[HOW-TO] Send automatic email invite during invitation creation

[stiw47]

First of all I would like to say that I am not dev at all. I used google, used little bit help of GPT, made below scripts, and they are working for my use case. Of course, I am open for suggestions and improvements, if anybody is interested to comment.

TBH, I was surprised when I saw that we have possibility to create invitation enrollment URLs, and there is no out of box option to send created URL automatically via email (or some other channel) to the invited person. Similar what the heck surprise as for there is no simple option (out of box) for users to upload their avatar 😂. Luckily, we have this guy @drpetersen who solved avatar mystery here: #6824 (BIG THANKS!), but this is now some other story, and not related with my post. However, no matter, if we ignore these odd's, really good peace of software, and I can see that we getting new features with updates - THANKS FOR THAT! I also understand that Authentik guys most probably cannot implement everything at once.

I will describe how I accomplished to automatically send email invitation to invited person when invitation is created. This email also contain invitation enrollment URL and other important data. I will describe 3 different approaches:

1. Sending text mail invitation with the help of policy in Authentik
2. Sending fancy HTML mail invitation with the help of policy in Authentik
3. Sending fancy HTML mail invitation with the help of the python script on the host, outside of Authentik containers

This guide presume that you already have some enrollment flow, so that invitation URL will open enrollment flow for invited user. I made my enrollment flow with the help of this guide: https://youtu.be/mGOTpRfulfQ?t=424 Please note that first half of this video is about how to enable "Sign Up" link on Authentik login page. This way, everyone from the internet would be able to register in your Authentik. I have some feeling that most of the home lab users wouldn't want that, rather would want that invited people only could register. If you share my opinion/use case, then ignore first part of the video and watch second part, i.e. from the link timestamp. If you already have your enrollment flow - ignore provided video at all.

Ok, once when you have enrollment flow, let's setup automatic email invite. This also presume that you already have your email parameters (username, password, etc.) loaded as environment variables in Authentik, and your email is working. Here is a little background:

• I am running Authentik with docker compose (as most of you)
• I am using official docker-compose.yaml, which is slightly edited. These edits are not relevant with the first and second approaches of this guide, I will describe edits and why I made it, in third approach

So, ok, regarding email environment variables I mentioned before, this is what I have in my .env file (and what is related to email). I will use here some dummy domains, passwords, etc. of course:

AUTHENTIK_EMAIL__HOST=smtp.my.mail
AUTHENTIK_EMAIL__PORT=465
AUTHENTIK_EMAIL__USERNAME=admin@my.domain
AUTHENTIK_EMAIL__PASSWORD=app-password-here
AUTHENTIK_EMAIL__USE_TLS=false
AUTHENTIK_EMAIL__USE_SSL=true
AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM="Technical Support <admin@my.domain>"

First approach - Sending text mail invitation with the help of policy in Authentik

1. Go to Events > Notification Rules and create dummy empty fake notification rule like this:
   
   As you can see, this ^ rule doing nothing. But I don't know some other way that I can attach policy which would be executed when invitation is created. And in this certain case, policy (going next) is python script which:

• Listening for new events
• Filtering events and waiting for app == authentik_stages_invitation and model_name == invitation, this means invitation created
• Composing and sending email

2. Expand previously created Notification Rule, and go to Create and bind Policy (I already have policy bound on screenshot):
   

3. Choose Expression Policy and Next:
   

4. Give Policy the name, paste python script I will provide in next steps into Expression field, and click Next:
   

5. Click Finish on last screen, you can leave all default:
   

After this, you should have your Policy bound to your Notification Rule.

Python script/expression

This is the script which should be pasted into Expression field from step 4:

# Import necessary modules
import os
import smtplib
from email.mime.text import MIMEText
from django.apps import apps
from datetime import datetime

AUTHENTIK_DOMAIN_NAME = "my.domain"
invited_email = "admin@my.domain"
invited_name = "Padawan"
invited_username = "Padawan"

# Ensure the policy is triggered by an event
if "event" not in request.context:
    return False

event = request.context["event"]

# Check if the event action is 'model_created' and pertains to the 'invitation' model
if event.action == "model_created" and event.context.get("model", {}).get("app") == "authentik_stages_invitation" and event.context.get("model", {}).get("model_name") == "invitation":
    
    # Retrieve the Invitation model
    Invitation = apps.get_model("authentik_stages_invitation", "invitation")
    
    # Fetch the specific invitation instance using the primary key from the event context
    try:
        invitation = Invitation.objects.get(pk=event.context["model"]["pk"])
    except Invitation.DoesNotExist:
        return False

    # Extract invitation's fixed_data (custom attributes)
    custom_attributes = invitation.fixed_data
    if (custom_attributes.get("email") != None):
        invited_email = custom_attributes.get("email")
    if (custom_attributes.get("name") != None):
        invited_name = custom_attributes.get("name")
    if (custom_attributes.get("username") != None):
        invited_username = custom_attributes.get("username")

    # Extract invitation's expire date and format it to more eye friendly
    expires_date = datetime.fromisoformat(str(invitation.expires))
    expires_friendly = expires_date.strftime("%a, %b %d, %Y, %I:%M%p %Z")

    # Create invitation URL
    invitation_uid = event.context.get("model", {}).get("pk")
    invitation_url = f"https://{AUTHENTIK_DOMAIN_NAME}/if/flow/enrollment-invitation/?itoken={invitation_uid}"
    
    if not invited_email or not invited_name or not invited_username or not expires_date or not invitation_uid or not invitation_url:
        return False

    # Email configuration
    email_sender = os.environ.get('AUTHENTIK_EMAIL__USERNAME')
    email_password = os.environ.get('AUTHENTIK_EMAIL__PASSWORD')
    email_from = os.environ.get('AUTHENTIK_EMAIL__FROM')
    email_server = os.environ.get('AUTHENTIK_EMAIL__HOST')
    email_port = int(os.environ.get('AUTHENTIK_EMAIL__PORT'))

    if not email_sender or not email_password or not email_from or not email_server or not email_port:
        return False

    # Create the email content
    email_subject = f"{invited_name}, you're Invited!"
    email_body = f"Hello {invited_name},\n\nYou've been invited to join. Please use the following link to accept the invitation:\n\n{invitation_url}\n\nInvitation link expires on: {expires_friendly}\n\nBest regards,\nThe {AUTHENTIK_DOMAIN_NAME} Team"
    email_msg = MIMEText(email_body)
    email_msg['Subject'] = email_subject
    email_msg['From'] = email_from
    email_msg['To'] = invited_email

    # Send the email
    try:
        if email_port == 465:
            with smtplib.SMTP_SSL(email_server, email_port) as server:
                server.login(email_sender, email_password)
                server.sendmail(email_sender, email_msg['To'], email_msg.as_string())
        elif email_port == 587:
            with smtplib.SMTP(email_server, email_port) as server:
                server.starttls()  # Secure the connection
                server.login(email_sender, email_password)
                server.sendmail(email_sender, email_msg['To'], email_msg.as_string())
        else:
            return False
    except Exception as e:
        return False

    return True

return False

Few more notes

Lines 8-11 - change variable values to your own values:

AUTHENTIK_DOMAIN_NAME = "my.domain"
invited_email = "admin@my.domain"
invited_name = "Padawan"
invited_username = "Padawan"

AUTHENTIK_DOMAIN_NAME is fixed variable and will not be changed anywhere during script execution.
For other 3 - as soon as I explain how to use this and how to create invitation in order that mail being sent to some desired address, I will also explain why I set them initially to above values.

