc77f427ce69d26d1cc70090136b92781e3e0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 12:54:27 +0200
Subject: [PATCH 55/68] core: bump goauthentik/fips-python from `ede0a00` to
 `94d8805` in /lifecycle/container (#22992)

core: bump goauthentik/fips-python in /lifecycle/container

Bumps goauthentik/fips-python from `ede0a00` to `94d8805`.

---
updated-dependencies:
- dependency-name: goauthentik/fips-python
  dependency-version: 3.14.5-slim-trixie-fips
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 lifecycle/container/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lifecycle/container/Dockerfile b/lifecycle/container/Dockerfile
index 3573c7d79c..8856c1b103 100644
--- a/lifecycle/container/Dockerfile
+++ b/lifecycle/container/Dockerfile
@@ -118,7 +118,7 @@ RUN cat /root/.rustup/settings.toml
 # Stage: Download uv
 FROM ghcr.io/astral-sh/uv:0.11.19@sha256:b46b03ddfcfbf8f547af7e9eaefdf8a39c8cebcba7c98858d3162bd28cf536f6 AS uv
 # Stage: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.14.5-slim-trixie-fips@sha256:ede0a006a873bfd3e66fd0e56827bc8e46ea75341e1a6a35dae6edd6ad6be691 AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.14.5-slim-trixie-fips@sha256:94d880542ff5e74bd50b874680fd68a04fe6bb34b7f25e8a081b62b7e1ae6dc3 AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \

From 4881c3f337c017974721ab7d09437878ebfab137 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 12:54:30 +0200
Subject: [PATCH 56/68] core: bump astral-sh/uv from 0.11.19 to 0.11.20 in
 /lifecycle/container (#22991)

Bumps [astral-sh/uv](https://github.com/astral-sh/uv) from 0.11.19 to 0.11.20.
- [Release notes](https://github.com/astral-sh/uv/releases)
- [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/uv/compare/0.11.19...0.11.20)

---
updated-dependencies:
- dependency-name: astral-sh/uv
  dependency-version: 0.11.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 lifecycle/container/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lifecycle/container/Dockerfile b/lifecycle/container/Dockerfile
index 8856c1b103..aaee9343f7 100644
--- a/lifecycle/container/Dockerfile
+++ b/lifecycle/container/Dockerfile
@@ -116,7 +116,7 @@ RUN --mount=type=bind,target=rust-toolchain.toml,src=rust-toolchain.toml \
 RUN cat /root/.rustup/settings.toml
 
 # Stage: Download uv
-FROM ghcr.io/astral-sh/uv:0.11.19@sha256:b46b03ddfcfbf8f547af7e9eaefdf8a39c8cebcba7c98858d3162bd28cf536f6 AS uv
+FROM ghcr.io/astral-sh/uv:0.11.20@sha256:eaa5f1a3305307aaf9e67fe2bbba1d85ebbb2d8a63bce23af21797bfafbe0f8b AS uv
 # Stage: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.14.5-slim-trixie-fips@sha256:94d880542ff5e74bd50b874680fd68a04fe6bb34b7f25e8a081b62b7e1ae6dc3 AS python-base
 

From 9cc9cac13b083f554dae150b8257a3a909a2f11a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 12:54:35 +0200
Subject: [PATCH 57/68] lifecycle/aws: bump aws-cdk from 2.1125.0 to 2.1126.0
 in /lifecycle/aws (#22990)

Bumps [aws-cdk](https://github.com/aws/aws-cdk-cli/tree/HEAD/packages/aws-cdk) from 2.1125.0 to 2.1126.0.
- [Release notes](https://github.com/aws/aws-cdk-cli/releases)
- [Commits](https://github.com/aws/aws-cdk-cli/commits/aws-cdk@v2.1126.0/packages/aws-cdk)

---
updated-dependencies:
- dependency-name: aws-cdk
  dependency-version: 2.1126.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 lifecycle/aws/package-lock.json | 8 ++++----
 lifecycle/aws/package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lifecycle/aws/package-lock.json b/lifecycle/aws/package-lock.json
index 6dc3577f04..26d15bcf21 100644
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1125.0",
+                "aws-cdk": "^2.1126.0",
                 "cross-env": "^10.1.0"
             },
             "engines": {
@@ -25,9 +25,9 @@
             "license": "MIT"
         },
         "node_modules/aws-cdk": {
-            "version": "2.1125.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1125.0.tgz",
-            "integrity": "sha512-QAvsE2XQMcyNOjMMqAS7eDADR9t6vcFcMQvhOmtLfDqgfJXSyTkHvzM5zgwZCdJ4FNqWr5Y/zXvL1Cv5ECKXwQ==",
+            "version": "2.1126.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1126.0.tgz",
+            "integrity": "sha512-uNoocb3vCPiAT3j9+SwL6pn/VVggHWBsgC2XpxyhNvYQYt6cE9BM/149GWwtdcwnLrPjnwW1+CV/5nSSh5dV+w==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {
diff --git a/lifecycle/aws/package.json b/lifecycle/aws/package.json
index 51ec72589c..bc7a5ec52b 100644
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@@ -7,7 +7,7 @@
         "aws-cfn": "cross-env CI=false cdk synth --version-reporting=false > template.yaml"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1125.0",
+        "aws-cdk": "^2.1126.0",
         "cross-env": "^10.1.0"
     },
     "engines": {

From f40c538034c28790ea100d4766c3e5e33927dcc2 Mon Sep 17 00:00:00 2001
From: "transifex-integration[bot]"
 <43880903+transifex-integration[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 12:54:39 +0200
Subject: [PATCH 58/68] translate: Updates for project authentik and language
 no_NO (#22988)

translate: Translate django.po in no_NO

100% translated source file: 'django.po'
on 'no_NO'.

Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
---
 locale/no_NO/LC_MESSAGES/django.po | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/locale/no_NO/LC_MESSAGES/django.po b/locale/no_NO/LC_MESSAGES/django.po
index b329c081a9..3b01fb6a0f 100644
--- a/locale/no_NO/LC_MESSAGES/django.po
+++ b/locale/no_NO/LC_MESSAGES/django.po
@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-22 00:36+0000\n"
+"POT-Creation-Date: 2026-06-11 00:42+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Raphael Cancelliere, 2026\n"
 "Language-Team: Norwegian (Norway) (https://app.transifex.com/authentik/teams/119923/no_NO/)\n"
@@ -3692,14 +3692,6 @@ msgstr "Google OAuth-kilde"
 msgid "Google OAuth Sources"
 msgstr "Google OAuth-kilder"
 
-#: authentik/sources/oauth/models.py
-msgid "Azure AD OAuth Source"
-msgstr "Azure AD OAuth-kilde"
-
-#: authentik/sources/oauth/models.py
-msgid "Azure AD OAuth Sources"
-msgstr "Azure AD OAuth-kilder"
-
 #: authentik/sources/oauth/models.py
 msgid "Entra ID OAuth Source"
 msgstr "Entra ID OAuth-kilde"

From 7767075b040177e8224379c4699fef695ceafce1 Mon Sep 17 00:00:00 2001
From: "transifex-integration[bot]"
 <43880903+transifex-integration[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 12:54:43 +0200
Subject: [PATCH 59/68] translate: Updates for project authentik and language
 hu_HU (#22987)

translate: Translate django.po in hu_HU

100% translated source file: 'django.po'
on 'hu_HU'.

Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
---
 locale/hu_HU/LC_MESSAGES/django.po | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/locale/hu_HU/LC_MESSAGES/django.po b/locale/hu_HU/LC_MESSAGES/django.po
index 601b01c818..384418a924 100644
--- a/locale/hu_HU/LC_MESSAGES/django.po
+++ b/locale/hu_HU/LC_MESSAGES/django.po
@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-22 00:36+0000\n"
+"POT-Creation-Date: 2026-06-11 00:42+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Gyula Kiss <kiss@indi.hu>, 2026\n"
 "Language-Team: Hungarian (Hungary) (https://app.transifex.com/authentik/teams/119923/hu_HU/)\n"
@@ -3780,14 +3780,6 @@ msgstr "Google OAuth forrás"
 msgid "Google OAuth Sources"
 msgstr "Google OAuth források"
 
-#: authentik/sources/oauth/models.py
-msgid "Azure AD OAuth Source"
-msgstr "Azure AD OAuth forrás"
-
-#: authentik/sources/oauth/models.py
-msgid "Azure AD OAuth Sources"
-msgstr "Azure AD OAuth források"
-
 #: authentik/sources/oauth/models.py
 msgid "Entra ID OAuth Source"
 msgstr "Entra ID OAuth forrás"

From 21666c8c1c463ceea5e02a6eef44b292dc017304 Mon Sep 17 00:00:00 2001
From: "transifex-integration[bot]"
 <43880903+transifex-integration[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 12:54:48 +0200
Subject: [PATCH 60/68] translate: Updates for project authentik and language
 fr_FR (#22986)

translate: Translate django.po in fr_FR

100% translated source file: 'django.po'
on 'fr_FR'.

Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
---
 locale/fr_FR/LC_MESSAGES/django.po | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/locale/fr_FR/LC_MESSAGES/django.po b/locale/fr_FR/LC_MESSAGES/django.po
index feb36304fe..55ecc2eab2 100644
--- a/locale/fr_FR/LC_MESSAGES/django.po
+++ b/locale/fr_FR/LC_MESSAGES/django.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-22 00:36+0000\n"
+"POT-Creation-Date: 2026-06-11 00:42+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Sp P, 2026\n"
 "Language-Team: French (France) (https://app.transifex.com/authentik/teams/119923/fr_FR/)\n"
@@ -3790,14 +3790,6 @@ msgstr "Source d'OAuth Google"
 msgid "Google OAuth Sources"
 msgstr "Source d'OAuth Google"
 
-#: authentik/sources/oauth/models.py
-msgid "Azure AD OAuth Source"
-msgstr "Source d'OAuth Azure AD"
-
-#: authentik/sources/oauth/models.py
-msgid "Azure AD OAuth Sources"
-msgstr "Source d'OAuth Azure AD"
-
 #: authentik/sources/oauth/models.py
 msgid "Entra ID OAuth Source"
 msgstr "Source d'OAuth Entra ID"

From 884904e16fc5424d1bf314c6794ad0c424a926e3 Mon Sep 17 00:00:00 2001
From: Dewi Roberts <dewi@goauthentik.io>
Date: Thu, 11 Jun 2026 15:29:43 +0100
Subject: [PATCH 61/68] website/docs: additional scim provider docs (#22135)

* Add create scim provider doc, add info about oauth interactive mode, update sidebar

* Spelling

---------

Co-authored-by: Dominic R <dominic@goauthentik.io>
---
 .../providers/scim/create-scim-provider.md    | 71 +++++++++++++++++++
 .../add-secure-apps/providers/scim/index.md   | 20 ++----
 website/docs/sidebar.mjs                      | 10 ++-
 3 files changed, 87 insertions(+), 14 deletions(-)
 create mode 100644 website/docs/add-secure-apps/providers/scim/create-scim-provider.md

diff --git a/website/docs/add-secure-apps/providers/scim/create-scim-provider.md b/website/docs/add-secure-apps/providers/scim/create-scim-provider.md
new file mode 100644
index 0000000000..7258c50f62
--- /dev/null
+++ b/website/docs/add-secure-apps/providers/scim/create-scim-provider.md
@@ -0,0 +1,71 @@
+---
+title: Create a SCIM provider
+---
+
+## Create a SCIM provider with token authentication
+
+To create a provider along with a corresponding application, navigate to **Applications** > **Applications** and click **New Application**. We recommend this combined approach for most common use cases. Alternatively, you can use the legacy method to solely create the provider by navigating to **Applications** > **Providers** and clicking **New Provider**.
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair.
+3. On the **Application** page, define the application settings, and then click **Next**.
+4. Select **SCIM** as the **Provider Type**, and then click **Next**.
+5. On the **Configure Provider** page, provide the configuration settings, and then click **Next**.
+6. On the **Configure Bindings** page, click **Next**.
+7. Click **Create** to create both the application and the provider.
+
+### Set the SCIM provider as a backchannel provider for the application
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click the edit icon of the new SCIM application.
+3. Click the plus icon (+) next to **Backchannel providers**.
+4. Select the new SCIM provider, and then click **Confirm**.
+5. Click **Save changes**.
+
+## Create a SCIM provider with OAuth authentication
+
+There are 3 required steps to creating a SCIM provider:
+
+1. [Create an OAuth source](#create-an-oauth-source)
+2. [Create a SCIM application and provider](#create-a-scim-application-and-provider)
+3. [Set the SCIM provider as a backchannel provider for the application](#set-the-scim-provider-as-a-backchannel-provider-for-the-application)
+
+If using OAuth (Interactive) mode, you will also need to:
+
+4. [Provide admin authorization](#provide-admin-authorization-oauth-interactive-mode-only)
+
+### Create an OAuth source
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Directory** > **Federation and Social login** and click **New Source**.
+3. Select **OpenID OAuth Source** as the **Source type**.
+4. On the **OpenID OAuth Source Details** page, provide the configuration settings provided by the SCIM endpoint that you are provisioning to, and then click **Create**.
+
+### Create a SCIM application and provider
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair.
+3. On the **Application** page, define the application settings, and then click **Next**.
+4. Select **SCIM** as the **Provider Type**, and then click **Next**.
+5. On the **Configure Provider** page, configure the required settings. Set **Authentication mode** to the desired OAuth option, select the **OAuth source** you created in the previous section, and then click **Next**.
+6. On the **Configure Bindings** page, click **Next**.
+7. Click **Create** to create both the application and the provider.
+
+### Set the SCIM provider as a backchannel provider for the application
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click the edit icon of the new SCIM application.
+3. Click the plus icon (+) next to **Backchannel providers**.
+4. Select the new SCIM provider, and then click **Confirm**.
+5. Click **Save changes**.
+
+### Provide admin authorization (OAuth Interactive mode only)
+
+If you selected **OAuth (Interactive)** as the **Authentication mode** for the SCIM provider, you will need to authorize the initial OAuth connection.
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Providers** and click the name of the new SCIM provider.
+3. Next to **OAuth Status**, click **(Re-)Authenticate**.
+4. You should be redirected to the SCIM endpoint that you are provisioning to for authentication.
+5. Once authenticated, you should be redirected back to authentik. If successful, **OAuth Status** should now show as **Authenticated**.
+   This step is only required when initially configuring the SCIM provider; subsequent authentications will be automatic.
diff --git a/website/docs/add-secure-apps/providers/scim/index.md b/website/docs/add-secure-apps/providers/scim/index.md
index 0c516b745c..12f1ef9cc2 100644
--- a/website/docs/add-secure-apps/providers/scim/index.md
+++ b/website/docs/add-secure-apps/providers/scim/index.md
@@ -8,13 +8,7 @@ A SCIM provider requires a SCIM base URL for the endpoint and an authentication
 
 SCIM providers in authentik always serve as [backchannel providers](../../applications/manage_apps.mdx#backchannel-providers), which are used in addition to the main provider that supplies SSO authentication. A backchannel provider is used for an application that requires backend authentication, directory synchronization, or other additional authentication needs.
 
-## Set up a SCIM provider
-
-Many applications use SCIM together with another SSO protocol such as OAuth/OIDC or SAML. For example, you can create an application and provider pair for Slack by using SAML for authentication and SCIM for provisioning. For this setup, use the following workflow:
-
-1. [Create](../../applications/manage_apps.mdx#create-an-application-and-provider-pair) the application and provider pair.
-2. [Create](../../applications/manage_apps.mdx#backchannel-providers) the SCIM backchannel provider.
-3. Edit the application, and in the **Backchannel Providers** field add the SCIM provider that you created.
+For instructions on creating a SCIM provider, refer to the [Create a SCIM provider](./create-scim-provider.md) documentation.
 
 ## Authentication modes
 
@@ -23,12 +17,6 @@ In authentik, there are two ways to authenticate SCIM requests:
 - **Static token** provided by the application. This is the default authentication mode.
 - **OAuth token** that authentik retrieves from a specified source and uses for authentication.
 
-When you create a new SCIM provider, select the **Authentication Mode** that the application supports.
-
-![Creating a SCIM provider](./scim_oauth.png)
-
-For either mode, enter the SCIM base **URL** for the endpoint.
-
 ### Static token
 
 When the authentication mode is set to **Static token**, authentik sends the token provided by the application with outgoing SCIM requests to authenticate each request.
@@ -37,6 +25,12 @@ When the authentication mode is set to **Static token**, authentik sends the tok
 
 When you configure a SCIM provider to use OAuth for authentication, authentik generates short-lived tokens through an OAuth flow and sends them to the SCIM endpoint. This offers improved security and control compared with a static token.
 
+authentik supports two types of SCIM OAuth authentication:
+
+- **Silent OAuth** – The system obtains or refreshes access tokens automatically, without any administrator interaction. This is the typical approach used for ongoing SCIM provisioning.
+
+- **Interactive OAuth** – During setup, an administrator is required to authorize the connection before the SCIM integration can obtain its initial token. authentik then stores a refresh token, and provisioning then runs in the background without further admin interaction.
+
 You can also add additional token request parameters such as `grant_type`, `subject_token`, or `client_assertion`.
 
 **Example**:
diff --git a/website/docs/sidebar.mjs b/website/docs/sidebar.mjs
index 8ee5468744..d32fe47197 100644
--- a/website/docs/sidebar.mjs
+++ b/website/docs/sidebar.mjs
@@ -254,7 +254,15 @@ const items = [
                             "add-secure-apps/providers/saml/saml_single_logout",
                         ],
                     },
-                    "add-secure-apps/providers/scim/index",
+                    {
+                        type: "category",
+                        label: "SCIM Provider",
+                        link: {
+                            type: "doc",
+                            id: "add-secure-apps/providers/scim/index",
+                        },
+                        items: ["add-secure-apps/providers/scim/create-scim-provider"],
+                    },
                     {
                         type: "category",
                         label: "SSF Provider",

From 978abbd734af6ac3e3a1beaf562fa91b028fba11 Mon Sep 17 00:00:00 2001
From: Connor Peshek <connor@connorpeshek.me>
Date: Thu, 11 Jun 2026 10:01:24 -0500
Subject: [PATCH 62/68] website/integrations: add post logout to audiobookshelf
 (#22999)

website/integrations: add post logout to abs

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
---
 website/integrations/media/audiobookshelf/index.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/website/integrations/media/audiobookshelf/index.md b/website/integrations/media/audiobookshelf/index.md
index eb85cec8c3..b99aeebec9 100644
--- a/website/integrations/media/audiobookshelf/index.md
+++ b/website/integrations/media/audiobookshelf/index.md
@@ -33,9 +33,10 @@ To support the integration of Audiobookshelf with authentik, you need to create
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Add two `Strict` redirect URIs:
-            - `https://audiobookshelf.company/auth/openid/callback`
-            - `https://audiobookshelf.company/auth/openid/mobile-redirect`
+        - Add three **Redirect URIs**:
+            - `Strict` `Authorization` `https://audiobookshelf.company/auth/openid/callback`
+            - `Strict` `Authorization` `https://audiobookshelf.company/auth/openid/mobile-redirect`
+            - `Strict` `Post Logout` `https://audiobookshelf.company/login`
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
@@ -53,6 +54,7 @@ To support the integration of Audiobookshelf with authentik, you need to create
     - **Token URL**: `https://authentik.company/application/o/token/`
     - **User Info URL**: `https://authentik.company/application/o/userinfo/`
     - **JWKS URL**: `https://authentik.company/application/o/<application_slug>/jwks/`
+    - **Logout URL**: `https://auth.yoursite.com/application/o/<application_slug>/end-session/`
     - **Signing Algorithm**: `RS256`
     - **Allow Mobile Redirect URLs**: `https://audiobookshelf.company/auth/openid/mobile-redirect`
     - **Match existing users by**: `username`

From b12416a413609d4fe5a8f83aa240f66b484eb64b Mon Sep 17 00:00:00 2001
From: Connor Peshek <connor@connorpeshek.me>
Date: Thu, 11 Jun 2026 10:03:04 -0500
Subject: [PATCH 63/68] website/integrations: add kavita (#23000)

* website/integrations: add kavita

* add missing dashes

* Update index.md

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

---------

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
---
 website/integrations/media/kavita/index.md | 65 ++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 website/integrations/media/kavita/index.md

diff --git a/website/integrations/media/kavita/index.md b/website/integrations/media/kavita/index.md
new file mode 100644
index 0000000000..84854af511
--- /dev/null
+++ b/website/integrations/media/kavita/index.md
@@ -0,0 +1,65 @@
+---
+title: Integrate with Kavita
+sidebar_label: Kavita
+support_level: community
+---
+
+## What is Kavita?
+
+> Kavita is a self-hosted digital library and reading server for manga, comics, books, and other digital media, with support for organizing collections and reading in the browser.
+>
+> -- https://www.kavitareader.com/
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `kavita.company` is the FQDN of the Kavita installation.
+- `authentik.company` is the FQDN of the authentik installation.
+
+:::info
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+:::
+
+## authentik configuration
+
+To support the integration of Kavita with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://kavita.company/signin-oidc`
+        - Add a **Redirect URI** of type `Strict` `Post Logout` as `https://kavita.company/signout-callback-oidc`
+        - **Logout URI**: `https://kavita.company/signout-oidc`
+        - **Logout Method**: `Front-channel`
+        - Select any available signing key.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
+
+3. Click **Submit** to save the new application and provider.
+
+## Kavita configuration
+
+1. Log in to Kavita as an administrator.
+2. Navigate to **Settings** > **OpenID Connect**.
+3. Configure the following settings:
+    - **Authority**: `https://authentik.company/application/o/<application_slug>/`
+    - **Client Id**: enter the Client ID from authentik.
+    - **Secret**: enter the Client Secret from authentik.
+    - **Provision Accounts**: enable this setting to automatically create Kavita accounts for users who log in through authentik.
+    - **Require Verified Emails**: disable this setting.
+4. Click **Save**.
+
+Restart your Kavita instance for these changes to take effect.
+
+## Configuration verification
+
+To confirm that authentik is properly configured with Kavita, log out of Kavita and then log back in using the **Login with SSO** option. You should be redirected to authentik for authentication and then redirected back to Kavita as a logged-in user.
+
+## Resources
+
+- [Kavita OpenID Connect documentation](https://wiki.kavitareader.com/guides/admin-settings/open-id-connect/)

From 80e7dd0c621e11fffa1046b3d082b53debffb6a0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 17:43:07 +0200
Subject: [PATCH 64/68] web: bump @goauthentik/tsconfig from 1.0.9 to 2.0.0 in
 /web/packages/core in the goauthentik group across 1 directory (#22996)

* web: bump @goauthentik/tsconfig

Bumps the goauthentik group with 1 update in the /web/packages/core directory: [@goauthentik/tsconfig](https://github.com/goauthentik/authentik/tree/HEAD/packages/tsconfig).


Updates `@goauthentik/tsconfig` from 1.0.9 to 2.0.0
- [Release notes](https://github.com/goauthentik/authentik/releases)
- [Commits](https://github.com/goauthentik/authentik/commits/HEAD/packages/tsconfig)

---
updated-dependencies:
- dependency-name: "@goauthentik/tsconfig"
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: goauthentik
...

Signed-off-by: dependabot[bot] <support@github.com>

* sigh

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
---
 web/package-lock.json          | 12 +++++++++++-
 web/packages/core/package.json |  2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/web/package-lock.json b/web/package-lock.json
index 3c30a7932e..a599d9befe 100644
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -20936,7 +20936,7 @@
             "version": "1.0.0",
             "license": "MIT",
             "dependencies": {
-                "@goauthentik/tsconfig": "^1.0.9",
+                "@goauthentik/tsconfig": "^2.0.0",
                 "@types/node": "^25.7.0",
                 "@types/semver": "^7.7.1",
                 "semver": "^7.7.4",
@@ -20947,6 +20947,16 @@
                 "npm": ">=11.14.1"
             }
         },
+        "packages/core/node_modules/@goauthentik/tsconfig": {
+            "version": "2.0.0",
+            "resolved": "https://registry.npmjs.org/@goauthentik/tsconfig/-/tsconfig-2.0.0.tgz",
+            "integrity": "sha512-HiU/U9cO4Aaik3VjUHu/3PjD0m2nhIJXlENW1kbfVRFBaqAw//9UuHIel2E3vgwyua93fht36cBb8itZVsG1Vg==",
+            "license": "MIT",
+            "engines": {
+                "node": ">=24",
+                "npm": ">=11.14.1"
+            }
+        },
         "packages/core/node_modules/semver": {
             "version": "7.7.4",
             "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
diff --git a/web/packages/core/package.json b/web/packages/core/package.json
index df396010c1..5b734d756a 100644
--- a/web/packages/core/package.json
+++ b/web/packages/core/package.json
@@ -44,7 +44,7 @@
         }
     },
     "dependencies": {
-        "@goauthentik/tsconfig": "^1.0.9",
+        "@goauthentik/tsconfig": "^2.0.0",
         "@types/node": "^25.7.0",
         "@types/semver": "^7.7.1",
         "semver": "^7.7.4",

From fc8424ac50cb92c36bede7c8a67b6981e7978f51 Mon Sep 17 00:00:00 2001
From: Dominic R <dominic@goauthentik.io>
Date: Thu, 11 Jun 2026 12:15:21 -0400
Subject: [PATCH 65/68] stages/captcha: add Cap and JSON verification support
 (#22373)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* stages/captcha: add Cap and JSON verification support

Add a configurable verification request content type so CAPTCHA providers can use either form-encoded or JSON token verification.

