
Release 2026.5

We’re publishing these release notes as a preview of what's to come. To try a release candidate, find the latest RC version on GitHub releases, then update your Docker image tag accordingly.

Read more about beta testing

Highlights

  • Account Lockdown: Enterprise A new panic button for compromised accounts that can immediately cut off access, revoke tokens, end sessions, and leave an audit trail.
  • Fleet Conditional Access: Enterprise authentik can now verify user devices using Fleet certificates via the Fleet Connector and an mTLS stage, without the authentik agent.
  • AKQL is now open source: The AKQL search query language for logs and users, previously enterprise-only, is now free for everyone to use.
  • Command Palette and wizard upgrades: A new Cmd + K command palette to search the authentik UI, alongside reworked wizards including a new user creation wizard, improved binding wizard, and new invitation wizard.
  • Performance improvements: The new Rust worker entrypoint drops memory usage by approximately 200 MB per worker container, opens one fewer PostgreSQL connection per worker, and makes the Admin interface less resource-intensive through lazy-loaded modals.

Breaking changes

Listening on multiple IPs

For advanced use cases, authentik now supports setting listening settings to a comma-separated list of IPs. With this change, the default IP we listen on changed from 0.0.0.0 to [::] to better match ecosystem standards. Some IPv4-only environments might need to adapt those settings.

New features and improvements

Account Lockdown: Enterprise

Account Lockdown gives administrators and users a panic button to secure an account when compromise is suspected. From the Admin interface, an administrator can lock down a user directly from their detail page; users can also lock down their own account from Settings if they no longer trust their password or active sessions.

A lockdown can deactivate the account, invalidate the local authentik password, terminate active sessions, revoke API/app/recovery/verification/OAuth tokens and grants, and record the reason in the audit log. authentik includes a packaged blueprint with warnings, reason collection, and completion messages so teams can get started quickly and customize the experience where needed.

For setup details, refer to the Account Lockdown documentation.

Command Palette

The new command palette lets you quickly navigate authentik without clicking through menus. Press Cmd + K (or Ctrl + K on Windows and Linux) from anywhere in the UI to open it, then start typing to jump to a page, run an action, or look up a user. You can also use Cmd/Ctrl + / to jump straight into search, or Cmd/Ctrl + Shift + K to open directly to the actions list.

Results are grouped by category, including pages within authentik, users, and documentation searches that open on docs.goauthentik.io. The palette is designed to make routine admin tasks faster — useful when you know what you want to do but don't want to hunt for the right menu.

Fleet Conditional Access: Enterprise

authentik can now verify user devices based on their Fleet certificates without requiring the authentik agent, using the Fleet Connector together with an mTLS stage. For details, refer to the Fleet Conditional Access documentation.

Tap-to-login Secure Enclave support: Enterprise

Endpoint Devices now support independent Secure Enclave keys for tap-to-login. This allows iPhone and Apple Watch credentials to be bound directly to a user, so tap-to-login can work without first pairing the credential to a specific endpoint device.

WebAuthn Client Hints support

The WebAuthn Stage now supports the hints parameter from the WebAuthn Level 3 spec. Admins can configure one or more hints (security-key, client-device, or hybrid) to tell the browser which authenticator type to expect. The browser uses this to skip straight to the relevant selection UI during passkey registration and authentication, reducing friction especially in enterprise deployments where security keys are mandatory.

Keep in mind that hints are advisory — they only affect the browser UI, not policy. Authenticator type requirements still need to be enforced server-side.

2FA attempt throttling

The Authenticator Validation stage can now throttle repeated failed attempts for email and SMS OTP devices, extending the same brute-force protection already available for TOTP and static authenticators. Admins can tune throttling behavior to slow down repeated guessing attempts without changing the user's login flow.

Import hashed passwords

authentik can now bootstrap and import users with pre-hashed Django passwords, making automated installs and migrations safer by avoiding plaintext passwords in deployment workflows.

Use AUTHENTIK_BOOTSTRAP_PASSWORD_HASH for the initial akadmin password, generate hashes with the new hash_password command, or import hashes later through blueprints and the user password-hash API.

Hashed-password imports update authentik's local password verifier only. Because authentik never receives the raw password, these imports are not written back to LDAP or Kerberos sources.
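The hash format the bootstrap and import paths consume is Django's standard password-hash string. As an added example (not authentik's own code or its hash_password command), here is a standalone generator and verifier for the PBKDF2-SHA256 variant, pbkdf2_sha256$iterations$salt$base64digest, so a deployment pipeline can produce the value offline and never handle the plaintext at install time. It assumes the default Django hasher; the iteration count is a constructed choice, not authentik's default.

```python
import base64
import hashlib
import hmac
import secrets

# Django's default hasher (assumption: the format authentik's importer expects):
#   pbkdf2_sha256$<iterations>$<salt>$<base64(PBKDF2-HMAC-SHA256 digest)>
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # constructed value; match your Django version's default


def make_django_hash(password: str, salt: str = "",
                     iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a Django-compatible PBKDF2-SHA256 hash string for *password*."""
    if not salt:
        # Salt is random but not secret; it is stored inside the hash string.
        salt = secrets.token_urlsafe(16)
    if "$" in salt:
        raise ValueError("salt must not contain '$' (it is the field separator)")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    )
    encoded = base64.b64encode(digest).decode("ascii").strip()
    return f"{ALGORITHM}${iterations}${salt}${encoded}"


def check_django_hash(password: str, encoded: str) -> bool:
    """Verify *password* against a Django-format hash without importing Django."""
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt, _ = parts
    recomputed = make_django_hash(password, salt, int(iterations))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(recomputed, encoded)


if __name__ == "__main__":
    # Constructed example: emit the env var for the initial akadmin password.
    print("AUTHENTIK_BOOTSTRAP_PASSWORD_HASH=" + make_django_hash("correct horse battery staple"))
```

Use a fresh random salt per hash (the default here); the fixed-salt parameter exists only so a stored hash can be re-derived for verification.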

AKQL is now open source

The AKQL search query language was previously an enterprise-only feature for querying logs and users. AKQL is now free for everyone to use, allowing searches based on specific attributes such as context.geo.country = "Germany".

Improved UI and accessibility

Accessibility and user experience improvements have been made across the admin interface.

Form accessibility

Form labels have been updated to be more descriptive for screen readers, and now inform you of the full action that will be executed when the button is pressed. This change is being rolled out across the entire admin interface, starting with the most commonly used buttons and forms. These changes have all been reflected in the docs as well, helping to make authentik more accessible for all users.

In addition to general improvements to form accessibility, many of our modals now use the browser native <dialog> element, fixing several issues which prevented screen readers from properly traversing modal content. We'll be phasing out the remaining non-<dialog> modals over the next few releases to ensure a more consistent and accessible experience across the entire admin interface.

Wizard improvements

Wizards throughout authentik have been reworked to have fewer steps and to cover the most common use cases.

The invitation wizard in particular now makes it easy for administrators to send invites to new users. It guides admins through the process of configuring an invite system and sending the invites to users.

Service accounts are now created through the new user creation wizard, which has been reworked to be more intuitive and faster to use.

Mobile and tablet improvements

While authentik's admin interface is primarily designed for desktop use, we've made several improvements to make it more usable on mobile and tablet devices for those times when you need to make a quick change on the go.

Login improvements

The login flow has additional UI improvements to reduce friction and make it easier to use, including:

  • An improved "Remember me" option that autofocuses the most appropriate input field based on the presence of a username or password field.
  • Better error handling and messaging for failed login attempts, including more specific error messages for WebAuthn when authentication fails.
  • Additional mobile optimizations, such as better keyboard handling, field focus, and responsive design improvements to make the login flow easier to use on mobile and tablet devices.

Small general improvements (SAML issuer, hide applications)

SAML issuer: authentik now automatically generates your SAML issuer URL. You can still override the default SAML issuer.

Hide applications: You can hide applications from the My applications page for situations when a user needs access to an application that should not appear there.

info

Before authentik 2026.5, an application was hidden by setting its Launch URL to blank://blank. Existing applications using that value are automatically migrated to using the Hide from My applications option upon upgrading.

Performance improvements

The authentik worker now starts through a Rust entrypoint. Python still runs authentik's worker code, but the Rust process owns worker startup, health checks, metrics, and worker-status reporting. This removes an idle top-level Python process and has led to an approximately 200 MB drop in memory usage for a single worker container. If you're a developer, check the updated Developer Docs to install Rust.

The worker status reporting change also uses one fewer PostgreSQL connection per worker, which should put less load on the database.

The Admin interface is also less resource-intensive in the browser due to lazy-loaded modals.

OAuth2 configurable grant types

OAuth2 providers now have a Grant Types setting that lets admins explicitly choose which grant types a given provider may use. The available options are Authorization Code, Implicit, Hybrid, Refresh token, Client credentials, Password, and Device-code. Existing providers default to having all grant types enabled to preserve current behavior, but you can now disable any grant types you don't want a particular client to use — useful for tightening security on individual integrations and disabling legacy flows like Implicit or Password where they aren't needed.
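A per-provider grant-type allow-list only tightens anything if it is consulted at both the authorization endpoint (where response_type selects the flow) and the token endpoint (where grant_type does). The following is an added standalone model of that check, not authentik's implementation; the GrantType identifiers are the standard OAuth2/OIDC wire values, and the WEB_APP policy is a constructed example.

```python
from enum import Enum


class GrantType(str, Enum):
    """The grant types from the release notes, as their OAuth2/OIDC wire values."""
    AUTHORIZATION_CODE = "authorization_code"
    IMPLICIT = "implicit"
    HYBRID = "hybrid"
    REFRESH_TOKEN = "refresh_token"
    CLIENT_CREDENTIALS = "client_credentials"
    PASSWORD = "password"
    DEVICE_CODE = "urn:ietf:params:oauth:grant-type:device_code"


def grant_for_response_type(response_type: str) -> GrantType:
    """Map an authorization-endpoint response_type to the flow it starts
    (RFC 6749 / OIDC Core): "code" -> code flow, tokens only -> implicit,
    "code" plus a token -> hybrid."""
    parts = set(response_type.split())
    if parts == {"code"}:
        return GrantType.AUTHORIZATION_CODE
    if parts and parts <= {"token", "id_token"}:
        return GrantType.IMPLICIT
    if "code" in parts and parts <= {"code", "token", "id_token"}:
        return GrantType.HYBRID
    raise ValueError(f"unsupported response_type: {response_type!r}")


class ProviderGrantPolicy:
    def __init__(self, allowed: set):
        self.allowed = set(allowed)

    def authorize_allowed(self, response_type: str) -> bool:
        # Authorization endpoint: reject before any code or token is issued.
        try:
            return grant_for_response_type(response_type) in self.allowed
        except ValueError:
            return False

    def token_allowed(self, grant_type: str) -> bool:
        # Token endpoint: refresh_token is its own grant and must be enabled
        # separately; the hybrid flow also redeems its code as authorization_code.
        try:
            gt = GrantType(grant_type)
        except ValueError:
            return False
        if gt is GrantType.AUTHORIZATION_CODE:
            return bool(self.allowed & {GrantType.AUTHORIZATION_CODE, GrantType.HYBRID})
        return gt in self.allowed


# Constructed example: a web app keeps only code + refresh; implicit and
# password requests are refused at whichever endpoint they arrive.
WEB_APP = ProviderGrantPolicy({GrantType.AUTHORIZATION_CODE, GrantType.REFRESH_TOKEN})
```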

Google Chrome conditional access: Enterprise

authentik now includes a Google Device Trust connector that integrates with Chrome Enterprise Device Trust via the Chrome Verified Access API. This lets authentik validate that a user's Chrome browser or ChromeOS device is compliant — for example, running an up-to-date version with security patches applied — and use that as a signal in conditional access flows. The connector is especially useful for BYOD environments and remote workforces where device compliance can't be assumed.

New out-of-the-box experience

When setting up authentik for the first time, you will now automatically be redirected to the initial-setup flow instead of having to manually go there to complete your authentik installation.

New integration guides

An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. A big thanks to our contributors!

Integration guide updates

Upgrading

This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our Upgrade documentation.

warning

When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance.

Docker Compose

To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

wget -O docker-compose.yml https://goauthentik.io/version/2026.5/lifecycle/container/compose.yml
docker compose up -d

The -O flag writes the download to docker-compose.yml, overwriting any existing local file with that name.

Kubernetes

Upgrade the Helm Chart to the new version, using the following commands:

helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2026.5

Minor changes/fixes

API Changes