How to create invitation in order that invited party get email

Go to Directory > Invitations > Create, and except of invitation Name, Expires and Flow, fill also some data in Custom attributes. This is important, because the script/policy will get the value of the email field from Custom attributes and this will be receiver email address for your invitation. I am usually using following data (not mandatory, will explain):

{
  "name": "Johnny Silverhand",
  "username": "stiw47",
  "email": "stiw47@some.mail
}

At this point, you are done. Once when you click Create, if you followed previous guide carefully and set everything without mistake, stiw47@some.mail should receive the email with invitation URL and rest of the basic body text and subject from this part of the script:

    email_subject = f"{invited_name}, you're Invited!"
    email_body = f"Hello {invited_name},\n\nYou've been invited to join. Please use the following link to accept the invitation:\n\n{invitation_url}\n\nInvitation link expires on: {expires_friendly}\n\nBest regards,\nThe {AUTHENTIK_DOMAIN_NAME} Team"

As said, any of above fields is not mandatory, but I'm using username and name cause I figured out if I fill it like this, then Sign Up form will be already pre-populated with respective values, once when invited user open invitation URL, like below:

This not limiting username, name not even the email to ones pre-populated. Enrolled user can change any of those (and in my flow, user will have email verification stage), but people are usually lazy and not thinking too much outside of box, so in 99% cases I know I will find new user as I set it in Custom attributes.

Little more background

Once when you create invitation, it ends in Authentik's PostgreSQL DB, in table authentik_stages_invitation_invitation:

 < 👙 root@archmedia: docker-compose-nginx 🛃 > # docker exec -it authentik-postgresql psql -U authentik -d authentik -c "select * from authentik_stages_invitation_invitation;"
             invite_uuid              |        expires         |                                    fixed_data                                    | created_by_id | single_use | expiring |     name     |               flow_id                
--------------------------------------+------------------------+----------------------------------------------------------------------------------+---------------+------------+----------+--------------+--------------------------------------
 9be55f5a-7ece-472c-b15a-a5477c64a365 | 2025-02-28 17:04:00+00 | {"name": "Johnny Silverhand", "email": "stiw47@some.mail", "username": "stiw47"} |            41 | t          | t        | ytgiuojuigyu | fdac801a-ee0c-4539-92e3-a4ab458b219e
(1 row)

As you can see, all your Custom attributes ends in column fixed_data. So below part of the Python script is in charge to pull them:

    # Retrieve the Invitation model
    Invitation = apps.get_model("authentik_stages_invitation", "invitation")
    
    # Fetch the specific invitation instance using the primary key from the event context
    try:
        invitation = Invitation.objects.get(pk=event.context["model"]["pk"])
    except Invitation.DoesNotExist:
        return False

    # Extract invitation's fixed_data (custom attributes)
    custom_attributes = invitation.fixed_data
    if (custom_attributes.get("email") != None):
        invited_email = custom_attributes.get("email")
    if (custom_attributes.get("name") != None):
        invited_name = custom_attributes.get("name")
    if (custom_attributes.get("username") != None):
        invited_username = custom_attributes.get("username")

So what I said few paragraphs before, I am setting above variables to some initial values in order that email has some Hey <name> if I decide to skip the name, or that email goes to my inbox if I decide to skip email. TBH, now when I'm looking, I am not using username anywhere in email 😂😂.

One more thing: From my knowledge, SMTP IMAP mails are using either 465 or 587 port. If anyone anywhere is using some other port except of these two (I don't think so, right?), then script would need to be edited.

I think this is enough for now, probably already starts to be confusing. I will write second and third approaches most probably tomorrow, and much more short. Basically, setting workflow for second approach is the same, with the difference that you have prepared HTML mail template on storage, and python script should be slightly edited to replace text placeholders such as {{ url }}, {{ user.name }}... with actual data, and send this HTML template instead of plain text.

Be free to ask if something is not clear, and I would really like to hear opinions, suggestions, etc.
Cheers

[mvanderlee]

Great guide thank you!

I had to change this line to ensure it worked with AWS SES.

- server.sendmail(email_sender, email_msg['To'], email_msg.as_string())

+ server.sendmail(email_from, email_msg['To'], email_msg.as_string())

[stiw47]

Thank you for nice words, I am glad to hear someone is using it 😁. Yeah, I need to do what I promised, part about HTML mail from policy (less guide job writing), and from the host (little bit more), but time.... damn time. Will try to accomplish it since I promised (on the other hand, wanted to see will someone use it 🤣)

[peknoViking]

That's the best guide that I find
Thanks

[ashkaty]

This guide is awesome! For some reason though, I'm having a hard time getting my policy to trigger. I even tripped the policy back a lot so that anytime any event that matches "authentik_stages_invitation" and "model_created", the policy will trigger. But looking at the logs, I see no mention of the policy triggering. I also properly set up the notification to send to admins using the default authentik notification transport just see if the notification itself would trigger, but no luck. If you know why this is happening or have some troubleshooting tips, that'd be awesome! I'd love to get this working

[func0der]

Why isn't this a feature?
We only have this VERY confusing guide here https://docs.goauthentik.io/docs/users-sources/user/invitations

It suggests that we can do this, but in the end we just have invitation links and they say

Copy the URL and send it in an email to the people you want to invite to enroll.

Shouldn't invitations be an included feature for a SSO solution?
If not, then I loved to hear more about the reasoning, if somebody could point me towards it.

[caplam]

Thank you for this guide. It's a missing feature of authentik.
I just had to edit the script to adjust to my enrollment flow. Perhaps it's possible to catch the flow name as you have to select which flow to use when you create an invite.

[bartolomesoriano]

@stiw47 thank you so much! Will you be posting the third method? That is the one I am most interested in, so I can send the email from my own app outside of Authentik. Again, thank you for your guide.

[stiw47]

Dude.... I don't ignore you, I saw your message same day when written, and did not forget. Will give my best those days to finish this.

[stiw47]

@bartolomesoriano : Done, sry for delay.

[nikolaioak]

I spent some time tinkering on the second method regarding providing an html email (as well as a plain text email fallback).

Main differences are:

• from email.mime.multipart import MIMEMultipart
• updating the email_msg to MIMEMultipart('alternative')
• creating an html f-string (I used the account_confirmation.html and base.html templates from my authentik install as a reference)
• providing both text and html to the email_msg via:

email_plain = MIMEText(email_body_txt, 'plain')
email_html = MIMEText(email_body_html, 'html')

email_msg.attach(email_plain)
email_msg.attach(email_html)

This version also uses server.sendmail(email_from, email_msg['To'], email_msg.as_string()) for AWS SES (thanks @mvanderlee).