Add Cap as a preset and flow controller, including module-script loading, interactive widget handling, generated API/client types, tests, and docs.

* web/admin: clarify Cap captcha configuration

Treat the Cap endpoint as a form-only alias for the existing public key field and document Cap alongside the other CAPTCHA providers.

Agent-thread: https://sdko.org/internal/threads/019e737a-314e-72d0-98ae-201cb855df3a

A7k-product: product

A7k-product-repo: 2

Co-authored-by: Agent <agent@svc.sdko.net>

* stages/captcha: prefer self-hosted Cap widget URL

Default the Cap provider guidance to the self-hosted widget asset and keep CDN usage pinned to reviewed releases.

Agent-thread: https://sdko.org/internal/thr/ak/019ead31-2435-7e12-b933-e873155d6894

A7k-product: product

A7k-product-repo: 2

Co-authored-by: Agent <agent@svc.sdko.net>

* floating

---------

Co-authored-by: Agent <agent@svc.sdko.net>
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
---
 authentik/stages/captcha/api.py               |   1 +
 .../0005_captchastage_request_content_type.py |  24 +++
 authentik/stages/captcha/models.py            |  11 ++
 authentik/stages/captcha/stage.py             |  20 ++-
 authentik/stages/captcha/tests.py             |  35 +++-
 blueprints/schema.json                        |   8 +
 packages/client-ts/src/models/CaptchaStage.ts |  16 ++
 .../src/models/CaptchaStageRequest.ts         |  17 ++
 .../src/models/PatchedCaptchaStageRequest.ts  |  17 ++
 .../src/models/RequestContentTypeEnum.ts      |  58 +++++++
 packages/client-ts/src/models/index.ts        |   1 +
 schema.yml                                    |  11 ++
 .../admin/stages/captcha/CaptchaStageForm.ts  | 149 ++++++++++++++----
 web/src/admin/stages/captcha/shared.ts        |  85 ++++++++++
 web/src/flow/stages/captcha/CaptchaStage.css  |   5 +
 web/src/flow/stages/captcha/CaptchaStage.ts   |  26 ++-
 .../captcha/controllers/CaptchaController.ts  |  19 ++-
 .../flow/stages/captcha/controllers/cap.ts    |  61 +++++++
 web/src/flow/stages/captcha/shared.ts         |  15 +-
 .../controllers/CaptchaDisplayController.ts   |   6 +
 .../flows-stages/stages/captcha/index.md      |  22 ++-
 21 files changed, 563 insertions(+), 44 deletions(-)
 create mode 100644 authentik/stages/captcha/migrations/0005_captchastage_request_content_type.py
 create mode 100644 packages/client-ts/src/models/RequestContentTypeEnum.ts
 create mode 100644 web/src/flow/stages/captcha/controllers/cap.ts

diff --git a/authentik/stages/captcha/api.py b/authentik/stages/captcha/api.py
index cb33ff4d2c..959d30df00 100644
--- a/authentik/stages/captcha/api.py
+++ b/authentik/stages/captcha/api.py
@@ -17,6 +17,7 @@ class CaptchaStageSerializer(StageSerializer):
             "private_key",
             "js_url",
             "api_url",
+            "request_content_type",
             "interactive",
             "score_min_threshold",
             "score_max_threshold",
diff --git a/authentik/stages/captcha/migrations/0005_captchastage_request_content_type.py b/authentik/stages/captcha/migrations/0005_captchastage_request_content_type.py
new file mode 100644
index 0000000000..6c7d24dbe7
--- /dev/null
+++ b/authentik/stages/captcha/migrations/0005_captchastage_request_content_type.py
@@ -0,0 +1,24 @@
+# Generated by Django 5.2.14 on 2026-05-14 23:58
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_captcha", "0004_captchastage_interactive"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="captchastage",
+            name="request_content_type",
+            field=models.TextField(
+                choices=[
+                    ("application/x-www-form-urlencoded", "Form encoded"),
+                    ("application/json", "JSON"),
+                ],
+                default="application/x-www-form-urlencoded",
+            ),
+        ),
+    ]
diff --git a/authentik/stages/captcha/models.py b/authentik/stages/captcha/models.py
index fb5a6dac28..776911b91e 100644
--- a/authentik/stages/captcha/models.py
+++ b/authentik/stages/captcha/models.py
@@ -8,6 +8,13 @@ from rest_framework.serializers import BaseSerializer
 from authentik.flows.models import Stage
 
 
+class CaptchaRequestContentType(models.TextChoices):
+    """Supported request content types for CAPTCHA verification."""
+
+    FORM = "application/x-www-form-urlencoded", _("Form encoded")
+    JSON = "application/json", _("JSON")
+
+
 class CaptchaStage(Stage):
     """Verify the user is human using Google's reCaptcha/other compatible CAPTCHA solutions."""
 
@@ -30,6 +37,10 @@ class CaptchaStage(Stage):
 
     js_url = models.TextField(default="https://www.recaptcha.net/recaptcha/api.js")
     api_url = models.TextField(default="https://www.recaptcha.net/recaptcha/api/siteverify")
+    request_content_type = models.TextField(
+        choices=CaptchaRequestContentType.choices,
+        default=CaptchaRequestContentType.FORM,
+    )
 
     @property
     def serializer(self) -> type[BaseSerializer]:
diff --git a/authentik/stages/captcha/stage.py b/authentik/stages/captcha/stage.py
index 9e582e5614..66b823e7a7 100644
--- a/authentik/stages/captcha/stage.py
+++ b/authentik/stages/captcha/stage.py
@@ -15,7 +15,7 @@ from authentik.flows.challenge import (
 from authentik.flows.stage import ChallengeStageView
 from authentik.lib.utils.http import get_http_session
 from authentik.root.middleware import ClientIPMiddleware
-from authentik.stages.captcha.models import CaptchaStage
+from authentik.stages.captcha.models import CaptchaRequestContentType, CaptchaStage
 
 LOGGER = get_logger()
 PLAN_CONTEXT_CAPTCHA = "captcha"
@@ -35,17 +35,23 @@ class CaptchaChallenge(WithUserInfoChallenge):
 
 def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str, key: str | None = None):
     """Validate captcha token"""
+    payload = {
+        "secret": key or stage.private_key,
+        "response": token,
+        "remoteip": remote_ip,
+    }
+    body_kwargs = (
+        {"json": payload}
+        if stage.request_content_type == CaptchaRequestContentType.JSON
+        else {"data": payload}
+    )
     try:
         response = get_http_session().post(
             stage.api_url,
             headers={
-                "Content-type": "application/x-www-form-urlencoded",
-            },
-            data={
-                "secret": key or stage.private_key,
-                "response": token,
-                "remoteip": remote_ip,
+                "Content-Type": stage.request_content_type,
             },
+            **body_kwargs,
         )
         response.raise_for_status()
         data = response.json()
diff --git a/authentik/stages/captcha/tests.py b/authentik/stages/captcha/tests.py
index 41bceb9f43..39a7b4a32e 100644
--- a/authentik/stages/captcha/tests.py
+++ b/authentik/stages/captcha/tests.py
@@ -10,7 +10,7 @@ from authentik.flows.planner import FlowPlan
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
-from authentik.stages.captcha.models import CaptchaStage
+from authentik.stages.captcha.models import CaptchaRequestContentType, CaptchaStage
 from authentik.stages.captcha.stage import (
     PLAN_CONTEXT_CAPTCHA_PRIVATE_KEY,
     PLAN_CONTEXT_CAPTCHA_SITE_KEY,
@@ -56,6 +56,39 @@ class TestCaptchaStage(FlowTestCase):
         )
         self.assertEqual(response.status_code, 200)
         self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
+        self.assertEqual(
+            mock.request_history[0].headers["Content-Type"],
+            CaptchaRequestContentType.FORM,
+        )
+        self.assertIn("response=PASSED", mock.request_history[0].text)
+
+    @Mocker()
+    def test_valid_json_content_type(self, mock: Mocker):
+        """Test valid captcha with JSON verification request"""
+        self.stage.request_content_type = CaptchaRequestContentType.JSON
+        self.stage.save()
+        mock.post(
+            "https://www.recaptcha.net/recaptcha/api/siteverify",
+            json={
+                "success": True,
+                "score": 0.5,
+            },
+        )
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+        response = self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            {"token": "PASSED"},
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
+        self.assertEqual(
+            mock.request_history[0].headers["Content-Type"],
+            CaptchaRequestContentType.JSON,
+        )
+        self.assertEqual(mock.request_history[0].json()["response"], "PASSED")
 
     @Mocker()
     def test_valid_override(self, mock: Mocker):
diff --git a/blueprints/schema.json b/blueprints/schema.json
index 03bd2a617c..602e676233 100644
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@@ -15105,6 +15105,14 @@
                     "minLength": 1,
                     "title": "Api url"
                 },
+                "request_content_type": {
+                    "type": "string",
+                    "enum": [
+                        "application/x-www-form-urlencoded",
+                        "application/json"
+                    ],
+                    "title": "Request content type"
+                },
                 "interactive": {
                     "type": "boolean",
                     "title": "Interactive"
diff --git a/packages/client-ts/src/models/CaptchaStage.ts b/packages/client-ts/src/models/CaptchaStage.ts
index 2c6b18c9dc..13430ab177 100644
--- a/packages/client-ts/src/models/CaptchaStage.ts
+++ b/packages/client-ts/src/models/CaptchaStage.ts
@@ -14,6 +14,11 @@
 
 import type { FlowSet } from "./FlowSet";
 import { FlowSetFromJSON } from "./FlowSet";
+import type { RequestContentTypeEnum } from "./RequestContentTypeEnum";
+import {
+    RequestContentTypeEnumFromJSON,
+    RequestContentTypeEnumToJSON,
+} from "./RequestContentTypeEnum";
 
 /**
  * CaptchaStage Serializer
@@ -81,6 +86,12 @@ export interface CaptchaStage {
      * @memberof CaptchaStage
      */
     apiUrl?: string;
+    /**
+     *
+     * @type {RequestContentTypeEnum}
+     * @memberof CaptchaStage
+     */
+    requestContentType?: RequestContentTypeEnum;
     /**
      *
      * @type {boolean}
@@ -141,6 +152,10 @@ export function CaptchaStageFromJSONTyped(json: any, ignoreDiscriminator: boolea
         publicKey: json["public_key"],
         jsUrl: json["js_url"] == null ? undefined : json["js_url"],
         apiUrl: json["api_url"] == null ? undefined : json["api_url"],
+        requestContentType:
+            json["request_content_type"] == null
+                ? undefined
+                : RequestContentTypeEnumFromJSON(json["request_content_type"]),
         interactive: json["interactive"] == null ? undefined : json["interactive"],
         scoreMinThreshold:
             json["score_min_threshold"] == null ? undefined : json["score_min_threshold"],
@@ -171,6 +186,7 @@ export function CaptchaStageToJSONTyped(
         public_key: value["publicKey"],
         js_url: value["jsUrl"],
         api_url: value["apiUrl"],
+        request_content_type: RequestContentTypeEnumToJSON(value["requestContentType"]),
         interactive: value["interactive"],
         score_min_threshold: value["scoreMinThreshold"],
         score_max_threshold: value["scoreMaxThreshold"],
diff --git a/packages/client-ts/src/models/CaptchaStageRequest.ts b/packages/client-ts/src/models/CaptchaStageRequest.ts
index 1c68022168..37792dc7ef 100644
--- a/packages/client-ts/src/models/CaptchaStageRequest.ts
+++ b/packages/client-ts/src/models/CaptchaStageRequest.ts
@@ -12,6 +12,12 @@
  * Do not edit the class manually.
  */
 
+import type { RequestContentTypeEnum } from "./RequestContentTypeEnum";
+import {
+    RequestContentTypeEnumFromJSON,
+    RequestContentTypeEnumToJSON,
+} from "./RequestContentTypeEnum";
+
 /**
  * CaptchaStage Serializer
  * @export
@@ -48,6 +54,12 @@ export interface CaptchaStageRequest {
      * @memberof CaptchaStageRequest
      */
     apiUrl?: string;
+    /**
+     *
+     * @type {RequestContentTypeEnum}
+     * @memberof CaptchaStageRequest
+     */
+    requestContentType?: RequestContentTypeEnum;
     /**
      *
      * @type {boolean}
@@ -101,6 +113,10 @@ export function CaptchaStageRequestFromJSONTyped(
         privateKey: json["private_key"],
         jsUrl: json["js_url"] == null ? undefined : json["js_url"],
         apiUrl: json["api_url"] == null ? undefined : json["api_url"],
+        requestContentType:
+            json["request_content_type"] == null
+                ? undefined
+                : RequestContentTypeEnumFromJSON(json["request_content_type"]),
         interactive: json["interactive"] == null ? undefined : json["interactive"],
         scoreMinThreshold:
             json["score_min_threshold"] == null ? undefined : json["score_min_threshold"],
@@ -129,6 +145,7 @@ export function CaptchaStageRequestToJSONTyped(
         private_key: value["privateKey"],
         js_url: value["jsUrl"],
         api_url: value["apiUrl"],
+        request_content_type: RequestContentTypeEnumToJSON(value["requestContentType"]),
         interactive: value["interactive"],
         score_min_threshold: value["scoreMinThreshold"],
         score_max_threshold: value["scoreMaxThreshold"],
diff --git a/packages/client-ts/src/models/PatchedCaptchaStageRequest.ts b/packages/client-ts/src/models/PatchedCaptchaStageRequest.ts
index b616986c41..b2522615bb 100644
--- a/packages/client-ts/src/models/PatchedCaptchaStageRequest.ts
+++ b/packages/client-ts/src/models/PatchedCaptchaStageRequest.ts
@@ -12,6 +12,12 @@
  * Do not edit the class manually.
  */
 
+import type { RequestContentTypeEnum } from "./RequestContentTypeEnum";
+import {
+    RequestContentTypeEnumFromJSON,
+    RequestContentTypeEnumToJSON,
+} from "./RequestContentTypeEnum";
+
 /**
  * CaptchaStage Serializer
  * @export
@@ -48,6 +54,12 @@ export interface PatchedCaptchaStageRequest {
      * @memberof PatchedCaptchaStageRequest
      */
     apiUrl?: string;
+    /**
+     *
+     * @type {RequestContentTypeEnum}
+     * @memberof PatchedCaptchaStageRequest
+     */
+    requestContentType?: RequestContentTypeEnum;
     /**
      *
      * @type {boolean}
@@ -100,6 +112,10 @@ export function PatchedCaptchaStageRequestFromJSONTyped(
         privateKey: json["private_key"] == null ? undefined : json["private_key"],
         jsUrl: json["js_url"] == null ? undefined : json["js_url"],
         apiUrl: json["api_url"] == null ? undefined : json["api_url"],
+        requestContentType:
+            json["request_content_type"] == null
+                ? undefined
+                : RequestContentTypeEnumFromJSON(json["request_content_type"]),
         interactive: json["interactive"] == null ? undefined : json["interactive"],
         scoreMinThreshold:
             json["score_min_threshold"] == null ? undefined : json["score_min_threshold"],
@@ -128,6 +144,7 @@ export function PatchedCaptchaStageRequestToJSONTyped(
         private_key: value["privateKey"],
         js_url: value["jsUrl"],
         api_url: value["apiUrl"],
+        request_content_type: RequestContentTypeEnumToJSON(value["requestContentType"]),
         interactive: value["interactive"],
         score_min_threshold: value["scoreMinThreshold"],
         score_max_threshold: value["scoreMaxThreshold"],
diff --git a/packages/client-ts/src/models/RequestContentTypeEnum.ts b/packages/client-ts/src/models/RequestContentTypeEnum.ts
new file mode 100644
index 0000000000..e287dc0fa2
--- /dev/null
+++ b/packages/client-ts/src/models/RequestContentTypeEnum.ts
@@ -0,0 +1,58 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.8.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+/**
+ *
+ * @export
+ */
+export const RequestContentTypeEnum = {
+    ApplicationXWwwFormUrlencoded: "application/x-www-form-urlencoded",
+    ApplicationJson: "application/json",
+    UnknownDefaultOpenApi: "11184809",
+} as const;
+export type RequestContentTypeEnum =
+    (typeof RequestContentTypeEnum)[keyof typeof RequestContentTypeEnum];
+
+export function instanceOfRequestContentTypeEnum(value: any): boolean {
+    for (const key in RequestContentTypeEnum) {
+        if (Object.prototype.hasOwnProperty.call(RequestContentTypeEnum, key)) {
+            if (RequestContentTypeEnum[key as keyof typeof RequestContentTypeEnum] === value) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+
+export function RequestContentTypeEnumFromJSON(json: any): RequestContentTypeEnum {
+    return RequestContentTypeEnumFromJSONTyped(json, false);
+}
+
+export function RequestContentTypeEnumFromJSONTyped(
+    json: any,
+    ignoreDiscriminator: boolean,
+): RequestContentTypeEnum {
+    return json as RequestContentTypeEnum;
+}
+
+export function RequestContentTypeEnumToJSON(value?: RequestContentTypeEnum | null): any {
+    return value as any;
+}
+
+export function RequestContentTypeEnumToJSONTyped(
+    value: any,
+    ignoreDiscriminator: boolean,
+): RequestContentTypeEnum {
+    return value as RequestContentTypeEnum;
+}
diff --git a/packages/client-ts/src/models/index.ts b/packages/client-ts/src/models/index.ts
index da4090a4cf..3f9fc870ef 100644
--- a/packages/client-ts/src/models/index.ts
+++ b/packages/client-ts/src/models/index.ts
@@ -713,6 +713,7 @@ export * from "./RelatedRule";
 export * from "./Reputation";
 export * from "./ReputationPolicy";
 export * from "./ReputationPolicyRequest";
+export * from "./RequestContentTypeEnum";
 export * from "./Review";
 export * from "./ReviewRequest";
 export * from "./ReviewerGroup";
diff --git a/schema.yml b/schema.yml
index 6a3f2c51c1..f21afc33db 100644
--- a/schema.yml
+++ b/schema.yml
@@ -36333,6 +36333,8 @@ components:
           type: string
         api_url:
           type: string
+        request_content_type:
+          $ref: '#/components/schemas/RequestContentTypeEnum'
         interactive:
           type: boolean
         score_min_threshold:
@@ -36378,6 +36380,8 @@ components:
         api_url:
           type: string
           minLength: 1
+        request_content_type:
+          $ref: '#/components/schemas/RequestContentTypeEnum'
         interactive:
           type: boolean
         score_min_threshold:
@@ -48260,6 +48264,8 @@ components:
         api_url:
           type: string
           minLength: 1
+        request_content_type:
+          $ref: '#/components/schemas/RequestContentTypeEnum'
         interactive:
           type: boolean
         score_min_threshold:
@@ -53805,6 +53811,11 @@ components:
           minimum: -2147483648
       required:
       - name
+    RequestContentTypeEnum:
+      enum:
+      - application/x-www-form-urlencoded
+      - application/json
+      type: string
     Review:
       type: object
       description: |-
diff --git a/web/src/admin/stages/captcha/CaptchaStageForm.ts b/web/src/admin/stages/captcha/CaptchaStageForm.ts
index 6c962e3ac2..387f71815c 100644
--- a/web/src/admin/stages/captcha/CaptchaStageForm.ts
+++ b/web/src/admin/stages/captcha/CaptchaStageForm.ts
@@ -14,9 +14,11 @@ import { SlottedTemplateResult } from "#elements/types";
 import { BaseStageForm } from "#admin/stages/BaseStageForm";
 import {
     CAPTCHA_PROVIDERS,
+    CAPTCHA_REQUEST_CONTENT_TYPES,
     CaptchaProviderKey,
     CaptchaProviderKeys,
     CaptchaProviderPreset,
+    deriveCapSiteVerifyURL,
     detectProviderFromInstance,
     pluckFormValues,
 } from "#admin/stages/captcha/shared";
@@ -35,6 +37,10 @@ import { customElement, state } from "lit/decorators.js";
 import { guard } from "lit/directives/guard.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
+type CaptchaStageFormRequest = (CaptchaStageRequest | PatchedCaptchaStageRequest) & {
+    capEndpoint?: string;
+};
+
 @customElement("ak-stage-captcha-form")
 export class CaptchaStageForm extends BaseStageForm<CaptchaStage> {
     public static override readonly styles = [...super.styles, Styles];
@@ -83,6 +89,26 @@ export class CaptchaStageForm extends BaseStageForm<CaptchaStage> {
     public async send(
         data: CaptchaStageRequest | PatchedCaptchaStageRequest,
     ): Promise<CaptchaStage> {
+        const formData = data as CaptchaStageFormRequest;
+
+        if (this.selectedProvider === "cap" && (formData.capEndpoint || formData.publicKey)) {
+            const capEndpoint = formData.capEndpoint || formData.publicKey || "";
+
+            formData.publicKey = capEndpoint;
+            delete formData.capEndpoint;
+
+            const presetURL = CAPTCHA_PROVIDERS.cap.apiUrl;
+            // The Cap verification URL includes the site key, so derive it from the
+            // widget endpoint unless the advanced field was explicitly customized.
+            if (!data.apiUrl || data.apiUrl === presetURL) {
+                const siteVerifyURL = deriveCapSiteVerifyURL(capEndpoint);
+
+                if (siteVerifyURL) {
+                    data.apiUrl = siteVerifyURL;
+                }
+            }
+        }
+
         if (this.instance) {
             return this.#api.stagesCaptchaPartialUpdate({
                 stageUuid: this.instance.pk || "",
@@ -117,43 +143,77 @@ export class CaptchaStageForm extends BaseStageForm<CaptchaStage> {
             </p>
 
             ${guard([this.#currentPreset], () => {
-                const { formatAPISource, keyURL } = this.#currentPreset;
+                const { formatAPISource, formatDescription, keyURL } = this.#currentPreset;
 
-                if (!formatAPISource || !keyURL) {
-                    return null;
-                }
+                const description = formatDescription
+                    ? html`<p class="pf-c-form__helper-text">${formatDescription()}</p>`
+                    : null;
+                const providerLink =
+                    formatAPISource && keyURL
+                        ? html`<ak-alert level=${Level.Info} icon="fa-key">
+                              ${this.selectedProvider === "cap"
+                                  ? msg(
+                                        html`Use the
+                                        ${html`<a
+                                            target="_blank"
+                                            rel="noopener noreferrer"
+                                            href=${keyURL}
+                                            >${formatAPISource()}</a
+                                        >`}
+                                        to self-host Cap and configure the endpoint.`,
+                                        {
+                                            id: "captcha.provider-link.cap",
+                                            desc: "Supplementary help text with link to Cap documentation.",
+                                        },
+                                    )
+                                  : msg(
+                                        html`API keys can be obtained from the
+                                        ${html`<a
+                                                target="_blank"
+                                                rel="noopener noreferrer"
+                                                href=${keyURL}
+                                                >${formatAPISource()}</a
+                                            >.`}`,
+                                        {
+                                            id: "captcha.provider-link",
+                                            desc: "Supplementary help text with link to provider dashboard.",
+                                        },
+                                    )}
+                          </ak-alert>`
+                        : null;
 
