authentik version 2025.12 is here!

· 6 min read
Connor Peshek
Fun-end Developer and DevRel at Authentik Security Inc
Release walkthrough video

We also have a release walkthrough video on YouTube that shows how to implement all the new features and fix any breaking changes.

This release of authentik brings some big features, like managing endpoint devices, exporting data, and an overhaul of our permissions system.

Let's take a closer look at what's in the 2025.12 release of authentik, your favorite identity provider.

Why we revamped file management

· 4 min read
Technical Content Editor and Full-Stack Developer at Authentik Security Inc

For years, we relied on Django's built-in storage backend, which is a solid base for less complex projects, but as time passed we started to push it to its limits. However, that's not all on Django; we had some technical debt on our side. For example, before 2025.12, you could not upload a file directly to a brand; you had to provide a full URL. I'll dive into why this was the case later on.

How we really feel about AI

· 6 min read
Tana Berry
Sr. Technical Content Editor at Authentik Security Inc

To share some insight into how security teams talk, when in the comfort of our own team meetings, here's a little snapshot from last week:

The incident at Okta, with the full-circle failure of AI and the poor Okta engineer who AI-ed himself into a hot mess, generated a whole lot of conversation and took over our Friday meeting.

As Joshua Rogers aptly called it, the “AI slop security engineering” incident started with a report of two security issues to Okta's auth0/nextjs-auth0 project, along with a PR to fix them.

The incredible response from Okta was a downward spiral of AI doing everything in the worst possible way: stripping the name of the contributor from the PR and committing it, then using AI to apologize for itself, and finally refusing to remove the AI-generated details of the commit and restore the contributor's attribution.

Even more interesting than the lurid details of Okta's AI chasing its own tail, and painfully catching it, was our look inwards at how we each feel about AI, how we use it (sure, of course, we each use it to some varying degree), and what the professional and personal/moral implications are. This started a discussion amongst our team on how we collectively use, and don't use, AI in our daily professional lives.

We also discussed how we want to talk about our limited use of AI with you, our community.

We removed Redis

· 6 min read
Tana Berry
Sr. Technical Content Editor at Authentik Security Inc

In our 2025.10 release, we removed Redis as a required database. In this blog, we'll go over why we made that decision, why we wanted Redis in the first place, and how we went about removing Redis and instead relying fully on PostgreSQL.

In the software world, databases are often the unsung heroes, and decisions about their usage, schemas, and data storage practices are important, so we want to share our thinking behind this decision.

authentik version 2025.10 is here!

· 4 min read
Connor Peshek
Fun-end Developer and DevRel at Authentik Security Inc

The 2025.8 release blog post was never posted. Curious about what you missed? Check the 2025.8 release notes.

This release of authentik brings some big features that you don't want to miss, including the addition of our most requested source provider.

Let’s take a closer look at what’s in the 2025.10 release of authentik, your favorite identity provider.

authentik now supports Single Logout (SLO)

· 5 min read
Connor Peshek
Fun-end Developer and DevRel at Authentik Security Inc

Starting with version 2025.10, authentik supports both SAML single logout and OpenID Connect (OIDC) front-channel logout and back-channel logout.

This means that when you terminate a session in authentik, it sends logout requests to all properly configured applications, ending sessions everywhere.

While SAML single logout has existed for years, OIDC logout specifications are newer, and back-channel logout in particular isn't yet widely adopted by applications (service providers/relying parties) or other Identity Providers. Even the long-supported SAML single logout usually only has front-channel support from applications and IdPs.

What is single logout?

Single logout (SLO) is the natural complement to single sign-on. With single sign-on, once you authenticate to authentik, you can automatically access all other applications that use authentik as an identity provider. With single logout, once you log out of authentik, you're automatically logged out of all properly configured applications that you accessed through authentik.

Single logout works by leveraging the SAML protocol's single logout service URL and OIDC's front-channel and back-channel URLs specified in the spec. When a request is sent via the IdP to the application's configured logout URL, the application terminates the user's session.

Without single logout, when a user logs out of an IdP, their sessions stay active with every application they logged into, meaning either:

  1. The user will have to manually visit each application and log out.

  2. An administrator will have to visit each application manually and log out the user for them.

  3. The user will end up leaving a plethora of orphaned accounts that may be vulnerable to being hijacked.

Implementing EAP, EAP-TLS and more (mostly) from scratch

· 21 min read
Jens Langhammer
CTO at Authentik Security Inc

The first question you might be asking yourself after reading the title of this post is

"Why in the @#$%&! would you do that"

If that wasn't the first thing that came to your mind, you're probably wondering what EAP even is and why you should be so taken aback. Don't worry, I will try to answer both of these questions with this blog post.

authentik version 2025.6 is here!

· 4 min read
Tana Berry
Sr. Technical Content Editor at Authentik Security Inc

Over a year ago we changed our release cadence to be around every two months, to optimize the rapid delivery of new features without waiting too long and having massively large releases. Version 2025.6 is a strong indicator that this cadence works well; it’s a short, sweet bundle of new features, performance enhancements, and a few minor improvements.

Let’s take a closer look at what’s in the 2025.6 release of authentik, your favorite identity provider.

Why our customers choose authentik

· 7 min read
Fletcher Heisler
CEO at Authentik Security Inc

Identity and access management is a complex, sprawling space. Many of our largest customers come to us having implemented or inherited multiple identity providers, governance solutions, device management platforms, and other point solutions. All of these products help provide access to, or integrate with, many hundreds of applications for thousands of users (or more!) across endless groups and sub-organizations.

A few themes have emerged in why our enterprise customers most frequently choose to add yet another product and migrate their IAM needs to authentik. We will highlight some of those common use cases here in case they apply to your organization.

In short, our customers are saving time and money by streamlining their operations with a more flexible, reliable solution and a more responsive, trustworthy vendor. Here is what we most frequently hear from these customers:

Authentik release 2025.4

· 4 min read
Tana Berry
Sr. Technical Content Editor at Authentik Security Inc

With every authentik release, we highlight our commitment to delivering new features that focus on providing solutions for all of our users and the identity management challenges that they face.

Our 2025.4 release of authentik contains new features around increased configuration options for authentik Admins, with a new password history policy, the ability to pre-define a bundled set of permissions, setting reputation score limits to further harden access control, and a new "remember me" option.

This release also provides support for PostgreSQL connection pools, the Kubernetes Gateway API, and the ability to do lookups of LDAP group memberships based on user attributes.

Let's take a closer look at a few of these features.