Full script (modified from the original provided - much thanks to @stiw47, obviously edit for style and language as you see fit):

# Import necessary modules
import os
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from django.apps import apps
from datetime import datetime

AUTHENTIK_DOMAIN_NAME = "my.domain"
invited_email = "admin@my.domain"
invited_name = "test"
invited_username = "testuser"

# Ensure the policy is triggered by an event
if "event" not in request.context:
    return False

event = request.context["event"]

# Check if the event action is 'model_created' and pertains to the 'invitation' model
if event.action == "model_created" and event.context.get("model", {}).get("app") == "authentik_stages_invitation" and event.context.get("model", {}).get("model_name") == "invitation":
    
    # Retrieve the Invitation model
    Invitation = apps.get_model("authentik_stages_invitation", "invitation")
    
    # Fetch the specific invitation instance using the primary key from the event context
    try:
        invitation = Invitation.objects.get(pk=event.context["model"]["pk"])
    except Invitation.DoesNotExist:
        return False

    # Extract invitation's fixed_data (custom attributes)
    custom_attributes = invitation.fixed_data
    if (custom_attributes.get("email") != None):
        invited_email = custom_attributes.get("email")
    if (custom_attributes.get("name") != None):
        invited_name = custom_attributes.get("name")
    if (custom_attributes.get("username") != None):
        invited_username = custom_attributes.get("username")

    # Extract invitation's expire date and format it to more eye friendly
    expires_date = datetime.fromisoformat(str(invitation.expires))
    expires_friendly = expires_date.strftime("%a, %b %d, %Y, %I:%M%p %Z")

    # Create invitation URL
    invitation_uid = event.context.get("model", {}).get("pk")
    invitation_url = f"https://{AUTHENTIK_DOMAIN_NAME}/if/flow/default-enrollment-flow/?itoken={invitation_uid}"
    
    if not invited_email or not invited_name or not invited_username or not expires_date or not invitation_uid or not invitation_url:
        return False

    # Email configuration
    email_sender = os.environ.get('AUTHENTIK_EMAIL__USERNAME')
    email_password = os.environ.get('AUTHENTIK_EMAIL__PASSWORD')
    email_from = os.environ.get('AUTHENTIK_EMAIL__FROM')
    email_server = os.environ.get('AUTHENTIK_EMAIL__HOST')
    email_port = int(os.environ.get('AUTHENTIK_EMAIL__PORT'))

    if not email_sender or not email_password or not email_from or not email_server or not email_port:
        return False

    # Create the email content
    email_msg = MIMEMultipart('alternative')
    email_subject = f"{invited_name}, you're Invited!"
    email_msg['Subject'] = email_subject
    email_msg['From'] = email_from
    email_msg['To'] = invited_email
    
    email_body_html = f"""
        <!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtm=l">

<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta name="viewport" content="width=device-width">
</head>

<body style="font-family: Arial, sans-serif; font-size: 14px; color: #fffff;">
    <div>
        <center>
            <div style="-ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%; table-layout: fixed; width: 100%; max-width: 548px; padding: 60px 10px; font-size: 14px;">
                <table border="0" align="center" width="100%">
                    <tr>
                        <td style="padding: 20px; border: 1px solid #d8dee9; background-color: #fffff;">
                            <table width="100%" style="background-color: #fffff; border-spacing: 0; margin-top: 15px;">
                                <tr height="80">
                                    <td align="center" style="padding: 20px 0;">
                                        <img src="<logo url>" border="0=" alt="authentik logo" style="height: auto; max-width: 100%; max-height: 35px;">
                                    </td>
                                </tr>
                            </table>
                        </td>
                    </tr>
                    <tr>
                        <td>
                            <table border="0" style="margin-top: 10px; background-color: #fffff;" width="100%">
                                <tr>
                                    <td style="background: #FAFBFB;">
                                        <table style="width: 100%;">
                                            <tr>
                                                <td align="center">
                                                    <h1>You're invited!</h1>
                                                </td>
                                            </tr>
                                            <tr>
                                                <td align="center">
                                                    <table border="0">
                                                        <tr>
                                                            <td align="center" style="max-width: 350px; padding: 20px 0; color: #212124;">
                                                                Hi {invited_name}! You're invited ...
                                                            </td>
                                                        </tr>
                                                        <tr>
                                                            <td align="center" style="text-decoration: none; color: #FFF; background-color: #4c566a; border: solid #4c566a; width: 100%; line-height: 2em; font-weight: bold; text-align: center; cursor: pointer; display: inline-block; text-transform: capitalize;" class="btn ">
                                                                <a id="accept" href="{invitation_url}" target="_blank" style="color: #fff;">Accept Invitation</a>
                                                            </td>
                                                        </tr>
                                                        <tr>
                                                            <td align="center" style="max-width: 350px; padding: 20px 0; color: #212124;">
                                                                This invitation link expires on: <br> {expires_friendly}
                                                            </td>
                                                        </tr>
                                                    </table>
                                                </td>
                                            </tr>
                                            <td>
                                                <tr>
                                                    <td style="padding: 20px; font-size: 12px; color: #212124;word-break: break-all; overflow-wrap: break-word;" align="center">
                                                        If that doesn't work, copy and paste the following link in your browser: <br>{invitation_url}
                                                    </td>
                                                </tr>
                                        </table>
                                    </td>
                                </tr>
                            </table>
                        </td>
                    </tr>
                    <tr>
                        <td align="center">
                            Powered by authentik.
                        </td>
                    </tr>
                </table>
            </div>
        </center>
    </div>
</body>

</html>
    """
    email_body_txt = f"Hello {invited_name},\n\nYou've been invited to join. Please use the following link to accept the invitation:\n\n{invitation_url}\n\nInvitation link expires on: {expires_friendly}\n\nBest regards,\nThe {AUTHENTIK_DOMAIN_NAME} Team"
    email_plain = MIMEText(email_body_txt, 'plain')
    email_html = MIMEText(email_body_html, 'html')

    email_msg.attach(email_plain)
    email_msg.attach(email_html)

    # Send the email
    try:
        if email_port == 465:
            with smtplib.SMTP_SSL(email_server, email_port) as server:
                server.login(email_sender, email_password)
                server.sendmail(email_sender, email_msg['To'], email_msg.as_string())
        elif email_port == 587:
            with smtplib.SMTP(email_server, email_port) as server:
                server.starttls()  # Secure the connection
                server.login(email_sender, email_password)
                server.sendmail(email_from, email_msg['To'], email_msg.as_string())
        else:
            return False
    except Exception as e:
        return False

    return True

return False

[bartolomesoriano]

@nikolaioak , thank you! I ended up writing my own app in python to create the invitation via authentik API and send an email to the user with instructions for enrollment, among other functions.

[stiw47]

@nikolaioak : Thank you for your contribution. Sorry for delay, I am overloaded with few hundreds other stuff. I just posted my solution as well, I more like it when have html template as separate file.

[stiw47]

Guys, sorry for the huge delay....

Second approach - Sending fancy HTML mail invitation with the help of policy in Authentik

I will try to be shorter, but I have problem with that 😂😂. Basically, everything is the same as in the first approach, just a python script aka policy is slightly edited, so it can provide external .html file instead of inline body. And obviously, we will have external .htmlfile. But anyway, will write all steps (in shorter form 😁). Don't forget to change script variables values to your domain, mail, html template path, etc. they are on the top of the script.

1. Go to Events > Notification Rules and create dummy empty fake notification rule like this:
   

2. Expand previously created Notification Rule, and go to Create and bind Policy (I already have policy bound on screenshot):
   

3. Choose Expression Policy and Next:
   

4. Give the name to the Policy, paste python script I will provide in next steps into Expression field, and click Next:
   

5. Click Finish on last screen, you can leave all default:
   

After this, you should have your Policy bound to your Notification Rule.