-                return html`<ak-alert level=${Level.Info} icon="fa-key">
-                    ${msg(
-                        html`API keys can be obtained from the
-                        ${html`<a target="_blank" rel="noopener noreferrer" href=${keyURL}
-                                >${formatAPISource()}</a
-                            >.`}`,
-                        {
-                            id: "captcha.provider-link",
-                            desc: "Supplementary help text with link to provider dashboard.",
-                        },
-                    )}
-                </ak-alert>`;
+                return html`${description} ${providerLink}`;
             })}
         </ak-form-element-horizontal>`;
     }
 
     protected renderKeyFields(): SlottedTemplateResult {
+        const isCapProvider = this.selectedProvider === "cap";
+        const publicKeyLabel = isCapProvider ? msg("Cap Endpoint") : msg("Public Key");
+        const publicKeyPlaceholder = isCapProvider
+            ? msg("https://cap.example.com/site-key/")
+            : msg("Paste your CAPTCHA public key...");
+        const publicKeyHelp = isCapProvider
+            ? msg("The public site-key endpoint of your Cap server.", {
+                  id: "captcha.cap-endpoint.description",
+                  desc: "Description for Cap endpoint field.",
+              })
+            : msg("The public key is used by authentik to render the CAPTCHA widget.", {
+                  id: "captcha.public-key.description",
+                  desc: "Description for CAPTCHA public key field.",
+              });
+
         return html`
             <ak-text-input
-                label=${msg("Public Key")}
+                label=${publicKeyLabel}
                 required
-                name="publicKey"
-                type="text"
+                name=${isCapProvider ? "capEndpoint" : "publicKey"}
+                type=${isCapProvider ? "url" : "text"}
                 value="${ifDefined(this.instance?.publicKey || "")}"
                 autocomplete="off"
                 input-hint="code"
-                placeholder=${msg("Paste your CAPTCHA public key...")}
-                help=${msg("The public key is used by authentik to render the CAPTCHA widget.", {
-                    id: "captcha.public-key.description",
-                    desc: "Description for CAPTCHA public key field.",
-                })}
+                placeholder=${publicKeyPlaceholder}
+                help=${publicKeyHelp}
             >
             </ak-text-input>
 
@@ -236,9 +296,13 @@ export class CaptchaStageForm extends BaseStageForm<CaptchaStage> {
                     type="url"
                     value="${ifDefined(formValues.jsUrl)}"
                     required
-                    help=${msg(
-                        "URL to fetch the CAPTCHA JavaScript library from. Automatically set based on provider selection but can be customized.",
-                    )}
+                    help=${this.selectedProvider === "cap"
+                        ? msg(
+                              "For Cap, prefer the self-hosted widget asset, for example https://cap.example.com/assets/widget.js. If using a CDN, pin a reviewed release.",
+                          )
+                        : msg(
+                              "URL to fetch the CAPTCHA JavaScript library from. Automatically set based on provider selection but can be customized.",
+                          )}
                 ></ak-text-input>
                 <ak-text-input
                     label=${msg("API Verification URL")}
@@ -246,10 +310,35 @@ export class CaptchaStageForm extends BaseStageForm<CaptchaStage> {
                     type="url"
                     value="${ifDefined(formValues.apiUrl)}"
                     required
-                    help=${msg(
-                        "URL used to validate CAPTCHA response on the backend. Automatically set based on provider selection but can be customized.",
-                    )}
+                    help=${this.selectedProvider === "cap"
+                        ? msg(
+                              "Cap's server-side verification endpoint, for example https://cap.example.com/site-key/siteverify.",
+                          )
+                        : msg(
+                              "URL used to validate CAPTCHA response on the backend. Automatically set based on provider selection but can be customized.",
+                          )}
                 ></ak-text-input>
+                <ak-form-element-horizontal
+                    label=${msg("Request Content Type")}
+                    name="requestContentType"
+                >
+                    <select class="pf-c-form-control" name="requestContentType">
+                        ${CAPTCHA_REQUEST_CONTENT_TYPES.map(
+                            (type) =>
+                                html`<option
+                                    value=${type.value}
+                                    ?selected=${type.value === formValues.requestContentType}
+                                >
+                                    ${type.formatDisplayName()}
+                                </option>`,
+                        )}
+                    </select>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "Content-Type used for server-side verification. Cap requires JSON; most other providers use form-encoded requests.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
             </div>
         </ak-form-group>`;
     }
diff --git a/web/src/admin/stages/captcha/shared.ts b/web/src/admin/stages/captcha/shared.ts
index ce10318569..f7eb92d518 100644
--- a/web/src/admin/stages/captcha/shared.ts
+++ b/web/src/admin/stages/captcha/shared.ts
@@ -2,12 +2,35 @@ import { CaptchaStage, CaptchaStageRequest } from "@goauthentik/api";
 
 import { msg } from "@lit/localize";
 
+export type CaptchaRequestContentType = "application/x-www-form-urlencoded" | "application/json";
+
+export const CAPTCHA_REQUEST_CONTENT_TYPES = [
+    {
+        value: "application/x-www-form-urlencoded",
+        formatDisplayName: () =>
+            msg("Form encoded", {
+                id: "captcha.request-content-type.form",
+            }),
+    },
+    {
+        value: "application/json",
+        formatDisplayName: () =>
+            msg("JSON", {
+                id: "captcha.request-content-type.json",
+            }),
+    },
+] as const satisfies {
+    value: CaptchaRequestContentType;
+    formatDisplayName: () => string;
+}[];
+
 export const CaptchaProviderKeys = [
     "recaptcha_v2",
     "recaptcha_v3",
     "recaptcha_enterprise",
     "hcaptcha",
     "turnstile",
+    "cap",
     "custom",
 ] as const satisfies string[];
 
@@ -15,8 +38,10 @@ export type CaptchaProviderKey = (typeof CaptchaProviderKeys)[number];
 
 export interface CaptchaProviderPreset {
     formatDisplayName: () => string;
+    formatDescription?: () => string;
     jsUrl: string;
     apiUrl: string;
+    requestContentType: CaptchaRequestContentType;
     interactive: boolean;
     supportsScore: boolean;
     score?: { min: number; max: number };
@@ -37,6 +62,7 @@ export const CAPTCHA_PROVIDERS = {
             }),
         jsUrl: "https://www.recaptcha.net/recaptcha/api.js",
         apiUrl: "https://www.recaptcha.net/recaptcha/api/siteverify",
+        requestContentType: "application/x-www-form-urlencoded",
         interactive: true,
         supportsScore: false,
         formatAPISource: () =>
@@ -52,6 +78,7 @@ export const CAPTCHA_PROVIDERS = {
             }),
         jsUrl: "https://www.recaptcha.net/recaptcha/api.js",
         apiUrl: "https://www.recaptcha.net/recaptcha/api/siteverify",
+        requestContentType: "application/x-www-form-urlencoded",
         interactive: false,
         supportsScore: true,
         score: { min: 0.5, max: 1.0 },
@@ -68,6 +95,7 @@ export const CAPTCHA_PROVIDERS = {
             }),
         jsUrl: "https://www.recaptcha.net/recaptcha/enterprise.js",
         apiUrl: "https://www.recaptcha.net/recaptcha/api/siteverify",
+        requestContentType: "application/x-www-form-urlencoded",
         interactive: false,
         supportsScore: true,
         score: { min: 0.5, max: 1.0 },
@@ -84,6 +112,7 @@ export const CAPTCHA_PROVIDERS = {
             }),
         jsUrl: "https://js.hcaptcha.com/1/api.js",
         apiUrl: "https://api.hcaptcha.com/siteverify",
+        requestContentType: "application/x-www-form-urlencoded",
         interactive: true,
         supportsScore: true,
         score: { min: 0.0, max: 0.5 },
@@ -100,6 +129,7 @@ export const CAPTCHA_PROVIDERS = {
             }),
         jsUrl: "https://challenges.cloudflare.com/turnstile/v0/api.js",
         apiUrl: "https://challenges.cloudflare.com/turnstile/v0/siteverify",
+        requestContentType: "application/x-www-form-urlencoded",
         interactive: true,
         supportsScore: false,
         formatAPISource: () =>
@@ -108,6 +138,26 @@ export const CAPTCHA_PROVIDERS = {
             }),
         keyURL: "https://dash.cloudflare.com",
     },
+    cap: {
+        formatDisplayName: () =>
+            msg("Cap", {
+                id: "captcha.providers.cap",
+            }),
+        formatDescription: () =>
+            msg("Cap is a self-hostable CAPTCHA server that uses proof-of-work challenges.", {
+                id: "captcha.providers.cap.description",
+            }),
+        jsUrl: "https://cap.example.com/assets/widget.js",
+        apiUrl: "https://cap.example.com/site-key/siteverify",
+        requestContentType: "application/json",
+        interactive: true,
+        supportsScore: false,
+        formatAPISource: () =>
+            msg("Cap documentation", {
+                id: "captcha.providers.cap.setup-guide",
+            }),
+        keyURL: "https://trycap.dev/guide/",
+    },
     custom: {
         formatDisplayName: () =>
             msg("Custom", {
@@ -115,23 +165,56 @@ export const CAPTCHA_PROVIDERS = {
             }),
         jsUrl: "https://www.recaptcha.net/recaptcha/api.js",
         apiUrl: "https://www.recaptcha.net/recaptcha/api/siteverify",
+        requestContentType: "application/x-www-form-urlencoded",
         interactive: false,
         supportsScore: true,
         score: { min: 0.5, max: 1.0 },
     },
 } as const satisfies Record<CaptchaProviderKey, CaptchaProviderPreset>;
 
+export function deriveCapSiteVerifyURL(endpoint: string): string | null {
+    const trimmedEndpoint = endpoint.trim();
+
+    if (!URL.canParse(trimmedEndpoint)) {
+        return null;
+    }
+
+    const endpointURL = new URL(trimmedEndpoint);
+    const normalizedEndpoint = endpointURL.href.endsWith("/")
+        ? endpointURL.href
+        : `${endpointURL.href}/`;
+
+    return new URL("siteverify", normalizedEndpoint).toString();
+}
+
 /**
  * Detect which provider preset matches the given {@linkcode CaptchaStage} instance.
  * This allows the form to show the correct provider in the dropdown when editing
  * an existing CAPTCHA stage. Falls back to "custom" if no match is found.
  */
+function isCapWidgetURL(jsUrl?: string | null): boolean {
+    if (!jsUrl || !URL.canParse(jsUrl)) {
+        return false;
+    }
+
+    const { pathname } = new URL(jsUrl);
+    return pathname.includes("cap-widget") || pathname.endsWith("/assets/widget.js");
+}
+
 export function detectProviderFromInstance(stage?: CaptchaStage | null): CaptchaProviderKey {
     if (!stage) return "custom";
 
     for (const key of CaptchaProviderKeys) {
         const preset = CAPTCHA_PROVIDERS[key];
 
+        if (
+            key === "cap" &&
+            isCapWidgetURL(stage.jsUrl) &&
+            stage.requestContentType === preset.requestContentType
+        ) {
+            return key;
+        }
+
         if (stage.jsUrl === preset.jsUrl && stage.apiUrl === preset.apiUrl) {
             return key;
         }
@@ -153,6 +236,7 @@ export function pluckFormValues(
         return {
             jsUrl: instance.jsUrl,
             apiUrl: instance.apiUrl,
+            requestContentType: instance.requestContentType,
             interactive: instance.interactive,
             scoreMinThreshold: instance.scoreMinThreshold,
             scoreMaxThreshold: instance.scoreMaxThreshold,
@@ -163,6 +247,7 @@ export function pluckFormValues(
     return {
         jsUrl: preset.jsUrl,
         apiUrl: preset.apiUrl,
+        requestContentType: preset.requestContentType,
         interactive: preset.interactive,
         scoreMinThreshold: preset.score?.min ?? 0.5,
         scoreMaxThreshold: preset.score?.max ?? 1.0,
diff --git a/web/src/flow/stages/captcha/CaptchaStage.css b/web/src/flow/stages/captcha/CaptchaStage.css
index 1256ec09e1..4a70ac0c7e 100644
--- a/web/src/flow/stages/captcha/CaptchaStage.css
+++ b/web/src/flow/stages/captcha/CaptchaStage.css
@@ -36,4 +36,9 @@ ak-stage-captcha[theme="dark"].style-scope {
         background-color: var(--captcha-background-from);
         animation: captcha-background-animation 1s infinite var(--pf-global--TimingFunction);
     }
+
+    &[data-transparent-loading="true"][data-ready="loading"] {
+        background-color: transparent;
+        animation: none;
+    }
 }
diff --git a/web/src/flow/stages/captcha/CaptchaStage.ts b/web/src/flow/stages/captcha/CaptchaStage.ts
index 51859f2596..dfd3198fd2 100644
--- a/web/src/flow/stages/captcha/CaptchaStage.ts
+++ b/web/src/flow/stages/captcha/CaptchaStage.ts
@@ -12,6 +12,7 @@ import { AKFormErrors, ErrorProp } from "#components/ak-field-errors";
 import { FlowUserDetails } from "#flow/FormStatic";
 import { BaseStage } from "#flow/stages/base";
 import Styles from "#flow/stages/captcha/CaptchaStage.css";
+import { CapController, isCapWidgetURL } from "#flow/stages/captcha/controllers/cap";
 import {
     CaptchaController,
     CaptchaControllerConstructor,
@@ -53,7 +54,14 @@ interface LoadMessage {
     message: "load";
 }
 
-type IframeMessageEvent = MessageEvent<CaptchaMessage | LoadMessage>;
+interface ErrorMessage {
+    source?: string;
+    context?: string;
+    message: "error";
+    error: string;
+}
+
+type IframeMessageEvent = MessageEvent<CaptchaMessage | LoadMessage | ErrorMessage>;
 
 @customElement("ak-stage-captcha")
 export class CaptchaStage
@@ -79,6 +87,7 @@ export class CaptchaStage
         HCaptchaController,
         GReCaptchaController,
         TurnstileController,
+        CapController,
     ]);
 
     #logger = ConsoleLogger.prefix("flow:captcha");
@@ -165,6 +174,9 @@ export class CaptchaStage
         return match(data)
             .with({ message: "captcha" }, ({ token }) => this.onTokenChange(token))
             .with({ message: "load" }, this.#loadListener)
+            .with({ message: "error" }, ({ error }) => {
+                this.error = error;
+            })
             .otherwise(({ message }) => {
                 this.#logger.debug(`Unknown message: ${message}`);
             });
@@ -183,12 +195,18 @@ export class CaptchaStage
         }
 
         if (this.challenge?.interactive) {
+            // Cap renders its own framed widget, so the generic iframe loading shimmer looks like
+            // an extra CAPTCHA box flashing behind it.
+            const isCapChallenge =
+                URL.canParse(this.challenge.jsUrl) && isCapWidgetURL(new URL(this.challenge.jsUrl));
+
             return html`
                 <iframe
                     aria-label=${msg("CAPTCHA challenge")}
                     ${ref(this.iframeRef)}
                     style="height: ${this.iframeHeight}px;"
                     data-ready=${this.#iframeLoaded ? "ready" : "loading"}
+                    data-transparent-loading=${isCapChallenge ? "true" : "false"}
                     class="ak-interactive-challenge"
                     id="ak-captcha"
                 ></iframe>
@@ -306,8 +324,13 @@ export class CaptchaStage
 
         // Then, load the new script...
         const scriptElement = document.createElement("script");
+        const matchedController = Array.from(CaptchaStage.controllers).find((Controller) =>
+            Controller.matchesURL(challengeURL),
+        );
 
         scriptElement.src = challengeURL.toString();
+        scriptElement.type =
+            matchedController?.scriptType === "module" ? "module" : "text/javascript";
         scriptElement.async = true;
         scriptElement.defer = true;
         scriptElement.onload = this.#scriptLoadListener;
@@ -528,6 +551,7 @@ export class CaptchaStage
             challengeURL: challengeURL.toString(),
             theme: this.activeTheme,
             scriptOnLoad: !(controller instanceof TurnstileController),
+            scriptType: controller.scriptType,
         });
 
         if (
diff --git a/web/src/flow/stages/captcha/controllers/CaptchaController.ts b/web/src/flow/stages/captcha/controllers/CaptchaController.ts
index 6da5320f84..6c0c2820d6 100644
--- a/web/src/flow/stages/captcha/controllers/CaptchaController.ts
+++ b/web/src/flow/stages/captcha/controllers/CaptchaController.ts
@@ -28,6 +28,20 @@ export abstract class CaptchaController implements ReactiveController {
         return (this.constructor as typeof CaptchaController).globalName;
     }
 
+    public static readonly scriptType: "classic" | "module" = "classic";
+
+    public get scriptType(): "classic" | "module" {
+        return (this.constructor as typeof CaptchaController).scriptType;
+    }
+
+    public static isAvailable(): boolean {
+        return Object.hasOwn(window, this.globalName);
+    }
+
+    public static matchesURL(_url: URL): boolean {
+        return false;
+    }
+
     /**
      * A prefix for log messages from this controller.
      */
@@ -42,7 +56,7 @@ export abstract class CaptchaController implements ReactiveController {
     ): Array<CaptchaControllerConstructor | undefined> {
         return Array.from(controllerConstructors).filter((Controller) => {
             // Can we find the global for this captcha provider?
-            return Object.hasOwn(window, Controller.globalName);
+            return Controller.isAvailable();
         });
     }
 
@@ -98,6 +112,9 @@ export abstract class CaptchaController implements ReactiveController {
 
 export type CaptchaControllerConstructor = {
     globalName: string;
+    scriptType: "classic" | "module";
+    isAvailable: () => boolean;
+    matchesURL: (url: URL) => boolean;
 } & (new (host: CaptchaHandlerHost) => CaptchaController);
 
 export interface CaptchaHandlerHost extends ReactiveControllerHost {
diff --git a/web/src/flow/stages/captcha/controllers/cap.ts b/web/src/flow/stages/captcha/controllers/cap.ts
new file mode 100644
index 0000000000..47dfaa3f81
--- /dev/null
+++ b/web/src/flow/stages/captcha/controllers/cap.ts
@@ -0,0 +1,61 @@
+import { CaptchaController } from "#flow/stages/captcha/controllers/CaptchaController";
+
+import { html } from "lit";
+
+export function isCapWidgetURL(url: URL): boolean {
+    return url.pathname.includes("cap-widget") || url.pathname.endsWith("/assets/widget.js");
+}
+
+export class CapController extends CaptchaController {
+    public static readonly globalName = "cap-widget";
+
+    public static readonly scriptType = "module";
+
+    public static override isAvailable(): boolean {
+        return customElements.get("cap-widget") !== undefined;
+    }
+
+    public static override matchesURL(url: URL): boolean {
+        return isCapWidgetURL(url);
+    }
+
+    public interactive = () => {
+        const endpoint = this.host.challenge?.siteKey ?? "";
+
+        return html`<div id="ak-container" class="cap-container">
+                <cap-widget
+                    id="ak-cap-widget"
+                    required
+                    data-cap-api-endpoint=${endpoint}
+                ></cap-widget>
+            </div>
+            <script>
+                const widget = document.getElementById("ak-cap-widget");
+
+                widget.addEventListener("solve", (event) => {
+                    callback(event.detail.token);
+                });
+
+                widget.addEventListener("error", (event) => {
+                    self.parent.postMessage({
+                        message: "error",
+                        source: "goauthentik.io",
+                        context: "flow-executor",
+                        error: event.detail.message,
+                    });
+                });
+            </script>`;
+    };
+
+    public refreshInteractive = async () => {
+        this.host.iframeRef.value?.contentWindow?.location.reload();
+    };
+
+    public execute = async () => {
+        throw new Error("Cap requires interactive mode.");
+    };
+
+    public refresh = async () => {
+        throw new Error("Cap requires interactive mode.");
+    };
+}
diff --git a/web/src/flow/stages/captcha/shared.ts b/web/src/flow/stages/captcha/shared.ts
index 5245809e7f..a3613aa421 100644
--- a/web/src/flow/stages/captcha/shared.ts
+++ b/web/src/flow/stages/captcha/shared.ts
@@ -30,6 +30,7 @@ export interface IFrameTemplateInit {
      * Defaults to `true`.
      */
     scriptOnLoad?: boolean;
+    scriptType?: "classic" | "module";
 }
 
 /**
@@ -42,7 +43,7 @@ export interface IFrameTemplateInit {
  */
 export function iframeTemplate(
     children: TemplateResult,
-    { challengeURL, theme, scriptOnLoad = true }: IFrameTemplateInit,
+    { challengeURL, theme, scriptOnLoad = true, scriptType = "classic" }: IFrameTemplateInit,
 ) {
     return createDocumentTemplate({
         head: html`
@@ -75,7 +76,7 @@ export function iframeTemplate(
             <style>
                 html,
                 body {
-                    background: ${ThemeColor[theme]};
+                    background: transparent;
                 }
 
                 body {
@@ -88,15 +89,23 @@ export function iframeTemplate(
                 }
 
                 .g-recaptcha,
-                .h-captcha {
+                .h-captcha,
+                .cap-container {
                     display: flex;
                     align-items: center;
                     justify-content: center;
                 }
+
+                .cap-container {
+                    box-sizing: border-box;
+                    padding-block: 0.5rem;
+                    width: 100%;
+                }
             </style>
             ${children}
             <script
                 ${scriptOnLoad ? 'onload="loadListener()"' : ""}
+                ${scriptType === "module" ? 'type="module"' : ""}
                 src="${challengeURL.toString()}"
             ></script>
         `,
diff --git a/web/src/flow/stages/identification/controllers/CaptchaDisplayController.ts b/web/src/flow/stages/identification/controllers/CaptchaDisplayController.ts
index b77691567d..918db04736 100644
--- a/web/src/flow/stages/identification/controllers/CaptchaDisplayController.ts
+++ b/web/src/flow/stages/identification/controllers/CaptchaDisplayController.ts
@@ -49,6 +49,12 @@ export class CaptchaDisplayController implements ReactiveController {
         const input = this.#inputRef.value;
         if (!input) return;
         input.value = token;
+        // The surrounding identification form only updates its validity when form controls
+        // emit normal input events, so mirror a user's field change after the CAPTCHA solves.
+        input.dispatchEvent(new Event("input", { bubbles: true, composed: true }));
+        input.dispatchEvent(new Event("change", { bubbles: true, composed: true }));
+        this.#loaded = true;
+        this.host.requestUpdate();
     };
 
     public onFailure() {
diff --git a/website/docs/add-secure-apps/flows-stages/stages/captcha/index.md b/website/docs/add-secure-apps/flows-stages/stages/captcha/index.md
index 3f65660a9c..79ef5679e6 100644
--- a/website/docs/add-secure-apps/flows-stages/stages/captcha/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/captcha/index.md
@@ -2,7 +2,7 @@
 title: Captcha stage
 ---
 
-The Captcha stage adds CAPTCHA verification to a flow by using Google reCAPTCHA or compatible alternatives like hCaptcha and Cloudflare Turnstile.
+The Captcha stage adds CAPTCHA verification to a flow by using Google reCAPTCHA or compatible alternatives like hCaptcha, Cloudflare Turnstile, and Cap.
 
 ## Overview
 
@@ -20,6 +20,7 @@ It can either be bound to a flow or embedded inside the [Identification stage](.
 - **Error on invalid score**: show an error immediately when the score is outside the configured threshold. If disabled, the flow continues and policies can inspect the result from context.
 - **JS URL**: JavaScript loader URL for the provider.
 - **API URL**: verification endpoint URL for the provider.
+- **Request content type**: content type used when authentik verifies the CAPTCHA token with the provider.
 
 ## Flow integration
 
@@ -55,6 +56,25 @@ Recommended values:
 
 Score thresholds only apply to hCaptcha Enterprise.
 
+### Cap
+
+Cap is a self-hostable CAPTCHA server that uses proof-of-work challenges.
+
+See https://trycap.dev/guide/.
+
+authentik supports Cap's default widget. The floating widget is not supported.
+
+Recommended values:
+
+- **Public key**: public Cap endpoint for the site key path, for example `https://cap.example.com/site-key/`
+- **Private key**: Cap secret key
+- **Interactive**: enabled
+- **JS URL**: self-hosted Cap widget asset, for example `https://cap.example.com/assets/widget.js`. If you use a CDN, pin a reviewed release such as `https://cdn.jsdelivr.net/npm/cap-widget@<version>` instead of the unversioned package URL. See [Cap releases](https://github.com/tiagozip/cap/releases).
+- **API URL**: Cap verification endpoint, for example `https://cap.example.com/site-key/siteverify`
+- **Request content type**: JSON
+
+Cap does not use score thresholds.
+
 ### Cloudflare Turnstile
 
 See https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha.

