Merged
Changes from 9 commits
Commits
25 commits
319c5d8
website/docs: fix typos and style issues
dominic-r May 8, 2026
17d8af3
website/docs: fix additional style issues
dominic-r May 8, 2026
4bbaed6
website/docs: fix more typos and style issues
dominic-r May 8, 2026
93b0666
website/integrations: fix additional style issues
dominic-r May 8, 2026
6c95cca
Merge remote-tracking branch 'origin/main' into sdko/docs-typo-cleanu…
dominic-r May 8, 2026
a769c2b
website/integrations: fix additional doc style issues
dominic-r May 8, 2026
bc9f2ac
website/docs: fix remaining heading style
dominic-r May 8, 2026
0992f36
Merge branch 'main' into sdko/docs-typo-cleanup-20260507-205130
dominic-r May 8, 2026
f2a0942
Update website/docs/add-secure-apps/flows-stages/flow/examples/flows.md
dominic-r May 8, 2026
81e8811
Keep Flow Inspector capitalization
dominic-r May 8, 2026
06c0447
Preserve Flow Inspector copy edits
dominic-r May 8, 2026
1968f9f
Use upper left as location phrase
dominic-r May 8, 2026
796fee5
Capitalize Style Guide title
dominic-r May 8, 2026
74ada12
Capitalize Style Guide references
dominic-r May 8, 2026
a049824
Merge origin/main into docs typo cleanup
dominic-r May 9, 2026
38ae859
docs: restore Google Cloud position wording
dominic-r May 9, 2026
8cf0d49
docs: clarify Kimai admin group wording
dominic-r May 9, 2026
f5c592e
docs: bold Rocket.Chat UI labels
dominic-r May 9, 2026
3678851
docs: clarify HashiCorp Cloud domain wording
dominic-r May 9, 2026
1abadfb
docs: bold Organizr UI labels
dominic-r May 9, 2026
2153772
docs: preserve phpIPAM IDP field labels
dominic-r May 9, 2026
796827d
docs: preserve Salesforce JIT capitalization
dominic-r May 9, 2026
7092cc8
docs: preserve Salesforce SSO capitalization
dominic-r May 9, 2026
3018d98
docs: revise Bitwarden login verification wording
dominic-r May 9, 2026
d815a8a
docs: restore enterprise billing position wording
dominic-r May 9, 2026
2 changes: 1 addition & 1 deletion website/docs/add-secure-apps/applications/index.md
Expand Up @@ -26,7 +26,7 @@ The following options can be configured:
- _Name_: This is the name shown for the application card
- _Launch URL_: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider

You can use placeholders in the launch url to build them dynamically based on the logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username.
You can use placeholders in the launch URL to build them dynamically based on the logged-in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged-in user's username.

For a reference of all fields available, see [the API schema for the User object](https://api.goauthentik.io/reference/core-users-retrieve/).
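Review bot: the rewritten sentence now mixes "launch URL" (lowercase, generic) and "Launch URL" (the field name) in the same breath; since the option is introduced as _Launch URL_ in the list above, use the italicized field name in both places, or lowercase both when referring to the URL value rather than the field, so readers can tell the setting from the value.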

20 changes: 10 additions & 10 deletions website/docs/add-secure-apps/flows-stages/flow/examples/flows.md
Expand Up @@ -3,22 +3,22 @@ title: Example flows
---

:::info
You can apply these flows multiple times to stay updated, however this will discard all changes you've made.
You can apply these flows multiple times to stay updated; however, this discards all changes you've made.
:::

:::info
The example flows provided below will **override** the default flows, please review the contents of the example flow before importing and consider exporting the affected existing flows first.
The example flows provided below **override** the default flows. Review the contents of the example flow before importing and consider exporting the affected existing flows first.
:::

These example flow blueprints are bundled with authentik. To import one, open the authentik Admin interface, navigate to **Flows and Stages** > **Flows**, click **Import**, select **Local path**, and choose the blueprint path shown below. You can also download the blueprint manually and import it with **File upload**.

## Enrollment (2 Stage)
## Two-stage enrollment

Blueprint path: `example/flows-enrollment-2-stage.yaml`

Flow: right-click <DownloadLink to="/blueprints/example/flows-enrollment-2-stage.yaml">here</DownloadLink> and save the file.

Sign-up flow for new users, which prompts them for their username, email, password and name. No verification is done. Users are also immediately logged on after this flow.
Sign-up flow for new users that prompts them for their username, email, password, and name. No verification is done. Users are also immediately logged in after this flow.

## Enrollment with email verification
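Review bot: renaming the heading "Enrollment (2 Stage)" to "Two-stage enrollment" also changes the generated anchor, so any existing link to the old section id breaks; check the docs and any UI links for references to the old anchor before merging a heading rename in a typo PR. The two admonition rewrites are fine; "this discards all changes you've made" keeps the warning at the right strength.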

Expand All @@ -30,33 +30,33 @@ Same flow as above, with an extra email verification stage.

You'll probably have to adjust the Email stage and set your connection details.

## Two-factor Login
## Two-factor login

Blueprint path: `example/flows-login-2fa.yaml`

Flow: right-click <DownloadLink to="/blueprints/example/flows-login-2fa.yaml">here</DownloadLink> and save the file.

Login flow which follows the default pattern (username/email, then password), but also checks for the user's OTP token, if they have one configured.
Login flow that follows the default pattern (username/email, then password), but also checks for the user's OTP token, if they have one configured.

You can force two-factor authentication by editing the _Not configured action_ in the Authenticator Validation Stage.

## Login with conditional Captcha
## Log in with conditional CAPTCHA

Blueprint path: `example/flows-login-conditional-captcha.yaml`

Flow: right-click <DownloadLink to="/blueprints/example/flows-login-conditional-captcha.yaml">here</DownloadLink> and save the file.

Login flow which conditionally shows the users a captcha, based on the reputation of their IP and Username.
Login flow that conditionally shows users a CAPTCHA, based on the reputation of their IP and username.

By default, the captcha test keys are used. You can get a proper key [here](https://www.google.com/recaptcha/intro/v3.html).
By default, the CAPTCHA test keys are used. You can get a proper key [here](https://www.google.com/recaptcha/intro/v3.html).

## Recovery with email and MFA verification

Blueprint path: `example/flows-recovery-email-mfa-verification.yaml`

Flow: right-click <DownloadLink to="/blueprints/example/flows-recovery-email-mfa-verification.yaml">here</DownloadLink> and save the file.

With this recovery flow, the user is sent an email after they've identified themselves. After they click on the link in the email, they will have to verify their configured MFA device, and are prompted for a new password and immediately logged on.
With this recovery flow, the user is sent an email after they've identified themselves. After they click the link in the email, they must verify their configured MFA device, and are prompted for a new password and immediately logged in.

There's also <DownloadLink to="/blueprints/example/flows-recovery-email-verification.yaml">a version</DownloadLink> of this flow available without MFA validation at `example/flows-recovery-email-verification.yaml`, which is not recommended.
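Review bot: "Log in with conditional CAPTCHA" turns the heading into a verb phrase while the sibling heading "Two-factor login" and the description below it ("Login flow that conditionally shows users a CAPTCHA") keep the noun; "Login with conditional CAPTCHA" keeps the headings parallel and avoids reading like an instruction. Both heading edits in this hunk also change the generated anchors, so the same inbound-link check applies here.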

40 changes: 20 additions & 20 deletions website/docs/add-secure-apps/flows-stages/flow/inspector.md
@@ -1,51 +1,51 @@
---
title: Flow Inspector
title: Flow inspector
---

The Flow Inspector allows administrators to visually determine how custom flows work, inspect the current [flow context](./context/index.mdx) by stepping through the flow process and observing the Inspector with each step, and investigate issues.
The flow inspector allows administrators to visually determine how custom flows work, inspect the current [flow context](./context/index.mdx) by stepping through the flow process and observing the inspector with each step, and investigate issues.

As shown in the screenshot below, the Flow Inspector displays to the right, beside the selected flow (in this case, "Change Password"), with [information](#flow-inspector-details) about that specific flow and flow context.
As shown in the screenshot below, the flow inspector displays to the right, beside the selected flow (in this case, "Change Password"), with [information](#flow-inspector-details) about that specific flow and flow context.

![](./flow-inspector.png)

## Access the Flow Inspector
## Access the flow inspector

:::warning
Be aware that when running a flow with the Inspector enabled, the flow is still executed normally. This means that for example, a [User write](../stages/user_write/index.md) stage _will_ write user data.
Be aware that when running a flow with the inspector enabled, the flow is still executed normally. This means that, for example, a [User write](../stages/user_write/index.md) stage _will_ write user data.
:::

The Inspector is accessible to users that have been granted the [permission](../../../users-sources/access-control/permissions.md) **Can inspect a Flow's execution**, either directly or through a role. Superusers can always inspect flow executions.
The inspector is accessible to users that have been granted the [permission](../../../users-sources/access-control/permissions.md) **Can inspect a Flow's execution**, either directly or through a role. Superusers can always inspect flow executions.

### Manually running a flow with the Inspector
### Manually run a flow with the inspector

1. To access the Inspector, open the Admin interface and navigate to **Flows and Stages > Flows**.
1. To access the inspector, open the Admin interface and navigate to **Flows and Stages > Flows**.

2. Select the specific flow that you want to inspect by clicking its name in the list.

3. On the Flow's detail page, on the left side under **Execute Flow**, click **Use Inspector**.
3. On the flow's detail page, on the left side under **Execute Flow**, click **Use Inspector**.

4. The selected flow will launch in a new browser tab, with the Flow Inspector displayed to the right.
4. The selected flow launches in a new browser tab, with the flow inspector displayed to the right.

### Additional ways to access the Flow Inspector
### Additional ways to access the flow inspector

Alternatively, a user with the correct permission can launch the Inspector by adding the query parameter `?inspector` to the URL after the URL opens on a flow.
Alternatively, a user with the correct permission can launch the inspector by adding the query parameter `?inspector` to the URL after the URL opens on a flow.

Users with permissions to access the Flow Inspector see a button in the top right of the [default flow executor](./executors/if-flow.md) to open the Inspector.
Users with permissions to access the flow inspector see a button in the top-right corner of the [default flow executor](./executors/if-flow.md) to open the inspector.

When developing authentik with the debug mode enabled, the Inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However the debug mode should only be used for the development of authentik. So unless you are a developer and need the more verbose error information, the best practice for using the Flow Inspector is to assign the permission, not use debug mode.
When developing authentik with the debug mode enabled, the inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However, debug mode should only be used for the development of authentik. Unless you are a developer and need the more verbose error information, the best practice for using the flow inspector is to assign the permission, not use debug mode.

:::info Troubleshooting

- If the Flow Inspector does not launch and a "Bad request" error displays, this is likely either because you selected a flow that has a policy bound directly to it that prevents access (so the Inspector won't open because the flow can't be executed) or because you do not have [view permission](../../../users-sources/access-control/manage_permissions.md#view-permissions) on that specific flow.
- If the flow inspector does not launch and a "Bad request" error displays, this is likely either because you selected a flow that has a policy bound directly to it that prevents access (so the inspector won't open because the flow can't be executed) or because you do not have [view permission](../../../users-sources/access-control/manage_permissions.md#view-permissions) on that specific flow.
:::

### Flow Inspector Details
### Flow inspector details

The following information is shown in the Inspector:
The following information is shown in the inspector:

#### Next stage

This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`, then you will see the result here. If, however, you have them configured to re-evaluate (`Evaluate when stage is run`), then this will not show up, since the results will vary based on your input.
This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`, then you see the result here. If, however, you have them configured to re-evaluate (`Evaluate when stage is run`), then this does not show up, because the results vary based on your input.

The name and kind of the stage, as well as the unique ID, are shown.
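Review bot: lowercasing "Flow Inspector" to "flow inspector" throughout treats a named feature as a generic term, and it leaves the prose out of step with the UI label "Use Inspector" in step 3 and with the page title; the later commits in this PR ("Keep Flow Inspector capitalization", "Preserve Flow Inspector copy edits") indicate the name should stay capitalized, so keep the product name as is and retain only the genuine copy edits in this hunk ("will launch" to "launches", the added comma after "However", "top-right corner"). The warning that a flow run with the inspector enabled still executes normally, including a User write stage, is the security-relevant sentence here and reads correctly after the edit.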

Expand All @@ -55,9 +55,9 @@ Here you can see an overview of which stages have run, which is currently active

#### Current plan context

This shows you the current context. This will contain fields depending on the same, after an identification stage for example you would see "pending_user" defined.
This shows the current context. The fields depend on the active stage; after an identification stage, for example, you would see "pending_user" defined.

This data is not cleaned, so if your flow involves inputting a password, it will be shown here too.
This data is not cleaned, so if your flow involves inputting a password, it is shown here too.

#### Session ID
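Review bot: replacing "depending on the same" with "depend on the active stage" is a meaning change rather than a typo fix, and it may be slightly off: the pending_user example describes a field set by the identification stage after it has run, so the context reflects stages that have already completed, not only the active one; confirm the intended wording with the original author. For the following sentence, "not cleaned" understates the point; "not redacted" says plainly that a password submitted during the flow appears verbatim in the inspector, which is the caveat an administrator needs before running a flow with it enabled.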

Expand Up @@ -17,7 +17,7 @@ In which case, you must configure each user's email domain as a [verified custom
Alternatively, if you need to provision users with email domains that you don't control, refer to [Email handling](./create-entra-provider.md#email-handling) for more information.
:::

## Configuring you Entra ID tenant
## Configure your Entra ID tenant

1. Log in to the [Entra ID admin center](https://entra.microsoft.com).
2. Navigate to **App registrations**, click **New registration**, and set the following configurations:
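Review bot: the new heading "Configure your Entra ID tenant" changes the generated anchor as well as fixing the "you"/"your" typo, so check for inbound links to the old heading; the imperative form is consistent with the "Configure your Google Workspace organization" heading edited in the same PR.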
8 changes: 4 additions & 4 deletions website/docs/add-secure-apps/providers/gws/configure-gws.md
Expand Up @@ -7,7 +7,7 @@ For more information about using a Google Workspace provider, see the [Overview]

Your Google Workspace organization must be configured before you [create a Google Workspace provider](./create-gws-provider.md).

## Configure your Google Workspace Organization
## Configure your Google Workspace organization

The main steps to configure your Google Workspace organization are:

Expand All @@ -27,7 +27,7 @@ The main steps to configure your Google Workspace organization are:

### Create a service account

1. After the new Admin SDK API is enabled (it might take a few minutes), return to the Google Cloud console home page by clicking on **Google Cloud** in the upper left.
1. After the new Admin SDK API is enabled (it might take a few minutes), return to the Google Cloud console home page by clicking on **Google Cloud** in the upper-left.
2. Use the search bar to find and navigate to the **IAM** page.
3. On the **IAM** page, click **Service Accounts** in the left navigation pane.
4. At the top of the **Service Accounts** page, click **Create Service Account**.
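Review bot: "in the upper-left" should not be hyphenated; the hyphen belongs only when the phrase modifies a noun, as in "the upper-left corner". Either keep the original "in the upper left" (the wording the later commit "docs: restore Google Cloud position wording" returns to) or write "in the upper-left corner" to match the "top-right corner" phrasing used in the inspector page in this PR.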
Expand All @@ -38,7 +38,7 @@ The main steps to configure your Google Workspace organization are:
### Configure service account key and scopes

1. On the **Service accounts** page, click the account that you just created.
2. Click the **Keys** tab at top of the page, then click **Add Key** > **Create new key**.
2. Click the **Keys** tab at the top of the page, then click **Add Key** > **Create new key**.
3. Select **JSON** as the key type, then click **Create**.
A pop-up displays with the private key. The key can be saved to your computer as a JSON file. This key will be required when creating the Google Workspace provider in authentik.

Expand All @@ -54,7 +54,7 @@ The main steps to configure your Google Workspace organization are:
6. Log in to the Admin Console, and then navigate to **Security** > **Access and data control** > **API controls**.
7. On the **API controls** page, click **Manage Domain Wide Delegation**.
8. On the **Domain Wide Delegation** page, click **Add new**.
9. In the **Add a new client ID** box, paste in the Client ID that you copied from the Admin console earlier (the value from the downloaded JSON file) and paste in the following scope documents:
9. In the **Add a new client ID** box, paste in the Client ID that you copied from the Admin console earlier (the value from the downloaded JSON file) and paste in the following scopes:
- `https://www.googleapis.com/auth/admin.directory.user`
- `https://www.googleapis.com/auth/admin.directory.group`
- `https://www.googleapis.com/auth/admin.directory.group.member`
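Review bot: step 9 says the Client ID was "copied from the Admin console earlier" while the parenthetical says it is "the value from the downloaded JSON file"; these point the reader to two different places, so clarify which source is meant while this sentence is being touched. Replacing "scope documents" with "scopes" is correct, since the list items are OAuth scope URIs.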
4 changes: 2 additions & 2 deletions website/docs/add-secure-apps/providers/index.mdx
Expand Up @@ -5,7 +5,7 @@ slug: /providers

import DocCardList from "@theme/DocCardList";

A Provider is an authentication method, a service that is used by authentik to authenticate the user for the associated application. Common Providers are OpenID Connect (OIDC)/OAuth2, LDAP, SAML, a generic proxy provider, and others.
A provider is an authentication method, a service that is used by authentik to authenticate the user for the associated application. Common providers are OpenID Connect (OIDC)/OAuth2, LDAP, SAML, a generic proxy provider, and others.

Providers are the "other half" of [applications](../applications/index.md). They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application.

Expand All @@ -15,7 +15,7 @@ Applications can use additional providers to augment the functionality of the ma

When you create certain types of providers, you need to select specific [flows](../flows-stages/flow/index.md) to apply to users who access authentik via the provider. To learn more, refer to our [default flow documentation](../flows-stages/flow/examples/default_flows.md).

You can also create a SAML provider by uploading an SP metadata XML file that contains the service provider's configuration data. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). An SP metadata XML file typically contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService).
You can also create a SAML provider by uploading an SP metadata XML file that contains the service provider's configuration data. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). An SP metadata XML file typically contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a logout URL (SingleLogoutService).

To learn more about each provider type, refer to the documentation for each provider:

Expand Up @@ -8,8 +8,8 @@ To create a provider along with the corresponding application that uses it for a
2. Navigate to **Applications > Applications** and click **New Provider** to create an application and provider pair.
3. On the **New application** page, define the application settings, and then click **Next**.
4. Select **OAuth2/OIDC** as the **Provider Type**, and then click **Next**.
5. On the **Configure OAuth2/OpenId Provider** page, provide the configuration settings and then click **Submit** to create both the application and the provider.
5. On the **Configure OAuth2/OpenID Provider** page, provide the configuration settings and then click **Submit** to create both the application and the provider.

:::info
Optionally, configure the provider with the `offline_access` scope mapping. By default, applications only receive an access token. To receive a refresh token, applications and authentik must be configured to request the `offline_access` scope. Do this in the Scope mapping area on the **Configure OAuth2/OpenId Provider** page.
Optionally, configure the provider with the `offline_access` scope mapping. By default, applications only receive an access token. To receive a refresh token, applications and authentik must be configured to request the `offline_access` scope. Do this in the Scope mapping area on the **Configure OAuth2/OpenID Provider** page.
:::
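Review bot: "Scope mapping area" in the info box names a UI location but is the only label in the hunk left unbolded; consider "in the **Scope mapping** area" to match **Configure OAuth2/OpenID Provider** and the other UI labels on the page.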
2 changes: 1 addition & 1 deletion website/docs/add-secure-apps/providers/oauth2/index.mdx
Expand Up @@ -10,7 +10,7 @@ It's important to understand how authentik works with and supports the OAuth 2.0

authentik can act either as the OP, (OpenID Provider, with authentik as the IdP), or as the RP (Relying Party, or the application that uses OAuth 2.0 to authenticate). If you want to configure authentik as an OP, then you create a provider, then use the OAuth 2.0 provider. If you want authentik to serve as the RP, then configure a [source](../../../users-sources/sources/index.md). Of course, authentik can serve as both the RP and OP, if you want to use the authentik OAuth provider and also use sources.

All standard OAuth 2.0 flows (authorization code, client_credentials, implicit, hybrid, device code) and grant types are supported in authentik, and we follow the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html). OAuth 2.0 in authentik supports OAuth, PKCE, [Github compatibility](./github-compatibility.md) and the RP receives data from our scope mapping system.
All standard OAuth 2.0 flows (authorization code, client_credentials, implicit, hybrid, device code) and grant types are supported in authentik, and we follow the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html). OAuth 2.0 in authentik supports OAuth, PKCE, [GitHub compatibility](./github-compatibility.md), and the RP receives data from our scope mapping system.

The authentik OAuth 2.0 provider comes with all the standard functionality and features of OAuth 2.0, including the OAuth 2.0 security principles such as no cleartext storage of credentials, configurable encryption, configurable short expiration times, and the configuration of automatic rotation of refresh tokens. In short, our OAuth 2.0 protocol support provides full coverage.
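Review bot: with the added Oxford comma, "OAuth 2.0 in authentik supports OAuth, PKCE, GitHub compatibility, and the RP receives data from our scope mapping system" now reads as a four-item list whose last item is a full clause, and "OAuth 2.0 ... supports OAuth" is circular; split it into two statements, for example "OAuth 2.0 in authentik supports PKCE and GitHub compatibility. The RP receives data from our scope mapping system." The "Github" to "GitHub" fix is correct.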