Python script/expression

This is the script which should be pasted into Expression field from step 4:

# Import necessary modules
import os
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from django.apps import apps
from datetime import datetime

# Define variables
AUTHENTIK_DOMAIN_NAME = "my.domain"
AUTHENTIK_ENROLMENT_FLOW_IDENTIFIER = "<identifier of your flow>"
HTML_TEMPLATE_PATH = "/templates/invitation.html"
invited_email = "admin@my.domain"
invited_name = "Padawan"
invited_username = "Padawan"

# Ensure the policy is triggered by an event
if "event" not in request.context:
    return False

event = request.context["event"]

# Check if the event action is 'model_created' and pertains to the 'invitation' model
if event.action == "model_created" and event.context.get("model", {}).get("app") == "authentik_stages_invitation" and event.context.get("model", {}).get("model_name") == "invitation":

	# Check if HTML template exist on storage
    if not os.path.exists(HTML_TEMPLATE_PATH):
        return False
    
    # Retrieve the Invitation model
    Invitation = apps.get_model("authentik_stages_invitation", "invitation")
    
    # Fetch the specific invitation instance using the primary key from the event context
    try:
        invitation = Invitation.objects.get(pk=event.context["model"]["pk"])
    except Invitation.DoesNotExist:
        return False

    # Extract invitation's fixed_data (custom attributes)
    custom_attributes = invitation.fixed_data
    if (custom_attributes.get("email") != None):
        invited_email = custom_attributes.get("email")
    if (custom_attributes.get("name") != None):
        invited_name = custom_attributes.get("name")
    if (custom_attributes.get("username") != None):
        invited_username = custom_attributes.get("username")

    # Extract invitation's expire date and format it to more eye friendly
    expires_date = datetime.fromisoformat(str(invitation.expires))
    expires_friendly = expires_date.strftime("%a, %b %d, %Y, %I:%M%p %Z")

    # Create invitation URL
    invitation_uid = event.context.get("model", {}).get("pk")
    invitation_url = f"https://{AUTHENTIK_DOMAIN_NAME}/if/flow/{AUTHENTIK_ENROLMENT_FLOW_IDENTIFIER}/?itoken={invitation_uid}"
    
    if not invited_email or not invited_name or not invited_username or not expires_date or not invitation_uid or not invitation_url:
        return False

    # Email configuration
    email_sender = os.environ.get('AUTHENTIK_EMAIL__USERNAME')
    email_password = os.environ.get('AUTHENTIK_EMAIL__PASSWORD')
    email_from = os.environ.get('AUTHENTIK_EMAIL__FROM')
    email_server = os.environ.get('AUTHENTIK_EMAIL__HOST')
    email_port = int(os.environ.get('AUTHENTIK_EMAIL__PORT'))

    if not email_sender or not email_password or not email_from or not email_server or not email_port:
        return False

    # Send the email
    try:
        with open(HTML_TEMPLATE_PATH, "r", encoding="utf-8") as f:
            html_content = f.read()

        formatted_html = (
            html_content
            .replace("{{ user.name }}", invited_name)
            .replace("{{ url }}", invitation_url)
            .replace("{{ expires }}", expires_friendly)
        )

        # Create the email content
        email_subject = f"{AUTHENTIK_DOMAIN_NAME} | Enrollment Invitation!"
        email_msg = MIMEMultipart()
        email_msg['Subject'] = email_subject
        email_msg['From'] = email_from
        email_msg['To'] = invited_email
        email_msg.attach(MIMEText(formatted_html, "html"))

        if email_port == 465:
            with smtplib.SMTP_SSL(email_server, email_port) as server:
                server.login(email_sender, email_password)
                server.sendmail(email_sender, email_msg['To'], email_msg.as_string())

        elif email_port == 587:
            with smtplib.SMTP(email_server, email_port) as server:
                server.starttls()  # Secure the connection
                server.login(email_sender, email_password)
                server.sendmail(email_sender, email_msg['To'], email_msg.as_string())

        else:
            return False

    except Exception as e:
        return False

    return True

return False

Guys, don't be mad on me, I wrote it long time ago and maybe forgot everything I changed compared to first approach (and I am lazy to compare now 😋), but if I remember correct, below part where we opening and "attaching" external .html file is different:

.......

    try:
        with open(HTML_TEMPLATE_PATH, "r", encoding="utf-8") as f:
            html_content = f.read()

        formatted_html = (
            html_content
            .replace("{{ user.name }}", invited_name)
            .replace("{{ url }}", invitation_url)
            .replace("{{ expires }}", expires_friendly)
        )

        # Create the email content
        email_subject = f"{AUTHENTIK_DOMAIN_NAME} | Enrollment Invitation!"
        email_msg = MIMEMultipart()
        email_msg['Subject'] = email_subject
        email_msg['From'] = email_from
        email_msg['To'] = invited_email
        email_msg.attach(MIMEText(formatted_html, "html"))

......

External .html file....

There are plenty of "html email builder" sites over internet, and I really don't remember where I created my .html template. Just pick some online builder of your choice (and without ads 🫠), and do it. I will provide my template, but it is huge, so before that want to mention few things, so then .html template goes as the end of this message:

• I don't want to provide a .gif I am using as a background (fair enough 😋), and I will replace GIF's URL with <paste your GIF URL here> string. So Ctrl+F for mentioned string, and put the URL of some your favorite GIF, which is publicly available. Also search for <paste your logo URL here>, and also for <paste your site URL here> and for paste your site name here. Side note, there is also falback in this HTML, so it show gradient background in Outlook, since it not support animated GIF in email body.
• In above python script aka policy, variable HTML_TEMPLATE_PATH = "/templates/invitation.html" is the location and file name, where you should put your .html template on your storage. Or if you more like it explained from opposite way 😅, put your template where ever you want, and set HTML_TEMPLATE_PATH variable for that path. Please note this path should be from the point of view of the Authentik container, and not from the POV of your host (script/policy is running in container).
• Maybe worthy to mention, there are {{ user.name }}, {{ expires }} and {{ url }} in .html template. These are actually placeholders which python script change when open template, and populate with their actual values from:

            .replace("{{ user.name }}", invited_name)
            .replace("{{ url }}", invitation_url)
            .replace("{{ expires }}", expires_friendly)

Anyway, this does not need to be changed in template, just as side note.
I hope I did not forget something.