From ab1f8a06924f4324efa1cae9c1a02f8d9082a538 Mon Sep 17 00:00:00 2001
From: Connor Peshek <connor@connorpeshek.me>
Date: Thu, 11 Jun 2026 11:20:17 -0500
Subject: [PATCH 66/68] website/integrations: Update nextcloud to support post
 logout redirect uri (#22989)

---
 .../chat-communication-collaboration/nextcloud/index.mdx       | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/website/integrations/chat-communication-collaboration/nextcloud/index.mdx b/website/integrations/chat-communication-collaboration/nextcloud/index.mdx
index 1601cad068..04dbde3697 100644
--- a/website/integrations/chat-communication-collaboration/nextcloud/index.mdx
+++ b/website/integrations/chat-communication-collaboration/nextcloud/index.mdx
@@ -122,7 +122,8 @@ To connect to an existing Nextcloud user, set the `nextcloud_user_id` attribute
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://nextcloud.company/apps/user_oidc/code`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://nextcloud.company/apps/user_oidc/code`.
+        - Add a **Redirect URI** of type `Strict` `Post Logout` as `https://nextcloud.company`.
         - Select any available signing key.
         - Under **Advanced protocol settings**:
             - _(optional)_ If you created the `Nextcloud Profile` scope mapping, add it to **Selected Scopes**.

From 783859d3c87fe0fee108465f00fe3e52c94c57f3 Mon Sep 17 00:00:00 2001
From: Connor Peshek <connor@connorpeshek.me>
Date: Thu, 11 Jun 2026 11:58:23 -0500
Subject: [PATCH 67/68] websites/integrations: specify redirect uri of type
 authorization or post logout (#22981)

* docs/integrations: Update docs to specify redirect uri of type authorization or post logout

* bold redirect uri

* improve wording

* update docs

* add banner for warning of redirect uri's

* Update website/integrations/_redirect-uri-2026-5-note.mdx

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

---------

Signed-off-by: Connor Peshek <connor@connorpeshek.me>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
---
 .../docs/install-config/first-steps/index.mdx |  2 +-
 .../_redirect-uri-2026-5-note.mdx             |  3 +++
 .../affine/index.md                           |  6 +++++-
 .../chatgpt/index.mdx                         |  7 +++++--
 .../espo-crm/index.md                         |  6 +++++-
 .../grommunio/index.md                        |  6 +++++-
 .../hedgedoc/index.md                         |  6 +++++-
 .../kanboard/index.md                         |  6 +++++-
 .../mailcow-logs-viewer/index.md              |  6 +++++-
 .../mailcow/index.md                          |  6 +++++-
 .../mastodon/index.md                         |  6 +++++-
 .../matrix-synapse/index.md                   |  6 +++++-
 .../mattermost-team-edition/index.mdx         |  5 ++++-
 .../mobilizon/index.md                        |  6 +++++-
 .../nextcloud/index.mdx                       |  3 +++
 .../opencloud/index.mdx                       | 21 +++++++++++--------
 .../openproject/index.md                      |  6 +++++-
 .../owncloud/index.md                         | 14 ++++++++-----
 .../planka/index.mdx                          |  6 +++++-
 .../rocketchat/index.md                       |  6 +++++-
 .../roundcube/index.md                        |  6 +++++-
 .../sharepoint-se/index.md                    |  6 +++++-
 .../vikunja/index.mdx                         |  7 +++++--
 .../wekan/index.mdx                           |  6 +++++-
 .../writefreely/index.md                      |  6 +++++-
 .../cloud-providers/aws-classic/index.mdx     |  5 ++++-
 .../cloud-providers/digitalocean/index.md     |  6 +++++-
 .../cloud-providers/oracle-cloud/index.md     |  6 +++++-
 .../integrations/dashboards/dashy/index.md    |  6 +++++-
 .../integrations/dashboards/homarr/index.md   |  6 +++++-
 .../dashboards/linkwarden/index.md            |  6 +++++-
 .../integrations/development/coder/index.md   |  6 +++++-
 .../integrations/development/engomo/index.mdx |  6 +++++-
 .../integrations/development/forgejo/index.md |  6 +++++-
 .../integrations/development/frappe/index.md  |  6 +++++-
 .../integrations/development/gitea/index.md   |  6 +++++-
 .../integrations/development/gitlab/index.mdx |  6 +++++-
 .../development/gravitee/index.md             |  6 +++++-
 .../integrations/development/jenkins/index.md |  6 +++++-
 .../development/node-red/index.md             |  6 +++++-
 .../device-management/apple/index.md          |  6 +++++-
 .../device-management/meshcentral/index.md    |  6 +++++-
 .../omnissa-workspace-one-access/index.md     |  8 +++++--
 .../documentation/bookstack/index.mdx         |  5 ++++-
 .../documentation/dokuwiki/index.md           |  4 ++++
 .../documentation/karakeep/index.md           |  6 +++++-
 .../documentation/kitchenowl/index.md         |  6 +++++-
 .../documentation/mealie/index.md             |  6 +++++-
 .../documentation/netbox/index.md             |  6 +++++-
 .../documentation/outline/index.md            |  6 +++++-
 .../documentation/paperless-ngx/index.mdx     |  6 +++++-
 .../documentation/papra/index.mdx             |  6 +++++-
 .../documentation/tandoor/index.md            |  6 +++++-
 .../documentation/wiki-js/index.md            |  6 +++++-
 .../hypervisors-orchestrators/arcane/index.md |  6 +++++-
 .../portainer/index.md                        |  6 +++++-
 .../proxmox-ve/index.md                       |  6 +++++-
 .../vmware-cloud-director/index.md            |  6 +++++-
 .../vmware-vcenter/index.md                   |  6 +++++-
 .../xen-orchestra/index.md                    |  6 +++++-
 .../infrastructure/apache-guacamole/index.mdx |  5 ++++-
 .../infrastructure/argocd/index.md            |  6 +++++-
 .../infrastructure/harbor/index.md            |  6 +++++-
 .../infrastructure/keycloak/index.mdx         |  5 ++++-
 .../infrastructure/komodo/index.mdx           |  6 +++++-
 .../infrastructure/minio/index.mdx            |  5 ++++-
 .../infrastructure/nexterm/index.md           |  6 +++++-
 .../infrastructure/osticket/index.md          |  6 +++++-
 .../infrastructure/pgadmin/index.md           |  6 +++++-
 .../infrastructure/plesk/index.md             |  6 +++++-
 .../infrastructure/rabbitmq/index.mdx         |  5 ++++-
 .../infrastructure/rustdesk-pro/index.mdx     |  6 +++++-
 .../infrastructure/semaphore/index.mdx        |  6 +++++-
 .../infrastructure/synology-dsm/index.md      |  6 +++++-
 .../infrastructure/termix/index.mdx           |  6 +++++-
 .../infrastructure/terrakube/index.md         |  6 +++++-
 .../infrastructure/zammad/index.md            |  5 ++++-
 .../infrastructure/zendesk/index.mdx          |  5 ++++-
 .../integrations/infrastructure/zot/index.md  |  8 ++++---
 .../learning/absorb-lms/index.mdx             |  5 ++++-
 .../media/audiobookshelf/index.md             |  4 ++++
 website/integrations/media/freshrss/index.mdx |  6 +++++-
 website/integrations/media/immich/index.md    |  6 +++++-
 website/integrations/media/jellyfin/index.md  |  6 +++++-
 website/integrations/media/komga/index.md     |  6 +++++-
 website/integrations/media/miniflux/index.md  |  6 +++++-
 .../integrations/media/photoprism/index.md    |  6 +++++-
 website/integrations/media/seafile/index.md   |  6 +++++-
 website/integrations/media/seerr/index.md     |  6 +++++-
 .../miscellaneous/actual-budget/index.mdx     |  5 ++++-
 .../miscellaneous/adventurelog/index.mdx      |  6 +++++-
 .../miscellaneous/ezbookkeeping/index.mdx     |  5 ++++-
 .../miscellaneous/filerise/index.mdx          |  6 +++++-
 .../miscellaneous/home-assistant/index.md     |  8 +++++--
 .../miscellaneous/open-webui/index.md         |  6 +++++-
 .../miscellaneous/wallos/index.mdx            |  6 +++++-
 .../miscellaneous/zipline/index.md            |  6 +++++-
 .../integrations/monitoring/beszel/index.mdx  |  6 +++++-
 .../monitoring/chronograf/index.mdx           |  6 +++++-
 .../integrations/monitoring/gatus/index.mdx   |  6 +++++-
 .../monitoring/glitchtip/index.md             |  6 +++++-
 .../integrations/monitoring/grafana/index.mdx |  6 +++++-
 .../integrations/monitoring/icinga/index.md   |  6 +++++-
 .../monitoring/observium/index.md             |  6 +++++-
 .../integrations/monitoring/pulse/index.md    |  6 +++++-
 .../monitoring/ubuntu-landscape/index.md      |  6 +++++-
 .../monitoring/whats-up-docker/index.md       |  6 +++++-
 .../integrations/networking/firezone/index.md |  6 +++++-
 .../integrations/networking/gravity/index.md  |  6 +++++-
 .../networking/headscale/index.md             |  6 +++++-
 .../integrations/networking/hoop.dev/index.md |  6 +++++-
 .../integrations/networking/netbird/index.mdx |  9 +++++---
 .../networking/pangolin/index.mdx             |  8 +++++--
 .../networking/tailscale/index.md             |  6 +++++-
 .../networking/technitium/index.md            |  6 +++++-
 .../integrations/platforms/budibase/index.md  |  6 +++++-
 .../integrations/platforms/drupal/index.md    |  6 +++++-
 .../integrations/platforms/personio/index.md  |  6 +++++-
 .../platforms/pocketbase/index.md             |  6 +++++-
 .../integrations/platforms/wordpress/index.md |  6 +++++-
 .../integrations/security/1password/index.mdx |  6 +++++-
 .../integrations/security/bitwarden/index.mdx | 15 +++++++------
 .../security/cloudflare-access/index.md       |  6 +++++-
 .../security/hashicorp-vault/index.md         |  6 +++++-
 .../security/vaultwarden/index.md             |  6 +++++-
 .../integrations/security/xcreds/index.mdx    |  6 +++++-
 126 files changed, 627 insertions(+), 148 deletions(-)
 create mode 100644 website/integrations/_redirect-uri-2026-5-note.mdx

diff --git a/website/docs/install-config/first-steps/index.mdx b/website/docs/install-config/first-steps/index.mdx
index 25f0f1e0ed..e07e6d0ffe 100644
--- a/website/docs/install-config/first-steps/index.mdx
+++ b/website/docs/install-config/first-steps/index.mdx
@@ -102,7 +102,7 @@ Every application that you add to authentik requires a provider, which is used t
           authorization, etc.
     - **Protocol settings**: provide the following required configurations:
         - Note the **Client ID**, **Client Secret**, and **Slug** values because they will be required later when you configure Grafana to use authentik.
-        - Set the **Redirect URI** as a `Strict` redirect to `https://grafana.company/login/generic_oauth`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://grafana.company/login/generic_oauth`.
             - <strong className="tip">TIP</strong>: The Redirect URI is where a user is directed to,
               as soon as authentik's authorization flow is successfully completed.
     - **Grant Types** (required): Select at least one [grant type](../../add-secure-apps/providers/oauth2/#oauth-20-flows-and-grant-types) that the provider can use.
diff --git a/website/integrations/_redirect-uri-2026-5-note.mdx b/website/integrations/_redirect-uri-2026-5-note.mdx
new file mode 100644
index 0000000000..309aa5dc3f
--- /dev/null
+++ b/website/integrations/_redirect-uri-2026-5-note.mdx
@@ -0,0 +1,3 @@
+:::info Redirect URI changes in authentik 2026.5
+In authentik versions earlier than 2026.5, all **Redirect URIs** are automatically treated as `Authorization` type. If you are using one of these older authentik versions, add only the `Authorization` URL to your **Redirect URIs** and do not configure a `Post Logout` URI.
+:::
diff --git a/website/integrations/chat-communication-collaboration/affine/index.md b/website/integrations/chat-communication-collaboration/affine/index.md
index 62d37b65e3..260489d9b8 100644
--- a/website/integrations/chat-communication-collaboration/affine/index.md
+++ b/website/integrations/chat-communication-collaboration/affine/index.md
@@ -4,6 +4,8 @@ sidebar_label: AFFiNE
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is AFFiNE?
 
 > AFFiNE is an open-source, self-hostable workspace for documents, whiteboards, and databases.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of AFFiNE with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of AFFiNE with authentik, you need to create an appli
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Add one `Strict` redirect URI and set it to `https://affine.company/oauth/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://affine.company/oauth/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/chat-communication-collaboration/chatgpt/index.mdx b/website/integrations/chat-communication-collaboration/chatgpt/index.mdx
index 8108314f42..427cccdcd9 100644
--- a/website/integrations/chat-communication-collaboration/chatgpt/index.mdx
+++ b/website/integrations/chat-communication-collaboration/chatgpt/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: ChatGPT
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -38,6 +39,8 @@ You can configure ChatGPT to use either OIDC or SAML; this guide explains both o
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of ChatGPT with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -48,7 +51,7 @@ To support the integration of ChatGPT with authentik, you need to create an appl
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Temporarily set a `Strict` redirect URI to `https://temp.temp`.
+        - Temporarily add a **Redirect URI** of type `Strict` `Authorization` as `https://temp.temp`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
@@ -77,7 +80,7 @@ ChatGPT only enables the **Manage SSO** wizard after you verify ownership of you
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Providers** and click the **Edit** icon of the newly created ChatGPT provider.
-3. Under **Protocol settings**, set the **Redirect URIs** to the **Login redirect URI** from ChatGPT.
+3. Under **Protocol settings**, add a **Redirect URI** of type `Strict` `Authorization` as the **Login redirect URI** value from ChatGPT.
 4. Click **Update**.
 
 </TabItem>
diff --git a/website/integrations/chat-communication-collaboration/espo-crm/index.md b/website/integrations/chat-communication-collaboration/espo-crm/index.md
index f497fdb616..072cab9d27 100644
--- a/website/integrations/chat-communication-collaboration/espo-crm/index.md
+++ b/website/integrations/chat-communication-collaboration/espo-crm/index.md
@@ -4,6 +4,8 @@ sidebar_label: EspoCRM
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is EspoCRM?
 
 > EspoCRM is a CRM (customer relationship management) web application that allows users to store, visualize, and analyze their company's business-related relationships such as opportunities, people, businesses, and projects.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of EspoCRM with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -37,7 +41,7 @@ To support the integration of EspoCRM with authentik, you need to create an appl
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://espocrm.company/oauth-callback.php`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://espocrm.company/oauth-callback.php`.
         - Select any available signing key.
         - Under **Advanced protocol settings**, set **Subject mode** to **Based on the User's username**.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/chat-communication-collaboration/grommunio/index.md b/website/integrations/chat-communication-collaboration/grommunio/index.md
index 3671d94f37..052a2a2eb9 100644
--- a/website/integrations/chat-communication-collaboration/grommunio/index.md
+++ b/website/integrations/chat-communication-collaboration/grommunio/index.md
@@ -4,6 +4,8 @@ sidebar_label: grommunio
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 <!-- spellchecker:ignore gromox -->
 
 ## What is grommunio?
@@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To integrate authentik with grommunio, you will need to create an application and provider pair in authentik.
 
 :::info Keycloak-compatible endpoints
@@ -39,7 +43,7 @@ grommunio-web expects Keycloak-compatible OIDC endpoints. Because authentik does
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name, the authorization flow to use, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://grommunio.company/web`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://grommunio.company/web`.
         - Set **Signing Key** to an available RSA key.
         - Under **Advanced protocol settings**:
             - Add the `authentik default OAuth Mapping: OpenID 'offline_access'` scope to **Selected Scopes**.
diff --git a/website/integrations/chat-communication-collaboration/hedgedoc/index.md b/website/integrations/chat-communication-collaboration/hedgedoc/index.md
index b4e41f8dab..50883c1ca1 100644
--- a/website/integrations/chat-communication-collaboration/hedgedoc/index.md
+++ b/website/integrations/chat-communication-collaboration/hedgedoc/index.md
@@ -4,6 +4,8 @@ sidebar_label: HedgeDoc
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is HedgeDoc?
 
 > HedgeDoc lets you create real-time collaborative markdown notes.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of HedgeDoc with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of HedgeDoc with authentik, you need to create an app
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://hedgedoc.company/auth/oauth2/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://hedgedoc.company/auth/oauth2/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 3. Click **Submit** to save the new application and provider.
diff --git a/website/integrations/chat-communication-collaboration/kanboard/index.md b/website/integrations/chat-communication-collaboration/kanboard/index.md
index b204eca231..389713f351 100644
--- a/website/integrations/chat-communication-collaboration/kanboard/index.md
+++ b/website/integrations/chat-communication-collaboration/kanboard/index.md
@@ -4,6 +4,8 @@ sidebar_label: Kanboard
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Kanboard?
 
 > Kanboard is a free and open source Kanban project management software.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Kanboard with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Kanboard with authentik, you need to create an app
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://kanboard.company/oauth/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://kanboard.company/oauth/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/chat-communication-collaboration/mailcow-logs-viewer/index.md b/website/integrations/chat-communication-collaboration/mailcow-logs-viewer/index.md
index 609173069d..9f30192c53 100644
--- a/website/integrations/chat-communication-collaboration/mailcow-logs-viewer/index.md
+++ b/website/integrations/chat-communication-collaboration/mailcow-logs-viewer/index.md
@@ -4,6 +4,8 @@ sidebar_label: mailcow Logs Viewer
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is mailcow Logs Viewer?
 
 > A modern, self-hosted dashboard for monitoring, analyzing, and managing your mailcow mail server. Track email delivery, investigate spam, manage quarantine, detect bounce-based abuse, and validate DNS configurations, all from a single interface.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of mailcow Logs Viewer with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of mailcow Logs Viewer with authentik, you need to cr
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **application slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://mailcow-logs-viewer.company/api/auth/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mailcow-logs-viewer.company/api/auth/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/chat-communication-collaboration/mailcow/index.md b/website/integrations/chat-communication-collaboration/mailcow/index.md
index d5fe636eb3..1fcdc73dc4 100644
--- a/website/integrations/chat-communication-collaboration/mailcow/index.md
+++ b/website/integrations/chat-communication-collaboration/mailcow/index.md
@@ -4,6 +4,8 @@ sidebar_label: mailcow
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is mailcow?
 
 > mailcow is a Dockerized, open-source groupware and email suite based on Docker. It relies on many well-known and long-used components, which, when combined, result in a comprehensive email server solution.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of mailcow with authentik, you need to create a property mapping, set the `email_verified` attribute on required users, and create an application/provider pair in authentik.
 
 ### Create a property mapping
@@ -56,7 +60,7 @@ Repeat these steps for all users that need to use the Mailcow integration.
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://mailcow.company`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mailcow.company`.
         - Select any available signing key.
         - Under **Advanced protocol settings**:
             - Remove the `authentik default OAuth Mapping: OpenID 'email'` scope from **Selected Scopes**.
diff --git a/website/integrations/chat-communication-collaboration/mastodon/index.md b/website/integrations/chat-communication-collaboration/mastodon/index.md
index 61aaa6c24b..6b2a6589e8 100644
--- a/website/integrations/chat-communication-collaboration/mastodon/index.md
+++ b/website/integrations/chat-communication-collaboration/mastodon/index.md
@@ -4,6 +4,8 @@ sidebar_label: Mastodon
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Mastodon?
 
 > Mastodon is free and open-source software for running self-hosted social networking services. It has microblogging features similar to Twitter
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Mastodon with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Mastodon with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://mastodon.company/auth/auth/openid_connect/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mastodon.company/auth/auth/openid_connect/callback`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/chat-communication-collaboration/matrix-synapse/index.md b/website/integrations/chat-communication-collaboration/matrix-synapse/index.md
index d57e7f6b50..1d79d8ac53 100644
--- a/website/integrations/chat-communication-collaboration/matrix-synapse/index.md
+++ b/website/integrations/chat-communication-collaboration/matrix-synapse/index.md
@@ -4,6 +4,8 @@ sidebar_label: Matrix Synapse
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Matrix Synapse?
 
 > Matrix is an open source project that publishes the Matrix open standard for secure, decentralized, real-time communication, and its Apache licensed reference implementations.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Matrix Synapse with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Matrix Synapse with authentik, you need to create
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://matrix.company/_synapse/client/oidc/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://matrix.company/_synapse/client/oidc/callback`.
     - Select any available RSA signing key. Matrix Synapse doesn't support ECC keys.
     - Do not set an encryption key because this is not supported by Matrix Synapse.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx b/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx
index 3311917e88..6ac90c4476 100644
--- a/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx
+++ b/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: Mattermost Team Edition
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -45,6 +46,8 @@ Once configured, Mattermost will display a login button with the GitLab icon, bu
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Mattermost Team Edition with authentik, you need to create property mappings and an application/provider pair in authentik.
 
 ### Create property mappings
@@ -84,7 +87,7 @@ The following `id` property mapping is optional. If omitted, Mattermost will gen
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://mattermost.company/signup/gitlab/complete`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mattermost.company/signup/gitlab/complete`.
         - Select any available signing key.
         - Under **Advanced protocol settings**, add the scopes you just created to the list of selected scopes.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/chat-communication-collaboration/mobilizon/index.md b/website/integrations/chat-communication-collaboration/mobilizon/index.md
index 51fb0c597f..f3a190d6fe 100644
--- a/website/integrations/chat-communication-collaboration/mobilizon/index.md
+++ b/website/integrations/chat-communication-collaboration/mobilizon/index.md
@@ -4,6 +4,8 @@ sidebar_label: Mobilizon
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Mobilizon?
 
 > Gather, organize and mobilize yourselves with a convivial, ethical, and emancipating tool. https://joinmobilizon.org
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Mobilizon with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Mobilizon with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://mobilizon.company/auth/keycloak/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mobilizon.company/auth/keycloak/callback`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/chat-communication-collaboration/nextcloud/index.mdx b/website/integrations/chat-communication-collaboration/nextcloud/index.mdx
index 04dbde3697..476f1b7e38 100644
--- a/website/integrations/chat-communication-collaboration/nextcloud/index.mdx
+++ b/website/integrations/chat-communication-collaboration/nextcloud/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: Nextcloud
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";
 
 ## What is Nextcloud?
@@ -116,6 +117,8 @@ To connect to an existing Nextcloud user, set the `nextcloud_user_id` attribute
 
 ## Create an application and provider in authentik
 
+<RedirectURI20265Note />
+
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
     - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx
index 9fcfc14a12..f082bd73df 100644
--- a/website/integrations/chat-communication-collaboration/opencloud/index.mdx
+++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: OpenCloud
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
 
@@ -35,6 +36,8 @@ Choose your setup below. The **Web only** tab logs in through the browser. The *
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 1. Log in to authentik as an administrator and open the Admin interface.
 2. Navigate to **Applications** > **Applications** and click **New Application**.
     - **Application**: provide a name and note the **slug**.
@@ -43,9 +46,9 @@ Choose your setup below. The **Web only** tab logs in through the browser. The *
         - **Client type**: `Public`
         - **Client ID**: `web`
         - **Redirect URIs**:
-            - Strict: `https://opencloud.company/oidc-callback.html`
-            - Strict: `https://opencloud.company/oidc-silent-redirect.html`
-            - Strict: `https://opencloud.company/`
+            - `Strict` `Authorization`: `https://opencloud.company/oidc-callback.html`
+            - `Strict` `Authorization`: `https://opencloud.company/oidc-silent-redirect.html`
+            - `Strict` `Authorization`: `https://opencloud.company/`
         - **Signing Key**: select any available key.
         - **Scopes**: `openid`, `profile`, `email`.
 3. Click **Submit**.
@@ -112,12 +115,12 @@ With GLOBAL issuer mode enabled, tokens use an issuer of `iss = https://authenti
 
 Repeat these steps for **each** of the four clients (Web, Desktop, Android, and iOS), using the per-client values from the table below.
 
