Release 2025.12
2025.12 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates.
To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as xxxx.x.0-rc1. You can find the latest one in the latest releases on GitHub. If you don't find any, it means we haven't released one yet.
Highlights
- Endpoint Devices: Endpoint Devices is a new feature set for Windows, macOS, and Linux devices that enables SSH authentication, local device login, sudo authorization and more, all with authentik credentials.
- CSV Data Exports (Enterprise): You can now export user and event data in CSV format for backup or analysis purposes.
- RBAC Permissions: Permissions are now granted exclusively via roles, and permission inheritance and basic object permissions have been enhanced.
- Passkey Autofill (WebAuthn Conditional UI): Passkeys now appear in the browser's autofill dropdown alongside saved passwords, enabling seamless passwordless login when focusing on input fields.
Breaking changes
Storage improvements
File storage has been reworked to unify media file configuration (icons, branding options), and allow future uses of file storage including CSV Data Exports.
Files stored by authentik are now served from the /files prefix, and not from /media anymore. Any custom reverse proxy configuration handling those paths will need to be updated.
Storage mount changes
If local storage is used, authentik now expects a mount at /data for file storage. The existing /media mount must be moved to /data/media.
For Docker Compose users, the migration is as follows:
# Shut down authentik
docker compose down
# Create the new storage folder
mkdir -p ./data
# Move the old media storage to the new location
mv ./media ./data/media
# Download the new Docker Compose file with the updated paths and start authentik. See below for details.
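A guarded version of the move above, as an added example that is not part of the authentik release notes: it refuses to overwrite an existing ./data/media, compares a checksum manifest before and after the move, and lists reverse-proxy config lines that still reference the old /media prefix. The function names and the proxy config path are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not authentik's own tooling). Run from the Docker Compose
# project directory after `docker compose down`.

# Print a sorted "sha256  ./relative-path" manifest of every file under $1.
manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort)
}

# Move $1/media to $1/data/media.
# Returns 1 if there is nothing to migrate, 2 if the target already exists,
# 3 if the file manifest differs after the move.
migrate_media() {
    local base="$1" before after
    [ -d "$base/media" ] || { echo "no $base/media to migrate" >&2; return 1; }
    [ ! -e "$base/data/media" ] || { echo "$base/data/media already exists" >&2; return 2; }
    before=$(manifest "$base/media")
    mkdir -p "$base/data"
    mv "$base/media" "$base/data/media"
    after=$(manifest "$base/data/media")
    [ "$before" = "$after" ] || { echo "manifest mismatch after move" >&2; return 3; }
}

# Print (with line numbers) the lines of a reverse-proxy config file that
# still mention the old /media prefix and need review now that files are
# served from /files.
stale_media_routes() {
    grep -nE '/media([^[:alnum:]_-]|$)' "$1" || true
}

# Usage (proxy config path is a placeholder):
#   migrate_media . && stale_media_routes /path/to/reverse-proxy.conf
```

`mv` keeps ownership and permissions on the moved files; the manifest check matters mainly when ./media and ./data sit on different filesystems and the move becomes a copy.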
Storage configuration changes
New storage configuration options are available. See the storage settings reference for details.
New features and improvements
Endpoint devices
Endpoint Devices are end-user devices or servers that are registered with authentik.
Devices can be integrated by installing the authentik Agent which supports:
- Local device login with authentik credentials
- Connecting via SSH to Endpoint Devices with authentik credentials
- Sudo authorization with authentik credentials
- Authenticating to CLI applications such as kubectl and AWS with authentik credentials
Alternatively, Connectors allow authentik to be integrated with third party services like Fleet. This allows for device information to be reported to authentik for Device Compliance purposes.
CSV Data Exports (Enterprise)
authentik now allows you to export user and event data in CSV format for backup or analysis purposes. The exported content matches that returned by the API endpoints for the respective object types. You can access past data exports from System Management > Data Exports, where you can view the query used for each export, search by data type and user, download completed exports, and delete exports you no longer need.
See Data Exports documentation for more details.
Passkey Autofill (WebAuthn Conditional UI)
WebAuthn Conditional UI allows passkeys to appear directly in the browser's autofill dropdown alongside saved passwords. When a user focuses on a login input field, their registered passkeys are presented as autofill options, enabling a seamless passwordless authentication experience without requiring users to explicitly select a passkey option first.
This feature improves the discoverability of passkeys and reduces friction for users who have registered WebAuthn credentials, making passwordless login as intuitive as traditional password autofill.
RBAC Permissions
Our RBAC now focuses more strongly on the use of roles to grant permissions to users and groups. The 2025.12 release also adds support for multiple parents for a group, permissions inherited from ancestors, assignment of one or more roles to a single group, and enforcement of unique names for groups. Additionally, object permissions are auto-assigned to the object's creator via managed roles, to ensure CRUD rights.
Files
authentik now provides a centralized file management system for storing and organizing image files used throughout the platform. This includes application icons, source icons, and branding assets such as logos, favicons, and flow background images. Files can be uploaded and managed from Customization > Files in the Admin interface. By default, files are stored on disk, but S3 storage can also be configured.
See Files documentation for more details.
UI improvements on mobile and tablet devices
Flows now work better on smaller screens, including fixes for scrollbars on mobile and tablet devices, smarter login card shadows, and better form label alignment. If you use custom styles, you may need to revise them.
Localization improvements
A locale selector is now available on the login screen, allowing users to choose their preferred language before authenticating. The selected locale persists for the browser session, and after authentication, user attributes take priority over the session preference if configured. We've also improved locale detection and updated our locale management to make future translations easier.
Promoted source
Sources can now be promoted to display as primary buttons on the login page instead of small icons. This allows administrators to emphasize preferred social login providers (such as Google, GitHub, or Discord) by giving them more visual prominence in the authentication flow, making it easier for users to identify and select their preferred login method.
Glossary
We have replaced our too-short Terminology page with a richer Glossary, with terms that are searchable by tags or first letter.
Upgrading
This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our Upgrade documentation.
When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance.
Docker Compose
To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
wget -O docker-compose.yml https://goauthentik.io/version/2025.12/docker-compose.yml
docker compose up -d
The -O flag saves the download as docker-compose.yml, overwriting any existing local file with the same name.
Kubernetes
Upgrade the Helm Chart to the new version, using the following commands:
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.12