HTML Template:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" lang="en">
<head>
<title></title>
<meta charset="UTF-8" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<!--[if !mso]>-->
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<!--<![endif]-->
<meta name="x-apple-disable-message-reformatting" content="" />
<meta content="target-densitydpi=device-dpi" name="viewport" />
<meta content="true" name="HandheldFriendly" />
<meta content="width=device-width" name="viewport" />
<meta name="format-detection" content="telephone=no, date=no, address=no, email=no, url=no" />
<style type="text/css">
table {
border-collapse: separate;
table-layout: fixed;
mso-table-lspace: 0pt;
mso-table-rspace: 0pt
}
table td {
border-collapse: collapse
}
.ExternalClass {
width: 100%
}
.ExternalClass,
.ExternalClass p,
.ExternalClass span,
.ExternalClass font,
.ExternalClass td,
.ExternalClass div {
line-height: 100%
}
body, a, li, p, h1, h2, h3 {
-ms-text-size-adjust: 100%;
-webkit-text-size-adjust: 100%;
}
html {
-webkit-text-size-adjust: none !important
}
body, #innerTable {
-webkit-font-smoothing: antialiased;
-moz-osx-font-smoothing: grayscale
}
#innerTable img+div {
display: none;
display: none !important
}
img {
Margin: 0;
padding: 0;
-ms-interpolation-mode: bicubic
}
h1, h2, h3, p, a {
line-height: inherit;
overflow-wrap: normal;
white-space: normal;
word-break: break-word
}
a {
text-decoration: none
}
h1, h2, h3, p {
min-width: 100%!important;
width: 100%!important;
max-width: 100%!important;
display: inline-block!important;
border: 0;
padding: 0;
margin: 0
}
a[x-apple-data-detectors] {
color: inherit !important;
text-decoration: none !important;
font-size: inherit !important;
font-family: inherit !important;
font-weight: inherit !important;
line-height: inherit !important
}
u + #body a {
color: inherit;
text-decoration: none;
font-size: inherit;
font-family: inherit;
font-weight: inherit;
line-height: inherit;
}
a[href^="mailto"],
a[href^="tel"],
a[href^="sms"] {
color: inherit;
text-decoration: none
}
</style>
<style type="text/css">
@media (min-width: 481px) {
.hd { display: none!important }
}
</style>
<style type="text/css">
@media (max-width: 480px) {
.hm { display: none!important }
}
</style>
<style type="text/css">
@media (max-width: 480px) {
.t35{padding-bottom:70px!important}.t37,.t57{width:480px!important}.t10,.t16,.t22,.t33,.t4,.t42,.t49,.t53{width:420px!important}.t6{mso-line-height-alt:50px!important;line-height:50px!important}.t18{mso-line-height-alt:11px!important;line-height:11px!important}.t13{line-height:38px!important;font-size:28px!important;mso-text-raise:3px!important}.t55{padding-top:60px!important;padding-bottom:60px!important}
}
</style>
<!--[if !mso]>-->
<link href="https://fonts.googleapis.com/css2?family=Albert+Sans:wght@400;700;900&amp;family=Inter+Tight:wght@800&amp;display=swap" rel="stylesheet" type="text/css" />
<!--<![endif]-->
<!--[if mso]>
<xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
<o:PixelsPerInch>96</o:PixelsPerInch>
</o:OfficeDocumentSettings>
</xml>
<![endif]-->
</head>
<body id="body" class="t61" style="min-width:100%;Margin:0px;padding:0px;background-color:#ffffff;"><div class="t60" style="background-color:#ffffff;"><table role="presentation" width="100%" cellpadding="0" cellspacing="0" border="0" align="center"><tr><td class="t59" style="font-size:0;line-height:0;mso-line-height-rule:exactly;background-color:#ffffff;" valign="top" align="center">
<!--[if mso]>
<v:background xmlns:v="urn:schemas-microsoft-com:vml" fill="true" stroke="false">
<v:fill color="#ffffff"/>
</v:background>
<![endif]-->
<table role="presentation" width="100%" cellpadding="0" cellspacing="0" border="0" align="center" id="innerTable"><tr><td align="center">
<table width="680" class="t38" role="presentation" cellpadding="0" cellspacing="0" style="Margin-left:auto;Margin-right:auto;background-color:purple;background-image:linear-gradient(purple, orange);"><tr>

<td class="t37" style="background-image:url(<paste your GIF URL here>);background-repeat:no-repeat;background-size:cover;background-position:center center;width:680px;">