-| Client  | Client ID          | Redirect URIs                                                                               |
-| ------- | ------------------ | ------------------------------------------------------------------------------------------- |
-| Web     | `web`              | Strict: `https://opencloud.company/oidc-callback.html`, `…/oidc-silent-redirect.html`, `…/` |
-| Desktop | `OpenCloudDesktop` | Regex: `http://127.0.0.1(:[0-9]+)?(/.*)?` and `http://localhost(:[0-9]+)?(/.*)?`            |
-| Android | `OpenCloudAndroid` | Strict: `oc://android.opencloud.eu`                                                         |
-| iOS     | `OpenCloudIOS`     | Strict: `oc://ios.opencloud.eu`                                                             |
+| Client  | Client ID          | Redirect URIs                                                                                                 |
+| ------- | ------------------ | ------------------------------------------------------------------------------------------------------------- |
+| Web     | `web`              | `Strict` `Authorization`: `https://opencloud.company/oidc-callback.html`, `…/oidc-silent-redirect.html`, `…/` |
+| Desktop | `OpenCloudDesktop` | `Regex` `Authorization`: `http://127.0.0.1(:[0-9]+)?(/.*)?` and `http://localhost(:[0-9]+)?(/.*)?`            |
+| Android | `OpenCloudAndroid` | `Strict` `Authorization`: `oc://android.opencloud.eu`                                                         |
+| iOS     | `OpenCloudIOS`     | `Strict` `Authorization`: `oc://ios.opencloud.eu`                                                             |
 
 1. Log in to authentik as an administrator and open the Admin interface.
 2. Navigate to **Applications** > **Applications** and click **New Application**.
diff --git a/website/integrations/chat-communication-collaboration/openproject/index.md b/website/integrations/chat-communication-collaboration/openproject/index.md
index 810faadcb7..5fa39a36f0 100644
--- a/website/integrations/chat-communication-collaboration/openproject/index.md
+++ b/website/integrations/chat-communication-collaboration/openproject/index.md
@@ -4,6 +4,8 @@ sidebar_label: OpenProject
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is OpenProject?
 
 > OpenProject is a web-based project management software. Use OpenProject to manage your projects, tasks and goals. Collaborate via work packages and link them to your pull requests on GitHub.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of OpenProject with authentik, you need to create a property mapping and an application/provider pair in authentik.
 
 ### Create a scope mapping
@@ -61,7 +65,7 @@ OpenProject requires a first and last name for each user. By default authentik o
     - **Protocol settings**:
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
         - **Redirect URI**:
-            - Strict: `https://openproject.company/auth/oidc-authentik/callback`
+            - `Strict` `Authorization`: `https://openproject.company/auth/oidc-authentik/callback`
         - **Signing key**: select any available signing key.
     - **Advanced protocol settings**:
         - **Scopes**:
diff --git a/website/integrations/chat-communication-collaboration/owncloud/index.md b/website/integrations/chat-communication-collaboration/owncloud/index.md
index 3fe9e17576..2ffe8b378d 100644
--- a/website/integrations/chat-communication-collaboration/owncloud/index.md
+++ b/website/integrations/chat-communication-collaboration/owncloud/index.md
@@ -4,6 +4,8 @@ sidebar_label: ownCloud
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is ownCloud?
 
 > ownCloud is a free and open-source software project for content collaboration and sharing and syncing of files.
@@ -23,6 +25,8 @@ This guide focuses on deploying ownCloud installations using Docker. If you depl
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of ownCloud with authentik, you need to create multiple application/provider pairs in authentik. A different pair is required for the Web UI, Desktop application, Android application, and iOS application.
 
 The configuration for each application is nearly identical, except for the **Client ID**, **Client Secret**, and the **Redirect URI** values, which are [predefined](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-ids-secrets-and-redirect-uris) by ownCloud for the Desktop, Android, and iOS applications.
@@ -43,29 +47,29 @@ The configuration for each application is nearly identical, except for the **Cli
         - **Client ID**: Use the value generated by authentik.
         - **Client Secret**: Use the value generated by authentik.
         - **Redirect URIs**:
-            - Strict: `https://owncloud.company/apps/openidconnect/redirect`
+            - `Strict` `Authorization`: `https://owncloud.company/apps/openidconnect/redirect`
 
         **Desktop Application**
         - **Signing Key**: Select any available signing key.
         - **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id).
         - **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
         - **Redirect URIs**:
-            - Regex: `http://localhost:\d+`
-            - Regex: `http://127.0.0.1:\d+`
+            - `Regex` `Authorization`: `http://localhost:\d+`
+            - `Regex` `Authorization`: `http://127.0.0.1:\d+`
 
         **Android Application**
         - **Signing Key**: Select any available signing key.
         - **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id).
         - **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
         - **Redirect URI**:
-            - Strict: `oc://android.owncloud.com`
+            - `Strict` `Authorization`: `oc://android.owncloud.com`
 
         **iOS Application**
         - **Signing Key**: Select any available signing key.
         - **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id).
         - **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
         - **Redirect URI**:
-            - Strict: `oc://ios.owncloud.com`
+            - `Strict` `Authorization`: `oc://ios.owncloud.com`
 
     - **Advanced protocol settings:**
         - **Scopes**: Select the following scopes for each of the four application/provider pairs: `email`, `offline_access`, `openid`, `profile`.
diff --git a/website/integrations/chat-communication-collaboration/planka/index.mdx b/website/integrations/chat-communication-collaboration/planka/index.mdx
index 3cb8a3938c..184f8fb23a 100644
--- a/website/integrations/chat-communication-collaboration/planka/index.mdx
+++ b/website/integrations/chat-communication-collaboration/planka/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: Planka
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Planka?
 
 > Planka is an open-source, Trello-like application with a Kanban board system, used for project management.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Planka with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Planka with authentik, you need to create an appli
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://planka.company/oidc-callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://planka.company/oidc-callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/chat-communication-collaboration/rocketchat/index.md b/website/integrations/chat-communication-collaboration/rocketchat/index.md
index ec6b751bc9..eb4dc1657f 100644
--- a/website/integrations/chat-communication-collaboration/rocketchat/index.md
+++ b/website/integrations/chat-communication-collaboration/rocketchat/index.md
@@ -4,6 +4,8 @@ sidebar_label: Rocket.chat
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Rocket.chat?
 
 > Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript for organizations with high standards of data protection. It is licensed under the MIT License with some other licenses mixed in. See [Rocket.chat GitHub](https://github.com/RocketChat/Rocket.Chat/blob/develop/LICENSE) for licensing information.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Rocket.chat with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Rocket.chat with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://rocket.company/\_oauth/authentik`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://rocket.company/\_oauth/authentik`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/chat-communication-collaboration/roundcube/index.md b/website/integrations/chat-communication-collaboration/roundcube/index.md
index 16ea18ad68..a87f28148e 100644
--- a/website/integrations/chat-communication-collaboration/roundcube/index.md
+++ b/website/integrations/chat-communication-collaboration/roundcube/index.md
@@ -4,6 +4,8 @@ sidebar_label: Roundcube
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Roundcube?
 
 > Roundcube is a browser-based multilingual IMAP client with an application-like user interface. It provides the full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking.
@@ -29,6 +31,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Roundcube with authentik, you need to create an application/provider pair in authentik.
 
 ### Create property mappings
@@ -59,7 +63,7 @@ To support the integration of Roundcube with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://roundcube.company/index.php?\_task=settings&\_action=plugin.oauth_redirect`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://roundcube.company/index.php?\_task=settings&\_action=plugin.oauth_redirect`.
     - Select any available signing key.
     - Under **Advanced protocol settings**:
         - Under **Scopes**, add `dovecotprofile` and `authentik default OAuth Mapping: OpenID 'offline_access'` to the list of selected scopes.
diff --git a/website/integrations/chat-communication-collaboration/sharepoint-se/index.md b/website/integrations/chat-communication-collaboration/sharepoint-se/index.md
index b10ca7489b..8f1ecac453 100644
--- a/website/integrations/chat-communication-collaboration/sharepoint-se/index.md
+++ b/website/integrations/chat-communication-collaboration/sharepoint-se/index.md
@@ -4,6 +4,8 @@ sidebar_label: SharePoint Server SE
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Microsoft SharePoint?
 
 > SharePoint is a proprietary, web-based collaborative platform that integrates natively with Microsoft 365.
@@ -66,6 +68,8 @@ These guidelines use the following placeholders for the overall setup:
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 ### Step 1: Create authentik OpenID property mappings
 
 SharePoint requires additional properties within the OpenID and profile scopes in order to operate OIDC properly and map incoming authentik OID claims with Microsoft claims.
@@ -140,7 +144,7 @@ From the authentik Admin Dashboard:
       :::info
       use the explicit flow if user consents are required
       :::
-    - **Redirect URIs / Origins**: `auth.providerRedirectURI`
+    - **Redirect URIs / Origins** (`Strict` `Authorization`): `auth.providerRedirectURI`
     - **Signing Key**: authentik Self-signed Certificate
       :::info
       The certificate is used for signing JWT tokens; if you change it after the integration do not forget to update your SharePoint Trusted Certificate.
diff --git a/website/integrations/chat-communication-collaboration/vikunja/index.mdx b/website/integrations/chat-communication-collaboration/vikunja/index.mdx
index ffc336152c..8d528ffe16 100644
--- a/website/integrations/chat-communication-collaboration/vikunja/index.mdx
+++ b/website/integrations/chat-communication-collaboration/vikunja/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: Vikunja
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
 
@@ -31,6 +32,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Vikunja with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -41,8 +44,8 @@ To support the integration of Vikunja with authentik, you need to create an appl
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - For web login, set a `Strict` redirect URI to `https://vikunja.company/auth/openid/authentik`.
-        - If using the Vikunja desktop client, add a `Regex` redirect URI such as `^http://127\\.0\\.0\\.1:[0-9]+/auth/openid/authentik$` to allow loopback redirects to `127.0.0.1`.
+        - For web login, add a **Redirect URI** of type `Strict` `Authorization` as `https://vikunja.company/auth/openid/authentik`.
+        - If using the Vikunja desktop client, add a **Redirect URI** of type `Regex` `Authorization` such as `^http://127\\.0\\.0\\.1:[0-9]+/auth/openid/authentik$` to allow loopback redirects to `127.0.0.1`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 3. Click **Submit** to save the new application and provider.
diff --git a/website/integrations/chat-communication-collaboration/wekan/index.mdx b/website/integrations/chat-communication-collaboration/wekan/index.mdx
index bc3c91a631..008d8557bf 100644
--- a/website/integrations/chat-communication-collaboration/wekan/index.mdx
+++ b/website/integrations/chat-communication-collaboration/wekan/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: Wekan
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Wekan?
 
 > Wekan is an open-source kanban board which allows a card-based task and to-do management.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Wekan with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Wekan with authentik, you need to create an applic
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://wekan.company/_oauth/oidc`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://wekan.company/_oauth/oidc`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/chat-communication-collaboration/writefreely/index.md b/website/integrations/chat-communication-collaboration/writefreely/index.md
index 435217e1f9..180e536ddd 100644
--- a/website/integrations/chat-communication-collaboration/writefreely/index.md
+++ b/website/integrations/chat-communication-collaboration/writefreely/index.md
@@ -4,6 +4,8 @@ sidebar_label: Writefreely
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Writefreely?
 
 > An open source platform for building a writing space on the web.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Writefreely with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Writefreely with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://writefreely.company/oauth/callback/generic`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://writefreely.company/oauth/callback/generic`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/cloud-providers/aws-classic/index.mdx b/website/integrations/cloud-providers/aws-classic/index.mdx
index 21a3c348a8..6838258512 100644
--- a/website/integrations/cloud-providers/aws-classic/index.mdx
+++ b/website/integrations/cloud-providers/aws-classic/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: Amazon Web Services (Classic IAM)
 support_level: authentik
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -44,6 +45,8 @@ SCIM Provisioning is only supported in conjunction with [IAM Identity Center](..
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of AWS with authentik via the Classic IAM method, you need to create two property mappings, an application/provider pair, and application entitlements for the AWS roles that users can assume.
 
 ### Create property mappings
@@ -273,7 +276,7 @@ To support the integration of AWS with authentik using OIDC, you need to create
     - **Choose a Provider type**: Select OAuth2/OpenID Provider as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to match the AWS resource that you want to access via OIDC.
+        - Add a **Redirect URI** of type `Strict` `Authorization` that matches the AWS resource that you want to access via OIDC.
         - Select any available signing key.
         - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/cloud-providers/digitalocean/index.md b/website/integrations/cloud-providers/digitalocean/index.md
index 12fb4abfd6..a0b6dbacd8 100644
--- a/website/integrations/cloud-providers/digitalocean/index.md
+++ b/website/integrations/cloud-providers/digitalocean/index.md
@@ -4,6 +4,8 @@ sidebar_label: DigitalOcean
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is DigitalOcean?
 
 > DigitalOcean is a cloud infrastructure provider that offers developers simple, scalable virtual servers (droplets), managed databases, and other cloud services to deploy and manage applications efficiently.
@@ -22,6 +24,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of DigitalOcean with authentik, you need to create a scope mapping, an application/provider pair, and application entitlements for the DigitalOcean roles that users should receive.
 
 ### Create a scope mapping
@@ -72,7 +76,7 @@ To support the integration of DigitalOcean with authentik, you need to create a
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://cloud.digitalocean.com/sessions/sso/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://cloud.digitalocean.com/sessions/sso/callback`.
         - Select any available signing key.
         - Under **Advanced protocol settings**:
             - Add the `profile` scope created in the previous section. Do not remove authentik’s `authentik default OAuth Mapping: OpenID 'profile'`, as claims such as `name` are required by DigitalOcean.
diff --git a/website/integrations/cloud-providers/oracle-cloud/index.md b/website/integrations/cloud-providers/oracle-cloud/index.md
index 70ba59ce8b..2eb4bea93e 100644
--- a/website/integrations/cloud-providers/oracle-cloud/index.md
+++ b/website/integrations/cloud-providers/oracle-cloud/index.md
@@ -4,6 +4,8 @@ sidebar_label: Oracle Cloud
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Oracle Cloud?
 
 > Oracle Cloud is the first public cloud built from the ground up to be a better cloud for every application. By rethinking core engineering and systems design for cloud computing, we created innovations that accelerate migrations, deliver better reliability and performance for all applications, and offer the complete services customers need to build innovative cloud applications.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Oracle Cloud with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -35,7 +39,7 @@ To support the integration of Oracle Cloud with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://tenant.identity.oraclecloud.com/oauth2/v1/social/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://tenant.identity.oraclecloud.com/oauth2/v1/social/callback`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/dashboards/dashy/index.md b/website/integrations/dashboards/dashy/index.md
index 382d70586f..580e689017 100644
--- a/website/integrations/dashboards/dashy/index.md
+++ b/website/integrations/dashboards/dashy/index.md
@@ -4,6 +4,8 @@ sidebar_label: Dashy
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Dashy?
 
 > Dashy is a self-hostable personal dashboard built for you. Includes status-checking, widgets, themes, icon packs, a UI editor and tons more.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Dashy with authentik, you need to create an application/provider pair in authentik.
 
 If you want to manage Dashy administrator access through authentik, create or choose a group for Dashy administrators and add the appropriate users to it. Note the exact group name because it will be required later.
@@ -36,7 +40,7 @@ If you want to manage Dashy administrator access through authentik, create or ch
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **slug** values because they will be required later.
         - Set the **Client type** to `Public`. Dashy runs entirely in the browser and does not store a client secret.
-        - Create two `Strict` redirect URIs:
+        - Add two **Redirect URIs** of type `Strict` `Authorization`:
             - `https://dashy.company`
             - `https://dashy.company/`
         - Select any available signing key.
diff --git a/website/integrations/dashboards/homarr/index.md b/website/integrations/dashboards/homarr/index.md
index 0005de3bcc..550e93b9e8 100644
--- a/website/integrations/dashboards/homarr/index.md
+++ b/website/integrations/dashboards/homarr/index.md
@@ -4,6 +4,8 @@ sidebar_label: Homarr
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Homarr?
 
 > A sleek, modern dashboard that puts all of your apps and services at your fingertips. Control everything in one convenient location. Seamlessly integrates with the apps you've added, providing you with valuable information.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Homarr with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Homarr with authentik, you need to create an appli
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Create two `Strict` redirect URIs: `https://homarr.company/api/auth/callback/oidc` and `http://localhost:50575/api/auth/callback/oidc`.
+    - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://homarr.company/api/auth/callback/oidc` and `http://localhost:50575/api/auth/callback/oidc`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/dashboards/linkwarden/index.md b/website/integrations/dashboards/linkwarden/index.md
index 60cffdfc14..73d572ed29 100644
--- a/website/integrations/dashboards/linkwarden/index.md
+++ b/website/integrations/dashboards/linkwarden/index.md
@@ -4,6 +4,8 @@ sidebar_label: Linkwarden
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Linkwarden?
 
 > Linkwarden is an open-source collaborative bookmark manager used to collect, organize, and preserve webpages.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Linkwarden with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Linkwarden with authentik, you need to create an a
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://linkwarden.company/api/v1/auth/callback/authentik`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://linkwarden.company/api/v1/auth/callback/authentik`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/development/coder/index.md b/website/integrations/development/coder/index.md
index a0d75d89eb..94570c3081 100644
--- a/website/integrations/development/coder/index.md
+++ b/website/integrations/development/coder/index.md
@@ -4,6 +4,8 @@ sidebar_label: Coder
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Coder?
 
 > Coder is an open-source platform that provides browser-based cloud development environments, enabling developers and teams to securely write, edit, and manage code remotely without the need for local setup.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Coder with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Coder with authentik, you need to create an applic
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://coder.company/api/v2/users/oidc/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://coder.company/api/v2/users/oidc/callback`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/development/engomo/index.mdx b/website/integrations/development/engomo/index.mdx
index d9cedfb59f..c8f3967bf3 100644
--- a/website/integrations/development/engomo/index.mdx
+++ b/website/integrations/development/engomo/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: engomo
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is engomo?
 
 > engomo is a low-code app development platform to create enterprise apps for smartphones and tablets based on Android, iOS, or iPadOS.
@@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Engomo with authentik, you need to create an application/provider pair in authentik.
 
 ### Create property mappings
@@ -46,7 +50,7 @@ To support the integration of Engomo with authentik, you need to create an appli
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID** and **slug** values because they will be required later.
     - Set the **Client type** to `Public`.
-    - Add two `Strict` redirect URIs and set them to `https://engomo.company/auth` and `com.engomo.engomo://callback/`.
+    - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://engomo.company/auth` and `com.engomo.engomo://callback/`.
     - Select any available signing key.
     - Under **Advanced protocol settings**, add the scope you just created to the list of available scopes.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/development/forgejo/index.md b/website/integrations/development/forgejo/index.md
index a29b10f261..df34aa3bf3 100644
--- a/website/integrations/development/forgejo/index.md
+++ b/website/integrations/development/forgejo/index.md
@@ -4,6 +4,8 @@ sidebar_label: Forgejo
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Forgejo?
 
 > Forgejo is a lightweight, self‑hosted alternative to GitHub/GitLab, with a strong emphasis on community governance and open development.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Forgejo with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Forgejo with authentik, you need to create an appl
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://<forgejo.company>/user/oauth2/authentik/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://<forgejo.company>/user/oauth2/authentik/callback`.
         - Select any available signing key.
         - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/development/frappe/index.md b/website/integrations/development/frappe/index.md
index e5664a78a1..b893d8de94 100644
--- a/website/integrations/development/frappe/index.md
+++ b/website/integrations/development/frappe/index.md
@@ -4,6 +4,8 @@ sidebar_label: Frappe
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 :::info
 These instructions apply to all projects in the Frappe Family, including ERPNext.
 :::
@@ -28,6 +30,8 @@ This documentation only lists the settings that have been changed from their def
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Frappe with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -39,7 +43,7 @@ To support the integration of Frappe with authentik, you need to create an appli
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/<provider-name>`. Replace `<provider-name>` with the name of the provider in Frappe.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/<provider-name>`. Replace `<provider-name>` with the name of the provider in Frappe.
     - Select any available signing key.
     - Under **Advanced protocol settings**, set **Subject mode** to be `Based on the Users's username`.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/development/gitea/index.md b/website/integrations/development/gitea/index.md
index 33dfaa2094..eda4ad538f 100644
--- a/website/integrations/development/gitea/index.md
+++ b/website/integrations/development/gitea/index.md
@@ -4,6 +4,8 @@ sidebar_label: Gitea
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Gitea?
 
 > Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Gitea with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Gitea with authentik, you need to create an applic
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://<gitea.company>/user/oauth2/authentik/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://<gitea.company>/user/oauth2/authentik/callback`.
     - Select any available signing key.
     - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/development/gitlab/index.mdx b/website/integrations/development/gitlab/index.mdx
index 6154cc6239..e8e243e85d 100644
--- a/website/integrations/development/gitlab/index.mdx
+++ b/website/integrations/development/gitlab/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: GitLab
 support_level: authentik
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is GitLab?
 
 > GitLab is a complete DevOps platform with features for version control, CI/CD, issue tracking, and collaboration, facilitating efficient software development and deployment workflows.
@@ -43,6 +45,8 @@ import Tabs from "@theme/Tabs";
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of GitLab with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -110,7 +114,7 @@ To support the integration of GitLab with authentik, you need to create an appli
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://gitlab.company/users/auth/openid_connect/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://gitlab.company/users/auth/openid_connect/callback`.
     - Select any available signing key.
     - Under **Advanced protocol settings**, set the **Subject mode** to `Based on the User's Email`.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/development/gravitee/index.md b/website/integrations/development/gravitee/index.md
index f05fdfd16f..0e4565936f 100644
--- a/website/integrations/development/gravitee/index.md
+++ b/website/integrations/development/gravitee/index.md
@@ -4,6 +4,8 @@ sidebar_label: Gravitee
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Gravitee?
 
 > Gravitee.io API Management is a flexible, lightweight and blazing-fast Open Source solution that helps your organization control who, when and how users access your APIs.
@@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Gravitee with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -36,7 +40,7 @@ To support the integration of Gravitee with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Add two `Strict` redirect URI and set them to `https://gravitee.company/user/login` and `https://gravitee.company/console/`. Ensure a trailing slash is present at the end of the second redirect URI.
+    - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://gravitee.company/user/login` and `https://gravitee.company/console/`. Ensure a trailing slash is present at the end of the second redirect URI.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/development/jenkins/index.md b/website/integrations/development/jenkins/index.md
index 0ce37bf2c0..470bc2dd47 100644
--- a/website/integrations/development/jenkins/index.md
+++ b/website/integrations/development/jenkins/index.md
@@ -4,6 +4,8 @@ sidebar_label: Jenkins
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Jenkins?
 
 > The leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Jenkins with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Jenkins with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://jenkins.company/securityRealm/finishLogin`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://jenkins.company/securityRealm/finishLogin`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/development/node-red/index.md b/website/integrations/development/node-red/index.md
index f0ef11869f..4e21606981 100644
--- a/website/integrations/development/node-red/index.md
+++ b/website/integrations/development/node-red/index.md
@@ -4,6 +4,8 @@ sidebar_label: Node-RED
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Node-RED?
 
 > Node-RED is a programming tool for wiring together hardware devices, APIs and online services in new and interesting ways.
@@ -29,6 +31,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Node-RED with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -40,7 +44,7 @@ To support the integration of Node-RED with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://nodered.company/auth/strategy/callback/`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://nodered.company/auth/strategy/callback/`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/device-management/apple/index.md b/website/integrations/device-management/apple/index.md
index 5a259e2680..37d0798933 100644
--- a/website/integrations/device-management/apple/index.md
+++ b/website/integrations/device-management/apple/index.md
@@ -13,6 +13,8 @@ authentik_enterprise: true
 authentik_preview: true
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Apple Business Manager?
 
 > Apple Business Manager is a web-based portal for IT administrators, managers, and procurement professionals to manage devices and automate device enrollment.
@@ -71,6 +73,8 @@ Be aware that Apple Business Manager imposes the following restrictions on feder
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 The workflow to configure authentik as an identity provider for Apple Business Manager involves creating scope mappings, signing keys, a Shared Signals Framework provider, and an OIDC provider/application pair.
 
 Together, these components will handle the authentication flow and backchannel communication between authentik and Apple Business Manager.
@@ -160,7 +164,7 @@ You will need to create an [OAuth2/OpenID Provider](/docs/add-secure-apps/provid
     - **Choose a Provider type**: select **OAuth2/OpenID Provider** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://gsa-ws.apple.com/grandslam/GsService2/acs`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://gsa-ws.apple.com/grandslam/GsService2/acs`.
         - Select any available signing key.
         - Under **Advanced protocol settings**, in addition to the default scopes, add the four following **Selected Scopes** to the provider.
             - `Apple Business Manager ssf.manage`
diff --git a/website/integrations/device-management/meshcentral/index.md b/website/integrations/device-management/meshcentral/index.md
index 226adb7a07..9329c80bc7 100644
--- a/website/integrations/device-management/meshcentral/index.md
+++ b/website/integrations/device-management/meshcentral/index.md
@@ -4,6 +4,8 @@ sidebar_label: MeshCentral
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is MeshCentral?
 
 > MeshCentral is a free, open source, web-based platform for remote device management.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of MeshCentral with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of MeshCentral with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://meshcentral.company/auth-oidc-callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://meshcentral.company/auth-oidc-callback`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/device-management/omnissa-workspace-one-access/index.md b/website/integrations/device-management/omnissa-workspace-one-access/index.md
index 6b8a5baa32..8bc4bc2330 100644
--- a/website/integrations/device-management/omnissa-workspace-one-access/index.md
+++ b/website/integrations/device-management/omnissa-workspace-one-access/index.md
@@ -4,6 +4,8 @@ sidebar_label: Omnissa Workspace ONE Access
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Omnissa Workspace ONE Access?
 
 > Omnissa Workspace ONE Access, now Omnissa Access, is the identity and access service for the Omnissa Workspace ONE platform. It provides single sign-on, access policies, and identity federation for applications and devices, and can delegate authentication to external identity providers such as authentik.
@@ -31,6 +33,8 @@ You can leave the form open in another browser tab while configuring authentik.
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Omnissa Workspace ONE Access with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -43,8 +47,8 @@ To support the integration of Omnissa Workspace ONE Access with authentik, you n
         - Note the **Client ID** and **Client Secret** values because they will be required later.
         - **Protocol Settings**:
             - **Redirect URI**:
-                - Strict: the redirect URI you noted in the Omnissa Workspace ONE Access pre-configuration step.
-                - Strict: `awgb://oauth2`. This URI is used by the Workspace ONE mobile applications.
+                - `Strict` `Authorization`: the redirect URI you noted in the Omnissa Workspace ONE Access pre-configuration step.
+                - `Strict` `Authorization`: `awgb://oauth2`. This URI is used by the Workspace ONE mobile applications.
             - **Signing Key**: select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/documentation/bookstack/index.mdx b/website/integrations/documentation/bookstack/index.mdx
index a73e7894fb..e80c785311 100644
--- a/website/integrations/documentation/bookstack/index.mdx
+++ b/website/integrations/documentation/bookstack/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: BookStack
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
 
@@ -38,6 +39,8 @@ You can configure Bookstack to use either OIDC or SAML, and this guide explains
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of BookStack with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -48,7 +51,7 @@ To support the integration of BookStack with authentik, you need to create an ap
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://bookstack.company/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://bookstack.company/oidc/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/documentation/dokuwiki/index.md b/website/integrations/documentation/dokuwiki/index.md
index 2dd3bc1cb0..1d45852a02 100644
--- a/website/integrations/documentation/dokuwiki/index.md
+++ b/website/integrations/documentation/dokuwiki/index.md
@@ -4,6 +4,8 @@ sidebar_label: DokuWiki
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is DokuWiki?
 
 > DokuWiki is an open source wiki application licensed under GPLv2 and written in the PHP programming language. It works on plain text files and thus does not need a database. Its syntax is similar to the one used by MediaWiki and it is often recommended as a more lightweight, easier to customize alternative to MediaWiki.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of DokuWiki with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
diff --git a/website/integrations/documentation/karakeep/index.md b/website/integrations/documentation/karakeep/index.md
index 19d6b625ad..1eb9d46a33 100644
--- a/website/integrations/documentation/karakeep/index.md
+++ b/website/integrations/documentation/karakeep/index.md
@@ -4,6 +4,8 @@ sidebar_label: Karakeep
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Karakeep?
 
 > A self-hostable bookmark-everything app (links, notes and images) with AI-based automatic tagging and full-text search.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Karakeep with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Karakeep with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://karakeep.company/api/auth/callback/custom`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://karakeep.company/api/auth/callback/custom`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/documentation/kitchenowl/index.md b/website/integrations/documentation/kitchenowl/index.md
index 87aa24dbb0..802e171e35 100644
--- a/website/integrations/documentation/kitchenowl/index.md
+++ b/website/integrations/documentation/kitchenowl/index.md
@@ -4,6 +4,8 @@ sidebar_label: KitchenOwl
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is KitchenOwl?
 
 > KitchenOwl is a smart self-hosted grocery list and recipe manager. Easily add items to your shopping list before you go shopping. You can also create recipes and set up meal plans to help you organize your cooking.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of KitchenOwl with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of KitchenOwl with authentik, you need to create an a
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret** values because they will be required later.
-        - Create two `Strict` redirect URIs and set them to `https://kitchenowl.company/signin/redirect` and `kitchenowl:/signin/redirect`.
+        - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://kitchenowl.company/signin/redirect` and `kitchenowl:/signin/redirect`.
 
 3. Click **Submit** to save the new application and provider.
 
diff --git a/website/integrations/documentation/mealie/index.md b/website/integrations/documentation/mealie/index.md
index d21edafe32..96117a7172 100644
--- a/website/integrations/documentation/mealie/index.md
+++ b/website/integrations/documentation/mealie/index.md
@@ -4,6 +4,8 @@ sidebar_label: Mealie
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Mealie?
 
 > Mealie is a self-hosted recipe manager and meal planner. Easily add recipes by providing the URL and Mealie will automatically import the relevant data or add a family recipe with the UI editor.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Mealie with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Mealie with authentik, you need to create an appli
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, , and **slug** values because they will be required later.
-    - Create two `Strict` redirect URIs and set to `https://mealie.company/login` and `https://mealie.company/login?direct=1`.
+    - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://mealie.company/login` and `https://mealie.company/login?direct=1`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/documentation/netbox/index.md b/website/integrations/documentation/netbox/index.md
index 8a4cdaa9c8..0cdcffef91 100644
--- a/website/integrations/documentation/netbox/index.md
+++ b/website/integrations/documentation/netbox/index.md
@@ -4,6 +4,8 @@ sidebar_label: NetBox
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is NetBox?
 
 > NetBox is the leading solution for modeling and documenting modern networks.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of NetBox with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of NetBox with authentik, you need to create an appli
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://netbox.company/oauth/complete/oidc/`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://netbox.company/oauth/complete/oidc/`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/documentation/outline/index.md b/website/integrations/documentation/outline/index.md
index ab058984bc..547fd9cc2e 100644
--- a/website/integrations/documentation/outline/index.md
+++ b/website/integrations/documentation/outline/index.md
@@ -4,6 +4,8 @@ sidebar_label: Outline
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Outline?
 
 > Your team's knowledge base.
@@ -24,6 +26,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Outline with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -35,7 +39,7 @@ To support the integration of Outline with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://outline.company/auth/oidc.callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://outline.company/auth/oidc.callback`.
     - Select any available signing key.
     - Under **Advanced protocol settings**, set the **Subject Mode** to **Based on the User's username**.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/documentation/paperless-ngx/index.mdx b/website/integrations/documentation/paperless-ngx/index.mdx
index 758116cee2..c14dcbbc85 100644
--- a/website/integrations/documentation/paperless-ngx/index.mdx
+++ b/website/integrations/documentation/paperless-ngx/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: Paperless-ngx
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Paperless-ngx?
 
 > Paperless-ngx is an application that indexes your scanned documents and allows you to easily search for documents and store metadata alongside your documents. It was a fork from Paperless-ng, in turn a fork from the original Paperless, neither of which are maintained any longer.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Paperless-ngx with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Paperless-ngx with authentik, you need to create a
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://paperless.company/accounts/oidc/authentik/login/callback/`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://paperless.company/accounts/oidc/authentik/login/callback/`.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
     - **Advanced protocol settings**:
         - **Selected Scopes**: Add the following
diff --git a/website/integrations/documentation/papra/index.mdx b/website/integrations/documentation/papra/index.mdx
index 06f04fd13a..3ded3f7628 100644
--- a/website/integrations/documentation/papra/index.mdx
+++ b/website/integrations/documentation/papra/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: Papra
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Papra?
 
 > An open-source document management platform designed to help you organize, secure, and archive your files effortlessly.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Papra with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Papra with authentik, you need to create an applic
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **Slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://papra.company/api/auth/oauth2/callback/authentik`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://papra.company/api/auth/oauth2/callback/authentik`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/documentation/tandoor/index.md b/website/integrations/documentation/tandoor/index.md
index 75a7259e7c..dde4f187b1 100644
--- a/website/integrations/documentation/tandoor/index.md
+++ b/website/integrations/documentation/tandoor/index.md
@@ -4,6 +4,8 @@ sidebar_label: Tandoor
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Tandoor?
 
 > Application for managing recipes, planning meals and building shopping lists.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Tandoor with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Tandoor with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://tandoor.company/accounts/oidc/authentik/login/callback/`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://tandoor.company/accounts/oidc/authentik/login/callback/`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/documentation/wiki-js/index.md b/website/integrations/documentation/wiki-js/index.md
index d02f80d636..9353aec562 100644
--- a/website/integrations/documentation/wiki-js/index.md
+++ b/website/integrations/documentation/wiki-js/index.md
@@ -4,6 +4,8 @@ sidebar_label: Wiki.js
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Wiki.js?
 
 > Wiki.js is a wiki engine running on Node.js and written in JavaScript. It is free software released under the Affero GNU General Public License. It is available as a self-hosted solution or using "single-click" install on the DigitalOcean and AWS marketplace.
@@ -33,6 +35,8 @@ Add a _Generic OpenID Connect / OAuth2_ strategy and take note of the _Callback
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Wiki.js with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -44,7 +48,7 @@ To support the integration of Wiki.js with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://wiki.company/login/id-from-wiki/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://wiki.company/login/id-from-wiki/callback`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/hypervisors-orchestrators/arcane/index.md b/website/integrations/hypervisors-orchestrators/arcane/index.md
index c2ca0a3774..805f50c3b0 100644
--- a/website/integrations/hypervisors-orchestrators/arcane/index.md
+++ b/website/integrations/hypervisors-orchestrators/arcane/index.md
@@ -4,6 +4,8 @@ sidebar_label: Arcane
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Arcane?
 
 > Modern Docker Management, Designed for Everyone.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Arcane with authentik, you need to create an application/provider pair in authentik.
 
 ### Create custom scope mapping
@@ -53,7 +57,7 @@ Arcane either requires the email scope to return a `true` value for whether the
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://arcane.company/auth/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://arcane.company/auth/oidc/callback`.
         - Select any available signing key.
         - Under **Advanced protocol settings**:
             - Remove the `authentik default OAuth Mapping: OpenID 'email'` scope, and add the custom scope mapping you created above.
diff --git a/website/integrations/hypervisors-orchestrators/portainer/index.md b/website/integrations/hypervisors-orchestrators/portainer/index.md
index be6161989c..8e43594255 100644
--- a/website/integrations/hypervisors-orchestrators/portainer/index.md
+++ b/website/integrations/hypervisors-orchestrators/portainer/index.md
@@ -4,6 +4,8 @@ sidebar_label: Portainer
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Portainer?
 
 > Portainer is a powerful, GUI-based Container-as-a-Service solution that helps organizations manage and deploy cloud-native applications easily and securely.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Portainer with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Portainer with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations:
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://portainer.company/`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://portainer.company/`.
     - Select any available signing key.
     - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/hypervisors-orchestrators/proxmox-ve/index.md b/website/integrations/hypervisors-orchestrators/proxmox-ve/index.md
index a9506d099f..b388bb87ad 100644
--- a/website/integrations/hypervisors-orchestrators/proxmox-ve/index.md
+++ b/website/integrations/hypervisors-orchestrators/proxmox-ve/index.md
@@ -4,6 +4,8 @@ sidebar_label: Proxmox VE
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Proxmox VE?
 
 > Proxmox Virtual Environment is an open source server virtualization management solution based on QEMU/KVM and LXC. You can manage virtual machines, containers, highly available clusters, storage, and networks with an integrated, easy-to-use web interface or via CLI. Proxmox VE code is licensed under the GNU Affero General Public License, version 3. The project is developed and maintained by Proxmox Server Solutions GmbH.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Proxmox with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Proxmox with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://proxmox.company:8006`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://proxmox.company:8006`.
     - Select any available signing key.
     - Ensure that encryption is disabled.
     - Under **Advanced protocol settings**:
diff --git a/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md b/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md
index eaff37aad4..c969104797 100644
--- a/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md
+++ b/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md
@@ -4,6 +4,8 @@ sidebar_label: VMware Cloud Director
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is VMware Cloud Director?
 
 > VMware Cloud Director is a platform that enables service providers and enterprises to create multi-tenant virtual data centers (VDCs) from underlying VMware vSphere infrastructure. It supports self-service resource provisioning, secure tenant isolation, and management of compute, storage, and networking via web portals and APIs.
@@ -21,6 +23,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of VMware Cloud Director with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -31,7 +35,7 @@ To support the integration of VMware Cloud Director with authentik, you need to
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://clouddirector.company/login/oauth?service=provider`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://clouddirector.company/login/oauth?service=provider`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md b/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md
index da00fb37bd..e4a44cab11 100644
--- a/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md
+++ b/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md
@@ -4,6 +4,8 @@ sidebar_label: VMware vCenter
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is vCenter?
 
 > vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. VMware vMotion and svMotion require the use of vCenter and ESXi hosts.
@@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of vCenter with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -36,7 +40,7 @@ To support the integration of vCenter with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://vcenter.company/ui/login/oauth2/authcode`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://vcenter.company/ui/login/oauth2/authcode`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md b/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md
index e984d08396..4807639da1 100644
--- a/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md
+++ b/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md
@@ -4,6 +4,8 @@ sidebar_label: Xen Orchestra
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Xen Orchestra?
 
 > Xen Orchestra provides a user friendly web interface for every Xen based hypervisor (XenServer, xcp-ng, etc.).
@@ -28,6 +30,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Xen Orchestra with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -39,7 +43,7 @@ To support the integration of Xen Orchestra with authentik, you need to create a
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://xenorchestra.company/signin/oidc/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://xenorchestra.company/signin/oidc/callback`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/infrastructure/apache-guacamole/index.mdx b/website/integrations/infrastructure/apache-guacamole/index.mdx
index a91a85d647..be8e3ed55a 100644
--- a/website/integrations/infrastructure/apache-guacamole/index.mdx
+++ b/website/integrations/infrastructure/apache-guacamole/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: Apache Guacamole
 support_level: authentik
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
 
@@ -26,6 +27,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Apache Guacamole with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -37,7 +40,7 @@ To support the integration of Apache Guacamole with authentik, you need to creat
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://guacamole.company/`. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://guacamole.company/`. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly.
     - Select any available signing key.
     - Note that Apache Guacamole does not support session tokens longer than 300 minutes (5 hours).
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/infrastructure/argocd/index.md b/website/integrations/infrastructure/argocd/index.md
index ae576f176d..6c201276c3 100644
--- a/website/integrations/infrastructure/argocd/index.md
+++ b/website/integrations/infrastructure/argocd/index.md
@@ -4,6 +4,8 @@ sidebar_label: ArgoCD
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is ArgoCD?
 
 > Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of ArgoCD with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of ArgoCD with authentik, you need to create an appli
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Add two `Strict` redirect URI and set them to `https://argocd.company/api/dex/callback` and `https://localhost:8085/auth/callback`.
+        - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://argocd.company/api/dex/callback` and `https://localhost:8085/auth/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/infrastructure/harbor/index.md b/website/integrations/infrastructure/harbor/index.md
index cb18da1d9c..4d7ec76acc 100644
--- a/website/integrations/infrastructure/harbor/index.md
+++ b/website/integrations/infrastructure/harbor/index.md
@@ -4,6 +4,8 @@ sidebar_label: Harbor
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Harbor?
 
 > Harbor is an open source container image registry that secures images with role-based access control, scans images for vulnerabilities, and signs images as trusted. A CNCF Graduated project, Harbor delivers compliance, performance, and interoperability to help you consistently and securely manage images across cloud native compute platforms like Kubernetes and Docker.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Harbor with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -35,7 +39,7 @@ To support the integration of Harbor with authentik, you need to create an appli
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - **Protocol Settings**:
         - **Redirect URI**:
-            - Strict: `https://harbor.company/c/oidc/callback`.
+            - `Strict` `Authorization`: `https://harbor.company/c/oidc/callback`.
         - **Signing Key**: select any available signing key.
     - **Advanced Protocol Settings**:
         - **Scopes**: add `authentik default OAuth Mapping: OpenID 'offline_access'` to **Selected Scopes**.
diff --git a/website/integrations/infrastructure/keycloak/index.mdx b/website/integrations/infrastructure/keycloak/index.mdx
index df90fb72c6..b4ba14dc11 100644
--- a/website/integrations/infrastructure/keycloak/index.mdx
+++ b/website/integrations/infrastructure/keycloak/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: Keycloak
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -39,6 +40,8 @@ Keycloak can be configured to use either OIDC or SAML for federated login source
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Keycloak with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -49,7 +52,7 @@ To support the integration of Keycloak with authentik, you need to create an app
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://keycloak.company/access/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://keycloak.company/access/oidc/callback`.
         - Set the **Logout URI** to `https://keycloak.company/realms/<keycloak-realm-name>/protocol/openid-connect/logout/backchannel-logout`.
         - Set the **Logout Method** to `Back-channel`.
         - Select any available signing key.
diff --git a/website/integrations/infrastructure/komodo/index.mdx b/website/integrations/infrastructure/komodo/index.mdx
index de4d83794a..a8abba5089 100644
--- a/website/integrations/infrastructure/komodo/index.mdx
+++ b/website/integrations/infrastructure/komodo/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: Komodo
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Komodo?
 
 > Komodo is a web-based application designed to organize and streamline the management of servers, builds, deployments, and automated tasks.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Komodo with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Komodo with authentik, you need to create an appli
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://komodo.company/auth/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://komodo.company/auth/oidc/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
     - **Configure Launch URL** _(optional)_: set to `https://komodo.company/auth/oidc/login`.
diff --git a/website/integrations/infrastructure/minio/index.mdx b/website/integrations/infrastructure/minio/index.mdx
index a82346f0c7..e53fc9e4d7 100644
--- a/website/integrations/infrastructure/minio/index.mdx
+++ b/website/integrations/infrastructure/minio/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: MinIO
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
 
@@ -30,6 +31,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of MinIO with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -40,7 +43,7 @@ To support the integration of MinIO with authentik, you need to create an applic
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://minio.company/oauth_callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://minio.company/oauth_callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/infrastructure/nexterm/index.md b/website/integrations/infrastructure/nexterm/index.md
index ab4e0eb326..7a5284b1f3 100644
--- a/website/integrations/infrastructure/nexterm/index.md
+++ b/website/integrations/infrastructure/nexterm/index.md
@@ -4,6 +4,8 @@ sidebar_label: Nexterm
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Nexterm?
 
 > Nexterm is an open-source server management platform for SSH, VNC, and RDP.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Nexterm with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Nexterm with authentik, you need to create an appl
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://nexterm.company/api/auth/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://nexterm.company/api/auth/oidc/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/infrastructure/osticket/index.md b/website/integrations/infrastructure/osticket/index.md
index 57f6f202b1..e1a5976301 100644
--- a/website/integrations/infrastructure/osticket/index.md
+++ b/website/integrations/infrastructure/osticket/index.md
@@ -4,6 +4,8 @@ sidebar_label: osTicket
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is osTicket?
 
 > osTicket is a web-based, open source user support/ticketing solution.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of osTicket with authentik, you need to create an application/provider pair in authentik.
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
@@ -31,7 +35,7 @@ To support the integration of osTicket with authentik, you need to create an app
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret** and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://osticket.company/osticket/api/auth/oauth2`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://osticket.company/osticket/api/auth/oauth2`.
         - Select any available signing key.
         - Under **Advanced protocol settings**:
             - **Subject Mode**: `Based on the User's Email`
diff --git a/website/integrations/infrastructure/pgadmin/index.md b/website/integrations/infrastructure/pgadmin/index.md
index ff0e1fb1fe..8f63db21c0 100644
--- a/website/integrations/infrastructure/pgadmin/index.md
+++ b/website/integrations/infrastructure/pgadmin/index.md
@@ -4,6 +4,8 @@ sidebar_label: pgAdmin
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is pgAdmin?
 
 > pgAdmin is a management tool for PostgreSQL and derivative relational databases such as EnterpriseDB's EDB Advanced Server. It may be run either as a web or desktop application.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of pgAdmin with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -37,7 +41,7 @@ To support the integration of pgAdmin with authentik, you need to create an appl
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://pgadmin.company/oauth2/authorize`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://pgadmin.company/oauth2/authorize`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/infrastructure/plesk/index.md b/website/integrations/infrastructure/plesk/index.md
index 9a261458a7..54d57cd237 100644
--- a/website/integrations/infrastructure/plesk/index.md
+++ b/website/integrations/infrastructure/plesk/index.md
@@ -4,6 +4,8 @@ sidebar_label: Plesk
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Plesk?
 
 > Plesk is a web hosting platform with a control panel that helps manage servers, applications, and websites through a comprehensive graphical user interface. It provides tools for web professionals, IT administrators, and hosting companies to simplify the process of hosting and managing websites.
@@ -27,6 +29,8 @@ Replace these placeholders in the guide with your values:
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Plesk with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Plesk with authentik, you need to create an applic
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://plesk.company/modules/oauth/public/login.php`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://plesk.company/modules/oauth/public/login.php`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/infrastructure/rabbitmq/index.mdx b/website/integrations/infrastructure/rabbitmq/index.mdx
index 5b10602f2b..cf4d6d9b25 100644
--- a/website/integrations/infrastructure/rabbitmq/index.mdx
+++ b/website/integrations/infrastructure/rabbitmq/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: RabbitMQ
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
 
@@ -28,6 +29,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of RabbitMQ with authentik, you need to create a property mapping, two user groups, and an application/provider pair.
 
 ### Create a property mapping
@@ -66,7 +69,7 @@ After creating the groups, select a group, navigate to the **Users** tab, and ma
         - Set **Client Type** to **Public**.
         - Note the **Client ID** and **slug** values because they will be required later.
         - Under **Grant Types**, select **Authorization Code** and **Client credentials**.
-        - Set a `Strict` redirect URI to `https://rabbitmq.company:15672/js/oidc-oauth/login-callback.html`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://rabbitmq.company:15672/js/oidc-oauth/login-callback.html`.
         - Select any available signing key.
         - Under **Advanced protocol settings**:
             - Add the `RabbitMQ claims` scope that you created in the previous section to **Selected Scopes**.
diff --git a/website/integrations/infrastructure/rustdesk-pro/index.mdx b/website/integrations/infrastructure/rustdesk-pro/index.mdx
index f50a6e2052..4aef8bb2ce 100644
--- a/website/integrations/infrastructure/rustdesk-pro/index.mdx
+++ b/website/integrations/infrastructure/rustdesk-pro/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: RustDesk Server Pro
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is RustDesk Server Pro?
 
 > RustDesk Server Pro is a premium self-hosted solution for managing remote desktop connections securely and efficiently.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Rustdesk Server Pro with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Rustdesk Server Pro with authentik, you need to cr
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://rustdesk.company/api/oidc/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://rustdesk.company/api/oidc/callback`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/infrastructure/semaphore/index.mdx b/website/integrations/infrastructure/semaphore/index.mdx
index e2e7f7117a..4ffdeb8337 100644
--- a/website/integrations/infrastructure/semaphore/index.mdx
+++ b/website/integrations/infrastructure/semaphore/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: Semaphore
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Semaphore UI?
 
 > Semaphore UI is a modern web interface for managing popular DevOps tools.
@@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Semaphore with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -35,7 +39,7 @@ To support the integration of Semaphore with authentik, you need to create an ap
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://semaphore.company/api/auth/oidc/authentik/redirect`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://semaphore.company/api/auth/oidc/authentik/redirect`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/infrastructure/synology-dsm/index.md b/website/integrations/infrastructure/synology-dsm/index.md
index b3d9fe326a..c5811b0909 100644
--- a/website/integrations/infrastructure/synology-dsm/index.md
+++ b/website/integrations/infrastructure/synology-dsm/index.md
@@ -4,6 +4,8 @@ sidebar_label: Synology DSM (DiskStation Manager)
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Synology DSM?
 
 > Synology Inc. is a Taiwanese corporation that specializes in network-attached storage (NAS) appliances. Synology's line of NAS is known as the DiskStation for desktop models, FlashStation for all-flash models, and RackStation for rack-mount models. Synology's products are distributed worldwide and localized in several languages.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Synology DSM with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Synology DSM with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://synology.company`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://synology.company`.
     - Select any available signing key.
     - Under **Advanced protocol settings**, set the **subject mode** to be based on the user's email.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/infrastructure/termix/index.mdx b/website/integrations/infrastructure/termix/index.mdx
index 5db31fb6ce..4eac67e7a4 100644
--- a/website/integrations/infrastructure/termix/index.mdx
+++ b/website/integrations/infrastructure/termix/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: Termix
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Termix?
 