  <table class="t36" role="presentation" cellpadding="0" cellspacing="0" width="100%" style="width:100%;"><tr><td class="t35" style="padding:60px 30px 100px 30px;"><table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="width:100% !important;"><tr><td align="center">
    <table class="t34" role="presentation" cellpadding="0" cellspacing="0" style="Margin-left:auto;Margin-right:auto;"><tr>
    <!--[if mso]>
    <td width="475" class="t33" style="background:rgba(1,1,1,0.5);width:475px;">
    <![endif]-->
    <!--[if !mso]>-->
    <td class="t33" style="background:rgba(1,1,1,0.5);width:475px;">
    <!--<![endif]-->
    <table class="t32" role="presentation" cellpadding="0" cellspacing="0" width="100%" style="width:100%;"><tr><td class="t31"><table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="width:100% !important;"><tr><td><div class="t1" style="mso-line-height-rule:exactly;mso-line-height-alt:10px;line-height:10px;font-size:1px;display:block;">&nbsp;&nbsp;</div></td></tr><tr><td align="center">
    <table class="t5" role="presentation" cellpadding="0" cellspacing="0" style="Margin-left:auto;Margin-right:auto;"><tr>
    <!--[if mso]>
    <td width="475" class="t4" style="width:475px;">
    <![endif]-->
    <!--[if !mso]>-->
    <td class="t4" style="width:475px;">
    <!--<![endif]-->
    <table class="t3" role="presentation" cellpadding="0" cellspacing="0" width="100%" style="width:100%;"><tr><td class="t2" style="padding:0 10px 0 10px;"><div style="font-size:0px;"><img class="t0" style="display:block;border:0;height:auto;width:100%;Margin:0;max-width:100%;" width="455" height="129.03125" alt="" src="<paste your logo URL here>"/></div></td></tr></table>
    </td></tr></table>
    </td></tr><tr><td><div class="t6" style="mso-line-height-rule:exactly;mso-line-height-alt:90px;line-height:90px;font-size:1px;display:block;">&nbsp;&nbsp;</div></td></tr><tr><td align="center">
    <table class="t11" role="presentation" cellpadding="0" cellspacing="0" style="Margin-left:auto;Margin-right:auto;"><tr>
    <!--[if mso]>
    <td width="444" class="t10" style="width:444px;">
    <![endif]-->
    <!--[if !mso]>-->
    <td class="t10" style="width:444px;">
    <!--<![endif]-->
    <table class="t9" role="presentation" cellpadding="0" cellspacing="0" width="100%" style="width:100%;"><tr><td class="t8"><p class="t7" style="margin:0;Margin:0;font-family:Albert Sans,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Arial,sans-serif;line-height:32px;font-weight:900;font-style:normal;font-size:30px;text-decoration:none;text-transform:none;direction:ltr;color:#FFFFFF;text-align:center;mso-line-height-rule:exactly;mso-text-raise:1px;">Welcome {{ user.name }}!</p></td></tr></table>
    </td></tr></table>
    </td></tr><tr><td><div class="t12" style="mso-line-height-rule:exactly;mso-line-height-alt:56px;line-height:56px;font-size:1px;display:block;">&nbsp;&nbsp;</div></td></tr><tr><td align="center">
    <table class="t17" role="presentation" cellpadding="0" cellspacing="0" style="Margin-left:auto;Margin-right:auto;"><tr>
    <!--[if mso]>
    <td width="445" class="t16" style="width:445px;">
    <![endif]-->
    <!--[if !mso]>-->
    <td class="t16" style="width:445px;">
    <!--<![endif]-->
    <table class="t15" role="presentation" cellpadding="0" cellspacing="0" width="100%" style="width:100%;"><tr><td class="t14"><h1 class="t13" style="margin:0;Margin:0;font-family:Albert Sans,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Arial,sans-serif;line-height:39px;font-weight:700;font-style:normal;font-size:40px;text-decoration:none;text-transform:none;direction:ltr;color:#FFFFFF;text-align:center;mso-line-height-rule:exactly;">Ready to start?</h1></td></tr></table>
    </td></tr></table>
    </td></tr><tr><td><div class="t18" style="mso-line-height-rule:exactly;mso-line-height-alt:16px;line-height:16px;font-size:1px;display:block;">&nbsp;&nbsp;</div></td></tr><tr><td align="center">
    <table class="t23" role="presentation" cellpadding="0" cellspacing="0" style="Margin-left:auto;Margin-right:auto;"><tr>
    <!--[if mso]>
    <td width="444" class="t22" style="width:444px;">
    <![endif]-->
    <!--[if !mso]>-->
    <td class="t22" style="width:444px;">
    <!--<![endif]-->
    <table class="t21" role="presentation" cellpadding="0" cellspacing="0" width="100%" style="width:100%;"><tr><td class="t20"><p class="t19" style="margin:0;Margin:0;font-family:Albert Sans,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Arial,sans-serif;line-height:32px;font-weight:400;font-style:normal;font-size:21px;text-decoration:none;text-transform:none;direction:ltr;color:#FFFFFF;text-align:center;mso-line-height-rule:exactly;mso-text-raise:3px;">We want you in our club! Let’s get started by enrolling your account. Just click the button below, and the party starting! 🚀🎉<br><br><span style="font-size:12px;">Below link is valid until: {{ expires }}!</span></p></td></tr></table>
    </td></tr></table>
    </td></tr><tr><td><div class="t24" style="mso-line-height-rule:exactly;mso-line-height-alt:56px;line-height:56px;font-size:1px;display:block;">&nbsp;&nbsp;</div></td></tr><tr><td align="center">
    <table class="t29" role="presentation" cellpadding="0" cellspacing="0" style="Margin-left:auto;Margin-right:auto;"><tr>
    <!--[if mso]>
    <td width="220" class="t28" style="background-color:#000000;overflow:hidden;width:220px;border-radius:4px 4px 4px 4px;">
    <![endif]-->
    <!--[if !mso]>-->
    <td class="t28" style="background-color:#000000;overflow:hidden;width:220px;border-radius:4px 4px 4px 4px;">
    <!--<![endif]-->
    <table class="t27" role="presentation" cellpadding="0" cellspacing="0" width="100%" style="width:100%;"><tr><td class="t26" style="text-align:center;line-height:48px;mso-line-height-rule:exactly;mso-text-raise:10px;padding:0 10px 0 10px;"><a class="t25" href="{{ url }}" rel="noopener noreferrer" style="display:block;margin:0;Margin:0;font-family:Inter Tight,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Arial,sans-serif;line-height:48px;font-weight:800;font-style:normal;font-size:14px;text-decoration:none;text-transform:uppercase;letter-spacing:0.65px;direction:ltr;color:#FFFFFF;text-align:center;mso-line-height-rule:exactly;mso-text-raise:10px;" target="_blank">Create Account</a></td></tr></table>
    </td></tr></table>
    </td></tr><tr><td><div class="t30" style="mso-line-height-rule:exactly;mso-line-height-alt:20px;line-height:20px;font-size:1px;display:block;">&nbsp;&nbsp;</div></td></tr></table></td></tr></table>
    </td></tr></table>
    </td></tr></table></td></tr></table>
    </td></tr></table>
    </td></tr><tr><td align="center">
    <table class="t58" role="presentation" cellpadding="0" cellspacing="0" style="Margin-left:auto;Margin-right:auto;"><tr>
    <!--[if mso]>
    <td width="680" class="t57" style="background-color:#000000;width:680px;">
    <![endif]-->
    <!--[if !mso]>-->
    <td class="t57" style="background-color:#000000;width:680px;">
    <!--<![endif]-->
    <table class="t56" role="presentation" cellpadding="0" cellspacing="0" width="100%" style="width:100%;"><tr><td class="t55" style="padding:80px 30px 80px 30px;"><table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="width:100% !important;"><tr><td align="center">
    <table class="t54" role="presentation" cellpadding="0" cellspacing="0" style="Margin-left:auto;Margin-right:auto;"><tr>
    <!--[if mso]>
    <td width="475" class="t53" style="background-color:transparent;width:475px;">
    <![endif]-->
    <!--[if !mso]>-->
    <td class="t53" style="background-color:transparent;width:475px;">
    <!--<![endif]-->
    <table class="t52" role="presentation" cellpadding="0" cellspacing="0" width="100%" style="width:100%;"><tr><td class="t51"><table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="width:100% !important;"><tr><td align="center">
    <table class="t43" role="presentation" cellpadding="0" cellspacing="0" style="Margin-left:auto;Margin-right:auto;"><tr>
    <!--[if mso]>
    <td width="475" class="t42" style="width:475px;">
    <![endif]-->
    <!--[if !mso]>-->
    <td class="t42" style="width:475px;">
    <!--<![endif]-->
    <table class="t41" role="presentation" cellpadding="0" cellspacing="0" width="100%" style="width:100%;"><tr><td class="t40"><p class="t39" style="margin:0;Margin:0;font-family:Albert Sans,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Arial,sans-serif;line-height:22px;font-weight:400;font-style:normal;font-size:14px;text-decoration:none;text-transform:none;direction:ltr;color:#FFFFFF;text-align:center;mso-line-height-rule:exactly;mso-text-raise:2px;">If that doesn't work, copy and paste the following link in your browser: {{ url }}</p></td></tr></table>
    </td></tr></table>
    </td></tr><tr><td><div class="t44" style="mso-line-height-rule:exactly;mso-line-height-alt:20px;line-height:20px;font-size:1px;display:block;">&nbsp;&nbsp;</div></td></tr><tr><td align="center">
    <table class="t50" role="presentation" cellpadding="0" cellspacing="0" style="Margin-left:auto;Margin-right:auto;"><tr>
    <!--[if mso]>
    <td width="475" class="t49" style="width:475px;">
    <![endif]-->
    <!--[if !mso]>-->
    <td class="t49" style="width:475px;">
    <!--<![endif]-->
    <table class="t48" role="presentation" cellpadding="0" cellspacing="0" width="100%" style="width:100%;"><tr><td class="t47"><p class="t46" style="margin:0;Margin:0;font-family:Albert Sans,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Arial,sans-serif;line-height:22px;font-weight:400;font-style:normal;font-size:14px;text-decoration:none;text-transform:none;direction:ltr;color:#FFFFFF;text-align:center;mso-line-height-rule:exactly;mso-text-raise:2px;">Powered by <a class="t45" href="<paste your site URL here>" style="margin:0;Margin:0;font-weight:700;font-style:normal;font-size:14px;text-decoration:none;direction:ltr;color:blue;mso-line-height-rule:exactly;" target="_blank">paste your site name here</a>.</p></td></tr></table>
    <div class="t44" style="mso-line-height-rule:exactly;mso-line-height-alt:20px;line-height:20px;font-size:1px;display:block;">&nbsp;&nbsp;</div>
    <table class="t41" role="presentation" cellpadding="0" cellspacing="0" width="100%" style="width:100%;"><tr><td class="t40"><p class="t39" style="margin:0;Margin:0;font-family:Albert Sans,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Arial,sans-serif;line-height:22px;font-weight:400;font-style:normal;font-size:14px;text-decoration:none;text-transform:none;direction:ltr;color:#FFFFFF;text-align:center;mso-line-height-rule:exactly;mso-text-raise:2px;">We are really sad if you are using some desktop email client, so you're not able to see this email in it's full glory and power of beauty - please enable remote content for this email in your client 🎉🎊, or check it from web browser!<br>We are even more sad if you are using MS Outlook for desktop, so you cannot see full beauty of this email at all!<br> 😢🫣💔🦆🦽⛅🧩♻️</p></td></tr></table>
    </td></tr></table>
    </td></tr></table></td></tr></table>
    </td></tr></table>
    </td></tr></table></td></tr></table>
    </td></tr></table>
    </td></tr></table></td></tr></table></div><div class="gmail-fix" style="display: none; white-space: nowrap; font: 15px courier; line-height: 0;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</div></body>
    </html>