 > Termix is a clientless web-based server management platform with SSH terminal, tunneling, and file editing capabilities.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Termix with authentik, you need to create an application/provider pair in authentik.
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
@@ -31,7 +35,7 @@ To support the integration of Termix with authentik, you need to create an appli
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://termix.company/users/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://termix.company/users/oidc/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/infrastructure/terrakube/index.md b/website/integrations/infrastructure/terrakube/index.md
index 10f7a4f35a..b10aba8f25 100644
--- a/website/integrations/infrastructure/terrakube/index.md
+++ b/website/integrations/infrastructure/terrakube/index.md
@@ -4,6 +4,8 @@ sidebar_label: Terrakube
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Terrakube?
 
 > Terrakube is an open-source collaboration platform designed for managing remote Infrastructure-as-Code (IaC) operations with Terraform. It serves as an alternative to proprietary tools like Terraform Enterprise.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Terrakube with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Terrakube with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://terrakube-dex.company/dex/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://terrakube-dex.company/dex/callback`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/infrastructure/zammad/index.md b/website/integrations/infrastructure/zammad/index.md
index 6cc586b61d..13788cac5c 100644
--- a/website/integrations/infrastructure/zammad/index.md
+++ b/website/integrations/infrastructure/zammad/index.md
@@ -4,6 +4,7 @@ sidebar_label: Zammad
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../\_saml-provider-2026-5-warning.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -40,6 +41,8 @@ values={[
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Zammad with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -102,7 +105,7 @@ To support the integration of Zammad with authentik, you need to create an appli
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Set the **Client type** to `Public`.
         - Take note of the **Client ID** and **slug** values because they will be required later.
-        - Set the **Redirect URIs/Origins** to `Strict` / `https://zammad.company/auth/openid_connect/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://zammad.company/auth/openid_connect/callback`.
         - Select a **Signing Key**.
         - Under **Advanced protocol settings**, set **Subject mode** to **Based on the User's Email**.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/infrastructure/zendesk/index.mdx b/website/integrations/infrastructure/zendesk/index.mdx
index 2ea808ab58..3897cc8bd6 100644
--- a/website/integrations/infrastructure/zendesk/index.mdx
+++ b/website/integrations/infrastructure/zendesk/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: Zendesk
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
 
@@ -38,6 +39,8 @@ Zendesk can be configured to use either OIDC or SAML. This guide covers both met
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Zendesk with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -48,7 +51,7 @@ To support the integration of Zendesk with authentik, you need to create an appl
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://company.zendesk.com/access/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://company.zendesk.com/access/oidc/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/infrastructure/zot/index.md b/website/integrations/infrastructure/zot/index.md
index 4c6b0945be..3c8f47151d 100644
--- a/website/integrations/infrastructure/zot/index.md
+++ b/website/integrations/infrastructure/zot/index.md
@@ -4,6 +4,8 @@ sidebar_label: Zot
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Zot?
 
 > Zot is an OCI-native container registry for distributing container images and OCI artifacts.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Zot with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -35,11 +39,9 @@ To support the integration of Zot with authentik, you need to create an applicat
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - **Protocol Settings**:
         - **Redirect URI**:
-            - Strict: `https://zot.company/zot/auth/callback/oidc`.
+            - `Strict` `Authorization`: `https://zot.company/zot/auth/callback/oidc`.
         - **Signing Key**: select any available signing key.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://zot.company/zot/auth/callback/oidc`.
-    - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
 3. Click **Submit** to save the new application and provider.
diff --git a/website/integrations/learning/absorb-lms/index.mdx b/website/integrations/learning/absorb-lms/index.mdx
index 2445d92fd1..f29b7e71fc 100644
--- a/website/integrations/learning/absorb-lms/index.mdx
+++ b/website/integrations/learning/absorb-lms/index.mdx
@@ -5,6 +5,7 @@ support_level: community
 authentik_version: 2026.5
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -39,6 +40,8 @@ values={[
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To integrate authentik with Absorb LMS via OIDC, you will need to create an application and provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -49,7 +52,7 @@ To integrate authentik with Absorb LMS via OIDC, you will need to create an appl
     - **Choose a Provider type**: select **OAuth2/OIDC Provider** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Take note of the **Client ID** and **Client Secret** values as these will be required in the next section.
-        - Set a `Strict` Redirect URI to `https://company.myabsorb.com/account/openidconnect`
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://company.myabsorb.com/account/openidconnect`
         - Select any available **Signing key**.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications in a user's **Application Dashboard**.
 
diff --git a/website/integrations/media/audiobookshelf/index.md b/website/integrations/media/audiobookshelf/index.md
index b99aeebec9..0918f4713b 100644
--- a/website/integrations/media/audiobookshelf/index.md
+++ b/website/integrations/media/audiobookshelf/index.md
@@ -4,6 +4,8 @@ sidebar_label: Audiobookshelf
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Audiobookshelf?
 
 > Audiobookshelf is a self-hosted audiobook and podcast server.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Audiobookshelf with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
diff --git a/website/integrations/media/freshrss/index.mdx b/website/integrations/media/freshrss/index.mdx
index ebc10d11f8..9945828a29 100644
--- a/website/integrations/media/freshrss/index.mdx
+++ b/website/integrations/media/freshrss/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: FreshRSS
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is FreshRSS?
 
 > FreshRSS is a self-hosted RSS feed aggregator.
@@ -23,6 +25,8 @@ This documentation only lists the settings that have been changed from their def
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of FreshRSS with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of FreshRSS with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Add two `Strict` redirect URIs and set them to `https://freshrss.company/i/oidc/` and `https://freshrss.company:443/i/oidc/`. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly.
+    - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://freshrss.company/i/oidc/` and `https://freshrss.company:443/i/oidc/`. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/media/immich/index.md b/website/integrations/media/immich/index.md
index 9668fc947c..c8212d7fb1 100644
--- a/website/integrations/media/immich/index.md
+++ b/website/integrations/media/immich/index.md
@@ -4,6 +4,8 @@ sidebar_label: Immich
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Immich?
 
 > Immich is a self-hosted backup solution for photos and videos on mobile devices.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Immich with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Immich with authentik, you need to create an appli
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Add three `Strict` redirect URIs and set them to `app.immich:///oauth-callback`, `https://immich.company/auth/login`, and `https://immich.company/user-settings`.
+        - Add three **Redirect URIs** of type `Strict` `Authorization` as `app.immich:///oauth-callback`, `https://immich.company/auth/login`, and `https://immich.company/user-settings`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
     - **Configure Launch URL** _(optional)_: set the [Launch URL](/docs/add-secure-apps/applications/#appearance) to `https://immich.company/auth/login?autoLaunch=1` to allow automatic login to Immich when clicking the application from within authentik.
diff --git a/website/integrations/media/jellyfin/index.md b/website/integrations/media/jellyfin/index.md
index f0252d06fd..815be053f5 100644
--- a/website/integrations/media/jellyfin/index.md
+++ b/website/integrations/media/jellyfin/index.md
@@ -4,6 +4,8 @@ sidebar_label: Jellyfin
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Jellyfin?
 
 > Jellyfin is a free and open source media management and streaming platform for movies, TV shows, and music.
@@ -95,6 +97,8 @@ At this point, enter a username and click **Save Search Attribute Settings and Q
 
 ## OIDC configuration
 
+<RedirectURI20265Note />
+
 ### authentik configuration
 
 **Provider Settings**
@@ -102,7 +106,7 @@ At this point, enter a username and click **Save Search Attribute Settings and Q
 In authentik under **Providers**, create an OAuth2/OpenID Provider with these settings:
 
 - Name: `jellyfin`
-- Redirect URI: `https://jellyfin.company/sso/OID/redirect/authentik`
+- **Redirect URI**: `Strict` `Authorization` `https://jellyfin.company/sso/OID/redirect/authentik`
 
 Everything else is up to you, just make sure to grab the client ID and the client secret!
 
diff --git a/website/integrations/media/komga/index.md b/website/integrations/media/komga/index.md
index 10ed952c3c..27cb7f3cc0 100644
--- a/website/integrations/media/komga/index.md
+++ b/website/integrations/media/komga/index.md
@@ -4,6 +4,8 @@ sidebar_label: Komga
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Komga?
 
 > Komga is an open-source comic and manga server that lets users organize, read, and stream their digital comic collections with ease.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Komga with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an email verification scope mapping in authentik
@@ -40,7 +44,7 @@ Refer to [Email scope verification](/docs/add-secure-apps/providers/oauth2/index
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://komga.company/login/oauth2/code/authentik`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://komga.company/login/oauth2/code/authentik`.
     - Select any available signing key.
     - **Advanced protocol settings** > **Scopes**:
         - Add `OAuth Mapping: OpenID 'email' with "email_verified"` to the **Selected Scopes**.
diff --git a/website/integrations/media/miniflux/index.md b/website/integrations/media/miniflux/index.md
index 9bea7a0a77..97f98adf79 100644
--- a/website/integrations/media/miniflux/index.md
+++ b/website/integrations/media/miniflux/index.md
@@ -4,6 +4,8 @@ sidebar_label: Miniflux
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Miniflux?
 
 > Miniflux is a minimalist and opinionated RSS feed reader.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Miniflux with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Miniflux with authentik, you need to create an app
     - **Choose a Provider type**: Select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://miniflux.company/oauth2/oidc/callback`
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://miniflux.company/oauth2/oidc/callback`
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/media/photoprism/index.md b/website/integrations/media/photoprism/index.md
index 9857859d1e..287fb75624 100644
--- a/website/integrations/media/photoprism/index.md
+++ b/website/integrations/media/photoprism/index.md
@@ -4,6 +4,8 @@ sidebar_label: PhotoPrism
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is PhotoPrism?
 
 > PhotoPrism is an AI-powered photos app that lets you browse, organize, and find photos and videos on a home server, private server, or in the cloud.
@@ -27,6 +29,8 @@ PhotoPrism requires HTTPS for OpenID Connect (OIDC). Make sure that the `PHOTOPR
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of PhotoPrism with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -37,7 +41,7 @@ To support the integration of PhotoPrism with authentik, you need to create an a
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Add one `Strict` redirect URI and set it to `https://photoprism.company/api/v1/oidc/redirect`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://photoprism.company/api/v1/oidc/redirect`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/media/seafile/index.md b/website/integrations/media/seafile/index.md
index 67e2e2dec9..4b5e99fbfd 100644
--- a/website/integrations/media/seafile/index.md
+++ b/website/integrations/media/seafile/index.md
@@ -4,6 +4,8 @@ sidebar_label: Seafile
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Seafile?
 
 > Seafile is an open-source, cross-platform file-hosting software system. Files are stored on a central server and can be synchronized with personal computers and mobile devices through apps. Files on the Seafile server can also be accessed directly via the server's web interface.
@@ -22,6 +24,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Seafile with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -32,7 +36,7 @@ To support the integration of Seafile with authentik, you need to create an appl
     - **Choose a Provider type**: select OAuth2/OpenID Connect as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://seafile.company/oauth/callback/`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://seafile.company/oauth/callback/`.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
 3. Click **Submit** to save the new application and provider.
diff --git a/website/integrations/media/seerr/index.md b/website/integrations/media/seerr/index.md
index f6e1cc3a35..74a2a527a6 100644
--- a/website/integrations/media/seerr/index.md
+++ b/website/integrations/media/seerr/index.md
@@ -4,6 +4,8 @@ sidebar_label: Seerr
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Seerr?
 
 > Seerr (previously Jellyseerr) is a free and open source application for managing requests in your media library. It integrates with media servers like Jellyfin, Plex, and Emby, and services such as Sonarr and Radarr.
@@ -17,6 +19,8 @@ support_level: community
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Seerr with authentik, you need to create an application/provider pair in authentik.
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
@@ -25,7 +29,7 @@ To support the integration of Seerr with authentik, you need to create an applic
     - **Choose a Provider type**: OAuth2/OpenID
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://seerr.company/login`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://seerr.company/login`.
         - Select any available signing key.
     - **Configure Bindings** _(optional):_ you can create a [binding](https://docs.goauthentik.io/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user’s **Application Dashboard** page.
 
diff --git a/website/integrations/miscellaneous/actual-budget/index.mdx b/website/integrations/miscellaneous/actual-budget/index.mdx
index 1ecc595a90..f04328b09c 100644
--- a/website/integrations/miscellaneous/actual-budget/index.mdx
+++ b/website/integrations/miscellaneous/actual-budget/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: Actual Budget
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
 
@@ -26,6 +27,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Actual Budget with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -36,7 +39,7 @@ To support the integration of Actual Budget with authentik, you need to create a
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://actual.company/openid/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://actual.company/openid/callback`.
         - Select any available signing key. Actual Budget only supports the RS256 algorithm. Be aware of this when choosing a signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/miscellaneous/adventurelog/index.mdx b/website/integrations/miscellaneous/adventurelog/index.mdx
index a599de2c8a..b81f0afc60 100644
--- a/website/integrations/miscellaneous/adventurelog/index.mdx
+++ b/website/integrations/miscellaneous/adventurelog/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: AdventureLog
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is AdventureLog?
 
 > AdventureLog is a self-hosted travel tracker and trip planner. AdventureLog is the ultimate travel companion for the modern-day explorer.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of AdventureLog with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of AdventureLog with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Regex` redirect URI to `^https://adventurelog.company/accounts/oidc/.\*$`.
+    - Add a **Redirect URI** of type `Regex` `Authorization` as `^https://adventurelog.company/accounts/oidc/.\*$`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/miscellaneous/ezbookkeeping/index.mdx b/website/integrations/miscellaneous/ezbookkeeping/index.mdx
index d16aaf1c2b..fd98dbd539 100644
--- a/website/integrations/miscellaneous/ezbookkeeping/index.mdx
+++ b/website/integrations/miscellaneous/ezbookkeeping/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: ezBookkeeping
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
 
@@ -26,6 +27,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of ezBookkeeping with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -36,7 +39,7 @@ To support the integration of ezBookkeeping with authentik, you need to create a
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://ezbookkeeping.company/oauth2/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://ezbookkeeping.company/oauth2/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/miscellaneous/filerise/index.mdx b/website/integrations/miscellaneous/filerise/index.mdx
index 0311d22e73..783d388e57 100644
--- a/website/integrations/miscellaneous/filerise/index.mdx
+++ b/website/integrations/miscellaneous/filerise/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: FileRise
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is FileRise?
 
 > Lightweight, self-hosted web-based file manager with multi-file upload, editing, and batch operations.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of FileRise with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of FileRise with authentik, you need to create an app
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set **Redirect URI** to `https://filerise.company/api/auth/auth.php?oidc=callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://filerise.company/api/auth/auth.php?oidc=callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/miscellaneous/home-assistant/index.md b/website/integrations/miscellaneous/home-assistant/index.md
index 6ea250576a..f7d6e83d4c 100644
--- a/website/integrations/miscellaneous/home-assistant/index.md
+++ b/website/integrations/miscellaneous/home-assistant/index.md
@@ -4,6 +4,8 @@ sidebar_label: Home Assistant
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 <!-- spellchecker:ignore christiaangoossens -->
 
 ## What is Home Assistant?
@@ -47,6 +49,8 @@ values={[
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Home Assistant with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -58,7 +62,7 @@ To support the integration of Home Assistant with authentik, you need to create
     - Choose a **Provider Type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://hass.company/auth/openid/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://hass.company/auth/openid/callback`.
         - Select any available signing key (to use the RS256 `id_token_signing_alg`)
     - Configure Bindings (optional): you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
@@ -109,7 +113,7 @@ To support the integration of Home Assistant with authentik, you need to create
     - Choose a **Provider Type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://hass.company/auth/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://hass.company/auth/oidc/callback`.
         - Select any available signing key (to use the RS256 `id_token_signing_alg`)
     - Configure Bindings (optional): you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/miscellaneous/open-webui/index.md b/website/integrations/miscellaneous/open-webui/index.md
index a5dfbc91f9..c5ceb67eaa 100644
--- a/website/integrations/miscellaneous/open-webui/index.md
+++ b/website/integrations/miscellaneous/open-webui/index.md
@@ -4,6 +4,8 @@ sidebar_label: Open WebUI
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Open WebUI?
 
 > Open WebUI is a simple, self-hosted AI platform that works entirely offline. It supports tools like Ollama and OpenAI-style APIs and has a built-in engine for RAG tasks.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Open WebUI with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Open WebUI with authentik, you need to create an a
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://openwebui.company/oauth/oidc/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://openwebui.company/oauth/oidc/callback`.
     - Select any available signing key.
     - Make sure to leave the **Encryption Key** field empty.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/miscellaneous/wallos/index.mdx b/website/integrations/miscellaneous/wallos/index.mdx
index b24f151b0e..7606385b16 100644
--- a/website/integrations/miscellaneous/wallos/index.mdx
+++ b/website/integrations/miscellaneous/wallos/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: Wallos
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Wallos?
 
 > Wallos is a self-hosted subscription and budget planning application.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Wallos with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Wallos with authentik, you need to create an appli
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://wallos.company/index.php`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://wallos.company/index.php`.
         - Select any available signing key.
     - **Configure Bindings** (optional): you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/miscellaneous/zipline/index.md b/website/integrations/miscellaneous/zipline/index.md
index 38f1e5997f..814477df42 100644
--- a/website/integrations/miscellaneous/zipline/index.md
+++ b/website/integrations/miscellaneous/zipline/index.md
@@ -4,6 +4,8 @@ sidebar_label: Zipline
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Zipline?
 
 > Zipline is a self-hostable file upload server designed for easy file sharing, supporting tools like ShareX and Flameshot, with features such as simplified setup and extensive customization options.
@@ -27,6 +29,8 @@ This guide is compatible with Zipline [version `v4.0.0`](https://github.com/dice
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Zipline with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Zipline with authentik, you need to create an appl
 - **Choose a Provider type**: Select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: Provide a name (or accept the auto-provided name), choose the authorization flow for this provider, and configure the following required settings:
     - Note the **Client ID** and **Client Secret** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://zipline.company/api/auth/oauth/oidc`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://zipline.company/api/auth/oauth/oidc`.
     - Select any available signing key.
     - Under **Advanced protocol settings** > **Scopes**, add `authentik default OAuth Mapping: OpenID 'offline_access'` to the **Selected Scopes** list.
 - **Configure Bindings** _(optional)_: Create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/monitoring/beszel/index.mdx b/website/integrations/monitoring/beszel/index.mdx
index e7a3c01b8c..ebe9f916cc 100644
--- a/website/integrations/monitoring/beszel/index.mdx
+++ b/website/integrations/monitoring/beszel/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: Beszel
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Beszel?
 
 > Beszel is a lightweight server monitoring platform that provides Docker statistics, historical data, and configurable alerts.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 The steps to configure authentik include creating an email verification scope mapping, creating an application and provider pair in authentik, obtaining the Client ID and Client Secret values, setting the redirect URI, and selecting a signing key.
 
 ### Create an email verification scope mapping in authentik
@@ -44,7 +48,7 @@ Refer to [Email scope verification](/docs/add-secure-apps/providers/oauth2/index
 - **Choose a Provider type**: OAuth2/OpenID
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any required configurations.
     - Note the **Client ID** and **Client Secret** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://beszel.company/api/oauth2-redirect`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://beszel.company/api/oauth2-redirect`.
     - Select any available signing key.
     - **Advanced protocol settings** > **Scopes**:
         - Add `OAuth Mapping: OpenID 'email' with "email_verified"` to the **Selected Scopes**.
diff --git a/website/integrations/monitoring/chronograf/index.mdx b/website/integrations/monitoring/chronograf/index.mdx
index e8d7bc2f6c..5ed04465f5 100644
--- a/website/integrations/monitoring/chronograf/index.mdx
+++ b/website/integrations/monitoring/chronograf/index.mdx
@@ -3,6 +3,8 @@ title: Integrate with Chronograf
 sidebar_label: Chronograf
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Chronograf?
 
 > Chronograf lets you quickly visualize the data stored in InfluxDB, enabling you to build robust queries and alerts. It is simple to use and comes with templates and libraries for rapidly creating dashboards with real-time data visualizations.
@@ -22,6 +24,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Chronograf with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Chronograf with authentik, you need to create an a
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://chronograf.company/oauth/authentik/callback/`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://chronograf.company/oauth/authentik/callback/`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/monitoring/gatus/index.mdx b/website/integrations/monitoring/gatus/index.mdx
index 7a1b81b638..a4fe0a9362 100644
--- a/website/integrations/monitoring/gatus/index.mdx
+++ b/website/integrations/monitoring/gatus/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: Gatus
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Gatus?
 
 > Gatus is a developer-oriented health dashboard that gives you the ability to monitor your services using HTTP, ICMP, TCP, and even DNS queries as well as evaluate the result of said queries by using a list of conditions on values like the status code, the response time, the certificate expiration, the body and many others. The icing on top is that each of these health checks can be paired with alerting via Slack, Teams, PagerDuty, Discord, Twilio and many more.
@@ -23,6 +25,8 @@ This documentation only lists the settings that have been changed from their def
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Gatus with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Gatus with authentik, you need to create an applic
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://gatus.company/authorization-code/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://gatus.company/authorization-code/callback`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/monitoring/glitchtip/index.md b/website/integrations/monitoring/glitchtip/index.md
index 0f05c9f64f..feb67a9e65 100644
--- a/website/integrations/monitoring/glitchtip/index.md
+++ b/website/integrations/monitoring/glitchtip/index.md
@@ -4,6 +4,8 @@ sidebar_label: Glitchtip
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Glitchtip?
 
 > Bugs are inevitable in web development. The important thing is to catch them when they appear. With GlitchTip, you can rest easy knowing that if your web app throws an error or goes down, you will be notified immediately. GlitchTip combines error tracking and uptime monitoring in one open-source package to keep you and your team fully up-to-date on the status of your projects.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Glitchtip with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Glitchtip with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://glitchtip.company/accounts/oidc/authentik/login/callback/`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://glitchtip.company/accounts/oidc/authentik/login/callback/`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/monitoring/grafana/index.mdx b/website/integrations/monitoring/grafana/index.mdx
index 5fedbdaaf3..43596d0225 100644
--- a/website/integrations/monitoring/grafana/index.mdx
+++ b/website/integrations/monitoring/grafana/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: Grafana
 support_level: authentik
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Grafana?
 
 > Grafana is a multi-platform open source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources, Grafana Enterprise version with additional capabilities is also available. It is expandable through a plug-in system.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Grafana with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Grafana with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://grafana.company/login/generic_oauth`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://grafana.company/login/generic_oauth`.
     - Set the Logout URI to `https://grafana.company/logout`.
     - Set the Logout Method to `Front-channel`.
     - Select any available signing key.
diff --git a/website/integrations/monitoring/icinga/index.md b/website/integrations/monitoring/icinga/index.md
index 06e29e3962..792b203e50 100644
--- a/website/integrations/monitoring/icinga/index.md
+++ b/website/integrations/monitoring/icinga/index.md
@@ -4,6 +4,8 @@ sidebar_label: Icinga Web 2
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Icinga Web 2?
 
 > Icinga Web 2 is the next-generation web interface for the Icinga monitoring stack. It provides a flexible UI to view monitoring states, drill into problems, and integrate with the Icinga 2 backend.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Icinga Web 2 with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -37,7 +41,7 @@ To support the integration of Icinga Web 2 with authentik, you need to create an
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://icinga.company/icingaweb2/oidc/authentication/realm?name=authentik`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://icinga.company/icingaweb2/oidc/authentication/realm?name=authentik`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/monitoring/observium/index.md b/website/integrations/monitoring/observium/index.md
index 4b9e6381c3..d660c5854e 100644
--- a/website/integrations/monitoring/observium/index.md
+++ b/website/integrations/monitoring/observium/index.md
@@ -4,6 +4,8 @@ sidebar_label: Observium
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Observium?
 
 > Observium is a network monitoring and management platform that provides real-time insight into network health and performance.
@@ -40,6 +42,8 @@ apt install ./libapache2-mod-auth-openidc_2.4.15.7-1.bookworm_amd64.deb
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Observium with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -51,7 +55,7 @@ To support the integration of Observium with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://observium.company/secure/redirect_uri`. Note that the Redirect URI can be anything, as long as it does not point to existing content.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://observium.company/secure/redirect_uri`. Note that the Redirect URI can be anything, as long as it does not point to existing content.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/monitoring/pulse/index.md b/website/integrations/monitoring/pulse/index.md
index c5ea687734..da36ce91ec 100644
--- a/website/integrations/monitoring/pulse/index.md
+++ b/website/integrations/monitoring/pulse/index.md
@@ -4,6 +4,8 @@ sidebar_label: Pulse
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Pulse?
 
 > Pulse is an open-source monitoring platform that provides real-time insight into Proxmox, Docker, and Kubernetes infrastructure.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Pulse with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Pulse with authentik, you need to create an applic
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://pulse.company/api/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://pulse.company/api/oidc/callback`.
         - Select any available signing key.
         - Under **Advanced protocol settings**, add `authentik default OAuth Mapping: OpenID 'offline_access'` to the selected scopes if you want long-lived sessions backed by refresh tokens.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/monitoring/ubuntu-landscape/index.md b/website/integrations/monitoring/ubuntu-landscape/index.md
index f4161b36d9..d4e4deab7d 100644
--- a/website/integrations/monitoring/ubuntu-landscape/index.md
+++ b/website/integrations/monitoring/ubuntu-landscape/index.md
@@ -4,6 +4,8 @@ sidebar_label: Ubuntu Landscape
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Ubuntu Landscape?
 
 > Landscape is a systems management tool developed by Canonical. It can be run on-premises or in the cloud depending on the needs of the user. It is primarily designed for use with Ubuntu derivatives such as Desktop, Server, and Core.
@@ -29,6 +31,8 @@ Landscape uses the OpenID Connect protocol for single sign-on.
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Landscape with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -40,7 +44,7 @@ To support the integration of Landscape with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://landscape.company/login/handle-openid`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://landscape.company/login/handle-openid`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/monitoring/whats-up-docker/index.md b/website/integrations/monitoring/whats-up-docker/index.md
index ed47fd8a62..c85db5da6b 100644
--- a/website/integrations/monitoring/whats-up-docker/index.md
+++ b/website/integrations/monitoring/whats-up-docker/index.md
@@ -4,6 +4,8 @@ sidebar_label: What's Up Docker
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is What's Up Docker?
 
 > What's Up Docker (WUD) is an easy-to-use tool that alerts you whenever a new version of your Docker containers is released.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of What's Up Docker with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of What's Up Docker with authentik, you need to creat
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://wud.company/auth/oidc/authentik/cb`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://wud.company/auth/oidc/authentik/cb`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/networking/firezone/index.md b/website/integrations/networking/firezone/index.md
index 7209c8d314..0ed2e1bcfe 100644
--- a/website/integrations/networking/firezone/index.md
+++ b/website/integrations/networking/firezone/index.md
@@ -4,6 +4,8 @@ sidebar_label: Firezone
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Firezone?
 
 > Firezone is an open-source remote access platform built on WireGuard®, a modern VPN protocol that's 4-6x faster than OpenVPN.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Firezone with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -34,7 +38,7 @@ To support the integration of Firezone with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://firezone.company/auth/oidc/authentik/callback/`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://firezone.company/auth/oidc/authentik/callback/`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/networking/gravity/index.md b/website/integrations/networking/gravity/index.md
index 01384e25f6..8c4aae2c9e 100644
--- a/website/integrations/networking/gravity/index.md
+++ b/website/integrations/networking/gravity/index.md
@@ -4,6 +4,8 @@ sidebar_label: Gravity
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Gravity?
 
 > Gravity is a fully-replicated DNS, DHCP, and TFTP server powered by [etcd](https://etcd.io/), offering features like built-in caching, ad/privacy blocking, automatic DNS registration, and metric tracking.
@@ -27,6 +29,8 @@ Gravity automatically triggers SSO authentication when configured. To prevent th
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Gravity with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Gravity with authentik, you need to create an appl
 - **Choose a Provider type**: Select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: Provide a name (or accept the auto-provided name), choose the authorization flow for this provider, and configure the following required settings:
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://gravity.company/auth/oidc/callback`.
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://gravity.company/auth/oidc/callback`.
     - Select any available signing key.
 - **Configure Bindings** _(optional)_: Create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/networking/headscale/index.md b/website/integrations/networking/headscale/index.md
index 2fa1fd81c6..5cad73276e 100644
--- a/website/integrations/networking/headscale/index.md
+++ b/website/integrations/networking/headscale/index.md
@@ -4,6 +4,8 @@ sidebar_label: Headscale
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Headscale?
 
 > Headscale is an open source alternative to the Tailscale coordination server and can be self-hosted for a single tailnet. Headscale is a re-implemented version of the Tailscale coordination server, developed independently and completely separate from Tailscale, with its own independent community of users and developers.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Headscale with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Headscale with authentik, you need to create an ap
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://headscale.company/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://headscale.company/oidc/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/networking/hoop.dev/index.md b/website/integrations/networking/hoop.dev/index.md
index c8307cd3fd..679e85679d 100644
--- a/website/integrations/networking/hoop.dev/index.md
+++ b/website/integrations/networking/hoop.dev/index.md
@@ -4,6 +4,8 @@ sidebar_label: Hoop.dev
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Hoop.dev?
 
 > Hoop.dev is an access gateway for databases and servers with AI-powered automations that eliminate cumbersome access policies and break-glass workflows without compromising security.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Hoop.dev with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Hoop.dev with authentik, you need to create an app
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://hoop.company/api/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://hoop.company/api/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/networking/netbird/index.mdx b/website/integrations/networking/netbird/index.mdx
index 1ae5d51621..4ce088796e 100644
--- a/website/integrations/networking/netbird/index.mdx
+++ b/website/integrations/networking/netbird/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: NetBird
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
 
@@ -41,6 +42,8 @@ NetBird can use authentik in two ways:
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support adding authentik as an external identity provider in NetBird, you need to create an application/provider pair and application entitlements in authentik.
 
 ### Create an application and provider in authentik
@@ -80,7 +83,7 @@ Name each entitlement exactly as the NetBird group value that NetBird should syn
     - **Issuer**: `https://authentik.company/application/o/<application_slug>/`
 4. Copy the redirect URL shown by NetBird. Do not complete the provider setup yet.
 5. Return to authentik, navigate to **Applications** > **Providers**, and edit the NetBird provider.
-6. Under **Redirect URIs/Origins**, add the redirect URL from NetBird as a `Strict` redirect.
+6. Under **Redirect URIs/Origins**, add the redirect URL from NetBird as a `Strict` `Authorization` redirect.
 7. Click **Update**.
 8. Return to NetBird and complete the identity provider setup.
 
@@ -109,8 +112,8 @@ To support replacing NetBird's embedded IdP with authentik, you need to create a
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** value because it will be required later.
         - Set **Client type** to `Public`.
-        - Add a `Strict` redirect URI to `http://localhost:53000`.
-        - Add a `Regex` redirect URI to `https://netbird.company/.*`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `http://localhost:53000`.
+        - Add a **Redirect URI** of type `Regex` `Authorization` as `https://netbird.company/.*`.
         - Select any available signing key.
         - Under **Advanced protocol settings**, set **Access Code Validity** to `minutes=10`.
         - Under **Advanced protocol settings**, set **Subject Mode** to `Based on the User's ID`.
diff --git a/website/integrations/networking/pangolin/index.mdx b/website/integrations/networking/pangolin/index.mdx
index 1b9c1f9d9c..c25c233df5 100644
--- a/website/integrations/networking/pangolin/index.mdx
+++ b/website/integrations/networking/pangolin/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: Pangolin
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is Pangolin?
 
 > Pangolin is a self-hosted tunneled reverse proxy server with identity and access control, designed to securely expose private resources on distributed networks.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Pangolin with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Pangolin with authentik, you need to create an app
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, and **Client Secret** values because they will be required later.
-        - Temporarily set **Redirect URI** to `https://temp.temp`.
+        - Temporarily add a **Redirect URI** of type `Strict` `Authorization` as `https://temp.temp`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
@@ -61,7 +65,7 @@ To support the integration of Pangolin with authentik, you need to create an app
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Providers** and click the **Edit** icon of the newly created Pangolin provider.
-3. Set the **Redirect URI** to the value taken from Pangolin (e.g. `https://pangolin.company/auth/idp/<identity-provider-number>/oidc/callback`).
+3. Add a **Redirect URI** of type `Strict` `Authorization` as the value taken from Pangolin (e.g. `https://pangolin.company/auth/idp/<identity-provider-number>/oidc/callback`).
 4. Click **Update**.
 
 ## Configuration verification
diff --git a/website/integrations/networking/tailscale/index.md b/website/integrations/networking/tailscale/index.md
index 3df0c2dd67..859640e4a6 100644
--- a/website/integrations/networking/tailscale/index.md
+++ b/website/integrations/networking/tailscale/index.md
@@ -4,6 +4,8 @@ sidebar_label: Tailscale
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Tailscale?
 
 > Tailscale is a mesh VPN service that creates secure, encrypted, peer-to-peer connections between devices across different networks using the WireGuard protocol.
@@ -42,6 +44,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Tailscale with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -52,7 +56,7 @@ To support the integration of Tailscale with authentik, you need to create an ap
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://login.tailscale.com/a/oauth_response`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://login.tailscale.com/a/oauth_response`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/networking/technitium/index.md b/website/integrations/networking/technitium/index.md
index c34f85e40d..698b8b630f 100644
--- a/website/integrations/networking/technitium/index.md
+++ b/website/integrations/networking/technitium/index.md
@@ -4,6 +4,8 @@ sidebar_label: Technitium DNS
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Technitium DNS?
 
 > Technitium DNS Server is a free, open source, cross-platform, authoritative and recursive DNS server that can be self-hosted for privacy and security, software development, and testing on small to medium-sized networks.
@@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Technitium DNS with authentik, you need to create a scope mapping, an application/provider pair, and application entitlements in authentik.
 
 ### Create a scope mapping in authentik
@@ -59,7 +63,7 @@ Technitium DNS uses the `roles` claim to map SSO users to local groups. Create a
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
         - Set **Client type** to `Confidential`.
-        - Set a `Strict` redirect URI to `https://technitium.company/sso/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://technitium.company/sso/callback`.
         - Select any available signing key.
         - Ensure that the `openid`, `email`, and `profile` scopes are selected. Remove the `email` scope if you prefer usernames to use the preferred username claim instead of the email address.
         - Under **Advanced protocol settings** > **Selected Scopes**, add the scope mapping that you created in the previous section.
diff --git a/website/integrations/platforms/budibase/index.md b/website/integrations/platforms/budibase/index.md
index 693a7d7ac0..d2a45e6c0e 100644
--- a/website/integrations/platforms/budibase/index.md
+++ b/website/integrations/platforms/budibase/index.md
@@ -4,6 +4,8 @@ sidebar_label: Budibase
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Budibase?
 
 > Budibase is an open source low-code platform, and the easiest way to build internal tools that improve productivity.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Budibase with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of Budibase with authentik, you need to create an app
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://budibase.company/api/global/auth/oidc/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://budibase.company/api/global/auth/oidc/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/platforms/drupal/index.md b/website/integrations/platforms/drupal/index.md
index 0afc315b4c..89d4b8b05e 100644
--- a/website/integrations/platforms/drupal/index.md
+++ b/website/integrations/platforms/drupal/index.md
@@ -4,6 +4,8 @@ sidebar_label: Drupal
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Drupal?
 
 > Drupal is a free and open-source content management system written in PHP and
@@ -28,6 +30,8 @@ There are many different modules for Drupal that allow you to set up SSO using d
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Drupal with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -38,7 +42,7 @@ To support the integration of Drupal with authentik, you need to create an appli
 - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `drupal-slug` placeholder defined earlier.
 - **Choose a Provider type**: select **OAuth2/OpenID Provider** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
-    - Add the following **Redirect URI**: `https://drupal.company/openid-connect/generic`
+    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://drupal.company/openid-connect/generic`.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
 3. Click **Submit** to save the new application and provider.
diff --git a/website/integrations/platforms/personio/index.md b/website/integrations/platforms/personio/index.md
index 74b89535d1..62506db268 100644
--- a/website/integrations/platforms/personio/index.md
+++ b/website/integrations/platforms/personio/index.md
@@ -4,6 +4,8 @@ sidebar_label: Personio
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Personio?
 
 > Personio is an HR software platform for managing core HR processes such as recruiting, onboarding, payroll, time tracking, and performance management.
@@ -22,6 +24,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Personio with authentik, you need to create an application/provider pair in authentik.
 
 ### Copy the Personio callback URL
@@ -40,7 +44,7 @@ To support the integration of Personio with authentik, you need to create an app
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
         - Set the **Client type** to `Confidential`.
-        - Add two `Strict` redirect URIs:
+        - Add two **Redirect URIs** of type `Strict` `Authorization`:
             - The **Callback URLs/Redirect URIs** value from Personio.
             - `https://login.personio.com/login/callback`
         - Select any available signing key.
diff --git a/website/integrations/platforms/pocketbase/index.md b/website/integrations/platforms/pocketbase/index.md
index 747e5bbbca..643fd453e5 100644
--- a/website/integrations/platforms/pocketbase/index.md
+++ b/website/integrations/platforms/pocketbase/index.md
@@ -4,6 +4,8 @@ sidebar_label: PocketBase
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is PocketBase?
 
 > PocketBase is an open source backend consisting of an embedded SQLite database, realtime subscriptions, built-in auth management, a dashboard UI, and a REST-like API.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of PocketBase with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -33,7 +37,7 @@ To support the integration of PocketBase with authentik, you need to create an a
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://pocketbase.company/api/oauth2-redirect`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://pocketbase.company/api/oauth2-redirect`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/platforms/wordpress/index.md b/website/integrations/platforms/wordpress/index.md
index 9f9ea62820..8eb025e5e1 100644
--- a/website/integrations/platforms/wordpress/index.md
+++ b/website/integrations/platforms/wordpress/index.md
@@ -4,6 +4,8 @@ sidebar_label: WordPress
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is WordPress?
 
 > WordPress is an open source publishing platform used to create websites, blogs, and other web content.
@@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of WordPress with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider
@@ -37,7 +41,7 @@ To support the integration of WordPress with authentik, you need to create an ap
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and application **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`.
         - Select any available signing key.
         - Under **Advanced protocol settings** > **Scopes**, add `authentik default OAuth Mapping: OpenID 'offline_access'` to the **Selected Scopes** list.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
diff --git a/website/integrations/security/1password/index.mdx b/website/integrations/security/1password/index.mdx
index 18d81c8f8e..bae482d09f 100644
--- a/website/integrations/security/1password/index.mdx
+++ b/website/integrations/security/1password/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: 1Password
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is 1Password?
 
 > 1Password is a password management tool that simplifies the process of creating, storing, and sharing passwords. It allows you to create strong, unique passwords, securely store them in a vault, and automatically fill them in when needed.
@@ -24,6 +26,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of 1Password with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -35,7 +39,7 @@ To support the integration of 1Password with authentik, you need to create an ap
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Set **Client Type** to `Public`.
         - Note the **Client ID** and **slug** values because they will be required later.
-        - Add two `Strict` redirect URIs and set them to `https://your-domain.1password.com/sso/oidc/redirect/` and `onepassword://sso/oidc/redirect`.
+        - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://your-domain.1password.com/sso/oidc/redirect/` and `onepassword://sso/oidc/redirect`.
         - Select any available **Signing Key**.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. If you add a SCIM provider as a backchannel provider later, only users who can view this application are synchronized.
 
diff --git a/website/integrations/security/bitwarden/index.mdx b/website/integrations/security/bitwarden/index.mdx
index 10bde10045..9ec8306744 100644
--- a/website/integrations/security/bitwarden/index.mdx
+++ b/website/integrations/security/bitwarden/index.mdx
@@ -4,6 +4,7 @@ sidebar_label: Bitwarden
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
 import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx";
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -43,6 +44,8 @@ You can configure Bitwarden to use either OIDC or SAML; this guide explains both
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Bitwarden with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -55,14 +58,14 @@ To support the integration of Bitwarden with authentik, you need to create an ap
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
         - Add the redirect URIs for your Bitwarden deployment:
             - For Bitwarden Cloud US:
-                - Set a `Strict` `Authorization` redirect URI to `https://sso.bitwarden.com/oidc-signin`.
-                - Set a `Strict` `Post Logout` redirect URI to `https://sso.bitwarden.com/oidc-signedout`.
+                - Add a **Redirect URI** of type `Strict` `Authorization` as `https://sso.bitwarden.com/oidc-signin`.
+                - Add a **Redirect URI** of type `Strict` `Post Logout` as `https://sso.bitwarden.com/oidc-signedout`.
             - For Bitwarden Cloud EU:
-                - Set a `Strict` `Authorization` redirect URI to `https://sso.bitwarden.eu/oidc-signin`.
-                - Set a `Strict` `Post Logout` redirect URI to `https://sso.bitwarden.eu/oidc-signedout`.
+                - Add a **Redirect URI** of type `Strict` `Authorization` as `https://sso.bitwarden.eu/oidc-signin`.
+                - Add a **Redirect URI** of type `Strict` `Post Logout` as `https://sso.bitwarden.eu/oidc-signedout`.
             - For self-hosted Bitwarden:
-                - Set a `Strict` `Authorization` redirect URI to `https://bitwarden.company/sso/oidc-signin`.
-                - Set a `Strict` `Post Logout` redirect URI to `https://bitwarden.company/sso/oidc-signedout`.
+                - Add a **Redirect URI** of type `Strict` `Authorization` as `https://bitwarden.company/sso/oidc-signin`.
+                - Add a **Redirect URI** of type `Strict` `Post Logout` as `https://bitwarden.company/sso/oidc-signedout`.
         - Select any available **Signing Key**.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 
diff --git a/website/integrations/security/cloudflare-access/index.md b/website/integrations/security/cloudflare-access/index.md
index bbd635f768..61e736c569 100644
--- a/website/integrations/security/cloudflare-access/index.md
+++ b/website/integrations/security/cloudflare-access/index.md
@@ -4,6 +4,8 @@ sidebar_label: Cloudflare Access
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Cloudflare Access?
 
 > Cloudflare Access is a secure, cloud-based zero-trust solution for managing and authenticating user access to internal applications and resources.
@@ -29,6 +31,8 @@ Looking to integrate authentik with your Cloudflare Dashboard? See our [integrat
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Cloudflare Access with authentik, you need to create an application/provider pair in authentik.
 
 Cloudflare uses your Cloudflare Access team name in the callback URL. You can find the team name in the Cloudflare dashboard under **Settings** > **Team name and domain** > **Team name**.
@@ -41,7 +45,7 @@ Cloudflare uses your Cloudflare Access team name in the callback URL. You can fi
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Add one `Strict` redirect URI and set it to `https://company.cloudflareaccess.com/cdn-cgi/access/callback`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://company.cloudflareaccess.com/cdn-cgi/access/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 3. Click **Submit** to save the new application and provider.
diff --git a/website/integrations/security/hashicorp-vault/index.md b/website/integrations/security/hashicorp-vault/index.md
index f31df5dab4..9f14ceac9c 100644
--- a/website/integrations/security/hashicorp-vault/index.md
+++ b/website/integrations/security/hashicorp-vault/index.md
@@ -4,6 +4,8 @@ sidebar_label: HashiCorp Vault
 support_level: authentik
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is HashiCorp Vault?
 
 > HashiCorp Vault secures, stores, and controls access to tokens, passwords, certificates, encryption keys, and other sensitive data.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of HashiCorp Vault with authentik, you need to create an application and provider pair in authentik.
 
 ### Create an application and provider
@@ -33,7 +37,7 @@ To support the integration of HashiCorp Vault with authentik, you need to create
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set two `Strict` redirect URIs to `https://vault.company/ui/vault/auth/oidc/oidc/callback` and `http://localhost:8250/oidc/callback`.
+        - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://vault.company/ui/vault/auth/oidc/oidc/callback` and `http://localhost:8250/oidc/callback`.
         - Select any available signing key.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
 3. Click **Submit** to save the new application and provider.
diff --git a/website/integrations/security/vaultwarden/index.md b/website/integrations/security/vaultwarden/index.md
index a039ae91e5..9b588144d8 100644
--- a/website/integrations/security/vaultwarden/index.md
+++ b/website/integrations/security/vaultwarden/index.md
@@ -4,6 +4,8 @@ sidebar_label: Vaultwarden
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
+
 ## What is Vaultwarden?
 
 > Vaultwarden is an alternative server implementation of the Bitwarden Client API, written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
@@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of Vaultwarden with authentik, you need to create an application/provider pair in authentik.
 
 ### Create custom scope mapping
@@ -53,7 +57,7 @@ Vaultwarden requires the email scope to return either `email_verified: True` or
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://vaultwarden.company/identity/connect/oidc-signin`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://vaultwarden.company/identity/connect/oidc-signin`.
         - Select any available signing key.
         - Under **Advanced protocol settings**:
             - Set **Access token validity** to more than 5 minutes.
diff --git a/website/integrations/security/xcreds/index.mdx b/website/integrations/security/xcreds/index.mdx
index 81be6f33d9..baaf24a556 100644
--- a/website/integrations/security/xcreds/index.mdx
+++ b/website/integrations/security/xcreds/index.mdx
@@ -4,6 +4,8 @@ sidebar_label: XCreds
 support_level: community
 ---
 
+import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx";
+
 ## What is XCreds?
 
 > XCreds is an open source project for synchronizing IdP passwords with macOS login passwords. XCreds replaces the macOS login window to provide authentication to the cloud provider; a user enters their cloud password for authentication and XCreds keeps the local Mac password synchronized with the cloud password.
@@ -26,6 +28,8 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
+<RedirectURI20265Note />
+
 To support the integration of XCreds with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
@@ -36,7 +40,7 @@ To support the integration of XCreds with authentik, you need to create an appli
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://127.0.0.1/xcreds`.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://127.0.0.1/xcreds`.
         - Select any available signing key.
         - Under **Advanced protocol settings**, add `authentik default OAuth Mapping: OpenID 'offline_access'` to **Selected Scopes**.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

From 9457696385e5adea715c8ca95f54ad1ed03453c3 Mon Sep 17 00:00:00 2001
From: "Jens L." <jens@goauthentik.io>
Date: Fri, 12 Jun 2026 14:09:41 +0200
Subject: [PATCH 68/68] root: bump pyo3 (#23036)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 Cargo.lock | 21 ++++++++++-----------
 Cargo.toml |  4 ++--
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 4ec2a1c779..08179d8e4c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2642,9 +2642,9 @@ dependencies = [
 
 [[package]]
 name = "pyo3"
-version = "0.28.3"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "91fd8e38a3b50ed1167fb981cd6fd60147e091784c427b8f7183a7ee32c31c12"
+checksum = "cd274650b21d4bfc26a0a47587962c1edb425f69287324355cd040c3ea66071c"
 dependencies = [
  "libc",
  "once_cell",
@@ -2656,18 +2656,18 @@ dependencies = [
 
 [[package]]
 name = "pyo3-build-config"
-version = "0.28.3"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e368e7ddfdeb98c9bca7f8383be1648fd84ab466bf2bc015e94008db6d35611e"
+checksum = "c5e2a7d2f0d013342f295c048ad19237add5154a55b1c5a254c0ec93d4109078"
 dependencies = [
  "target-lexicon",
 ]
 
 [[package]]
 name = "pyo3-ffi"
-version = "0.28.3"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f29e10af80b1f7ccaf7f69eace800a03ecd13e883acfacc1e5d0988605f651e"
+checksum = "ca85c467da1bbc8d866eea5deff9cf29ea5f7785054a17da36e65bda9c05845b"
 dependencies = [
  "libc",
  "pyo3-build-config",
@@ -2675,9 +2675,9 @@ dependencies = [
 
 [[package]]
 name = "pyo3-macros"
-version = "0.28.3"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df6e520eff47c45997d2fc7dd8214b25dd1310918bbb2642156ef66a67f29813"
+checksum = "9ac53762fd065daa3194dd09337a38bd793a188100fd1a9304c4ab312d901771"
 dependencies = [
  "proc-macro2",
  "pyo3-macros-backend",
@@ -2687,13 +2687,12 @@ dependencies = [
 
 [[package]]
 name = "pyo3-macros-backend"
-version = "0.28.3"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c4cdc218d835738f81c2338f822078af45b4afdf8b2e33cbb5916f108b813acb"
+checksum = "4ca3a1557399783172dc5bf39cfca835157732532cba56b71d2292161e53b362"
 dependencies = [
  "heck",
  "proc-macro2",
- "pyo3-build-config",
  "quote",
  "syn",
 ]
diff --git a/Cargo.toml b/Cargo.toml
index 520f596bac..802f80573d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -48,8 +48,8 @@ metrics-exporter-prometheus = { version = "= 0.18.3", default-features = false }
 nix = { version = "= 0.31.3", features = ["hostname", "signal"] }
 notify = "= 8.2.0"
 pin-project-lite = "= 0.2.17"
-pyo3 = "= 0.28.3"
-pyo3-build-config = "= 0.28.3"
+pyo3 = "= 0.29.0"
+pyo3-build-config = "= 0.29.0"
 regex = "= 1.12.3"
 reqwest = { version = "= 0.13.4", features = [
   "form",