[stiw47]

Third approach - Sending fancy HTML mail invitation with the help of the python script on the host, outside of Authentik containers

As we said in the first post, once when you create invitation, it ends in Authentik's PostgreSQL DB, in table authentik_stages_invitation_invitation. Example:

< 👙 root@archmedia: docker-compose-nginx 🛃 > # docker exec -it authentik-postgresql psql -U authentik -d authentik -c "select * from authentik_stages_invitation_invitation;"
             invite_uuid              |        expires         |                                    fixed_data                                    | created_by_id | single_use | expiring |     name     |               flow_id                
--------------------------------------+------------------------+----------------------------------------------------------------------------------+---------------+------------+----------+--------------+--------------------------------------
 9be55f5a-7ece-472c-b15a-a5477c64a365 | 2025-02-28 17:04:00+00 | {"name": "Johnny Silverhand", "email": "stiw47@some.mail", "username": "stiw47"} |            41 | t          | t        | ytgiuojuigyu | fdac801a-ee0c-4539-92e3-a4ab458b219e
(1 row)

So we need some mechanism to monitor changes in DB, and send email event based, i.e. when new row appear in above table. So we can create TRIGGER in DB and the function which will send the TRIGGER and data from newly created row.

Login to your Authentik's PostgreSQL DB. In my case, my DB container has name authentik-postgresql:

 < 🚇 root@archmedia: docker-compose-authentik 🐹 > # docker ps -a --format "table {{.Names}}\t{{.Status}}\t{{.RunningFor}}" | head -1; docker ps -a --format "table {{.Names}}\t{{.Status}}\t{{.RunningFor}}" | grep authentik
NAMES                              STATUS                  CREATED
authentik-postgresql               Up 20 hours (healthy)   20 hours ago
authentik-redis                    Up 2 days (healthy)     3 days ago
authentik                          Up 2 days (healthy)     3 weeks ago
authentik-worker                   Up 2 days (healthy)     3 weeks ago

Enter into DB container shell (change CT name below to the name of your CT), and connect to the DB:

 < 👌 root@archmedia: docker-compose-authentik 🐝 > # docker exec -it authentik-postgresql bash
dfe63b50f228:/# psql -U authentik
psql (16.9)
Type "help" for help.

authentik=#

Execute below queries to create a function and TRIGGER:

-- Step 1: Create the trigger function
CREATE OR REPLACE FUNCTION notify_insert() RETURNS TRIGGER AS $$
BEGIN
    PERFORM pg_notify('table_insert', row_to_json(NEW)::TEXT);
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

-- Step 2: Attach the trigger to your table
CREATE TRIGGER after_insert_notify
AFTER INSERT ON authentik_stages_invitation_invitation
FOR EACH ROW
EXECUTE FUNCTION notify_insert();

You can paste whole above block for function into terminal at once like this:

And whole block for the trigger like this:

Optionally, you can check if succeeded. See last two lines for the trigger:

authentik=# \d authentik_stages_invitation_invitation
           Table "public.authentik_stages_invitation_invitation"
    Column     |           Type           | Collation | Nullable | Default 
---------------+--------------------------+-----------+----------+---------
 invite_uuid   | uuid                     |           | not null | 
 expires       | timestamp with time zone |           |          | 
 fixed_data    | jsonb                    |           | not null | 
 created_by_id | integer                  |           | not null | 
 single_use    | boolean                  |           | not null | 
 expiring      | boolean                  |           | not null | 
 name          | character varying(50)    |           | not null | 
 flow_id       | uuid                     |           |          | 
Indexes:
    "authentik_stages_invitation_invitation_pkey" PRIMARY KEY, btree (invite_uuid)
    "authentik_s_expires_96f4b8_idx" btree (expires)
    "authentik_s_expirin_4f8096_idx" btree (expiring, expires)
    "authentik_s_expirin_4f8f35_idx" btree (expiring)
    "authentik_stages_invitation_invitation_created_by_id_87fe9398" btree (created_by_id)
    "authentik_stages_invitation_invitation_flow_id_66945236" btree (flow_id)
    "authentik_stages_invitation_invitation_name_00580941" btree (name)
    "authentik_stages_invitation_invitation_name_00580941_like" btree (name varchar_pattern_ops)
Foreign-key constraints:
    "authentik_stages_inv_created_by_id_87fe9398_fk_authentik" FOREIGN KEY (created_by_id) REFERENCES authentik_core_user(id) DEFERRABLE INITIALLY DEFERRED
    "authentik_stages_inv_flow_id_66945236_fk_authentik" FOREIGN KEY (flow_id) REFERENCES authentik_flows_flow(flow_uuid) DEFERRABLE INITIALLY DEFERRED
Triggers:
    after_insert_notify AFTER INSERT ON authentik_stages_invitation_invitation FOR EACH ROW EXECUTE FUNCTION notify_insert()

And this one for the function:

authentik=# \df
                           List of functions
 Schema |     Name      | Result data type | Argument data types | Type 
--------+---------------+------------------+---------------------+------
 public | notify_insert | trigger          |                     | func
(1 row)

I would say, this ^ should be persistent. I mean, we are all using volumes for DB data, and I also know that this TRIGGER and this function were survived few Postgres updates, and several container restarts/recreations in my case.

Ok, now we have something which will "send the data". Now we need something which will listen for these data, and send email on data appear, and it is a python script:

import psycopg2
import select
import json
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from datetime import datetime

# Database connection settings
DB_NAME = "authentik"
DB_USER = "authentik"
DB_PASSWORD = "2jcKXB3tw0zL43rBUN1skGhuxwFty8D5QAHHA7ZG" # change to your DB password
DB_HOST = "172.18.0.2"  # Change to the IP of your DB, docker DB IP. Also be aware this script could run only from host where your containe running, cause docker IP will not be visible to some other host
DB_PORT = "5432"

# Email configuration
EMAIL_HOST = "<your email smtp server>"
EMAIL_PORT = 587 # have to be 587. If you are using 465, then python script needs to be slightly edited in order to use SMTP_SSL, not SMTP. You can combine "if email_port" logic from the script in previous post for this
EMAIL_USER = "admin@my.domain"
EMAIL_FROM = "Technical Support or what else <admin@my.domain>"
EMAIL_PASSWORD = "<your password for SMTP, on popular mail providers, this is usually called app password>"


# File paths and other
LOG_FILE = "/root/docker-compose-authentik/ak_invitations_logs/ak_invitations.log"  # Change path as needed
HTML_TEMPLATE_PATH = "/root/docker-compose-authentik/custom-templates/invitation.html"
AUTHENTIK_DOMAIN_NAME = "my.domain"
AUTHENTIK_ENROLMENT_FLOW_IDENTIFIER = "<identifier of your flow>"

def send_invitation_email(recipient_email, name, invite_uuid, expires):
    """Send an email using an HTML template"""
    try:
        # Read the HTML template
        with open(HTML_TEMPLATE_PATH, "r", encoding="utf-8") as f:
            html_content = f.read()

        # Construct the URL
        invitation_url = f"https://{AUTHENTIK_DOMAIN_NAME}/if/flow/{AUTHENTIK_ENROLMENT_FLOW_IDENTIFIER}/?itoken={invitation_uid}"

        # Replace placeholders in the template
        expires_date = datetime.fromisoformat(expires)
        expires_friendly = expires_date.strftime("%a, %b %d, %Y, %I:%M%p %Z")
        formatted_html = (
            html_content
            .replace("{{ user.name }}", name)
            .replace("{{ url }}", invitation_url)
            .replace("{{ expires }}", expires_friendly)
        )

        # Create the email message
        msg = MIMEMultipart()
        msg["From"] = EMAIL_FROM
        msg["To"] = recipient_email
        msg["Subject"] = "stiw47 | Enrollment Invitation"

        msg.attach(MIMEText(formatted_html, "html"))  # Ensure HTML content type

        # Send the email
        server = smtplib.SMTP(EMAIL_HOST, EMAIL_PORT)
        server.starttls()
        server.login(EMAIL_USER, EMAIL_PASSWORD)
        server.sendmail(EMAIL_USER, recipient_email, msg.as_string())
        server.quit()

        print(f"Email successfully sent to {recipient_email}")

    except Exception as e:
        print(f"Failed to send email to {recipient_email}: {e}")

def listen_for_inserts():
    """Connect to PostgreSQL and listen for insert notifications."""
    conn = psycopg2.connect(
        dbname=DB_NAME,
        user=DB_USER,
        password=DB_PASSWORD,
        host=DB_HOST,
        port=DB_PORT
    )
    conn.set_isolation_level(psycopg2.extensions.ISOLATION_LEVEL_AUTOCOMMIT)

    cur = conn.cursor()
    cur.execute("LISTEN table_insert;")  # Listen for the trigger notification

    print("Listening for new inserts in 'authentik_stages_invitation_invitation' table...")

    while True:
        if select.select([conn], [], [], 5) == ([], [], []):
            continue
        conn.poll()
        while conn.notifies:
            notify = conn.notifies.pop(0)
            row_data = notify.payload

            # Write log
            with open(LOG_FILE, "a") as f:
                f.write(row_data + "\n")  # Append JSON data of inserted row to file

            # Parse JSON and extract recipient details
            try:
                row_json = json.loads(row_data)
                recipient_email = row_json["fixed_data"]["email"]
                name = row_json["fixed_data"]["name"]
                invite_uuid = row_json["invite_uuid"]
                expires = row_json["expires"]

                # Send email
                send_invitation_email(recipient_email, name, invite_uuid, expires)

            except (json.JSONDecodeError, KeyError) as e:
                print(f"Error processing log entry: {e}")

if __name__ == "__main__":
    listen_for_inserts()

Several notes (you know me 😂):

• Read carefully all # comments I added above after variables, they are all important
• This approach not using at all your email parameters from Authentik. As you can see above, all email parameters are defined within script, and python is sending email
• Variable LOG_FILE <- I added some logging.
• Variable HTML_TEMPLATE_PATH <- same as in previous post, put your HTML template on storage. You can use same template from the previous post
• I am pretty sure that you can find your DB_PASSWORD in your .env file shipped with docker-compose.yaml. Variable name is PG_PASS.

Now we have a problem. Most of the times, when docker container restarts (actually, I think each time), it's docker IP being changed. And in script, we are listening for the TRIGGER in DB via DB IP:

DB_HOST = "172.18.0.2"

So I slightly edited docker-compose.yaml to set fixed IP. This is the part related with Postgres, to not paste whole docker-compose.yaml, since it is big:

networks:
  docker-compose-authentik_default:
    external: true

services:
  postgresql:
    container_name: authentik-postgresql
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
    networks:
      docker-compose-authentik_default:
        ipv4_address: 172.18.0.2

Side note, I done the same for other Authentik containers as well, so all of them have fixed IPs, e.g. (but this is not relevant, nor mandatory):

    networks:
      docker-compose-authentik_default:
        ipv4_address: 172.18.0.5

    networks:
      docker-compose-authentik_default:
        ipv4_address: 172.18.0.3

    networks:
      docker-compose-authentik_default:
        ipv4_address: 172.18.0.4

Ok, now we have only one remain problem, since in order that this works, you need manually to start the script, and of course to do this after each host reboot, so I created systemd service:

 < 🐡 root@archmedia: docker-compose-authentik 🚸 > # cat /etc/systemd/system/ak-invitations.service 
[Unit]
Description=PostgreSQL Insert Logger and mail sender for Authentik Invitations
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/python /root/docker-compose-authentik/ak_invitations_logs/ak_invitations.py
Restart=always
RestartSec=5
StandardOutput=append:/root/docker-compose-authentik/ak_invitations_logs/ak_invitations_insert_logger.log
StandardError=append:/root/docker-compose-authentik/ak_invitations_logs/ak_invitations_insert_logger.log

[Install]
WantedBy=multi-user.target

More logging ^ 😁

And set it to run on boot:

systemctl daemon-reload
systemctl enable --now ak-invitations

Check carefully my paths provided in the script and where else, and replace with your paths.
Please let me know if something is not clear, or if I made some mistake. I used this approach shortly, very soon I switched to approach via Authentik policy expression described before, and could be possible that I forgot something here.

Thx

[sbisbilo]

Hi,
Did some try to add a auto assignment group?

Thanks

[lunarstrider]

For anyone wondering about group membership (@sbisbilo)

• you can specify a single group in any 'user write' stage during the enrollment flow
  This is limited, and there is caveats to parent groups..

• The other solution is very explained here : https://unhexium.net/authentik/authentik-group-assignment-on-invitation-usage/

[viretius]

If someone like me has multiple invite flows and doesn’t want to manually adjust AUTHENTIK_ENROLMENT_FLOW_IDENTIFIER every time:

AUTHENTIK_ENROLMENT_FLOW_IDENTIFIER  = invitation.flow.slug
if (custom_attributes.get("enrollment-flow") != None):
     AUTHENTIK_ENROLMENT_FLOW_IDENTIFIER  = custom_attributes.get("enrollment-flow")

You can either set the enrollment flow directly in the custom attributes when creating the invite, or leave it empty and the flow selected during invite creation will automatically be used.

[melizeche]

We have been working on making the invitation UX better
Regarding this issue, a few things that could help:

Since authentik 2025.10, there's the ak_send_email function that can be used for sending emails from an expression policy https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_send_emailaddress-str--liststr-subject-str-body-str--none-stage-emailstage--none-template-str--none-context-dict--none-cc-str--liststr--none-bcc-str--liststr--none---bool

---

#19823 was recently merged and is kinda related, it allows you to send invitation emails to users using the UI (or the API)

Also the Invitation creation wizard(WIP): #20399

These last 2 features will be available in the next version(2026.5). Let us know what you think about them 👍