
User interface overview

End-users who are accessing their applications via authentik typically only access the User interface, not the Admin interface. (There are exceptions; some end-users have permissions to also access the Admin interface, while some end-users never go to the User interface, but rather log directly into their application using authentik behind the scenes.)

Conversely, administrators for an authentik instance work primarily in the Admin interface; that is where administrators add applications, create new users and groups, manage system settings, and more.

info

This document covers the basic tasks that end-users accomplish in the User interface. All of our technical documentation is available to all users, but note that the vast majority of it is for the Admin interface, because the User interface is for simple end-user tasks.

Access the User interface

As an end-user, you will typically first see the User interface when you log into authentik. The main page of the User interface is the My applications page, where all of the applications that you access via authentik are displayed.

To view your own settings, click the gear icon in the upper right. The following sections are displayed on the page:

User details

This section of the User interface displays (and allows you to edit if you have the requisite permissions) the fields below. Note that these are the options available in a default authentik instance; administrators can customize which options show up here.

  • Username: the username is the unique identifier associated with the user, and is required for logging in. This value can only be edited by the user if the global System settings are configured to allow all users to change their username, or if the attribute goauthentik.io/user/can-change-username has been added to the Attributes field for a specific user (overriding the global System setting).
  • Name: a display name, or nickname, for the user. Similar to the username, whether the user can edit this value can be set globally in System settings, or per user with the attribute goauthentik.io/user/can-change-name.
  • Email: the email address for the user. Whether the user can edit this value can also be set globally in System settings, or per user by adding the attribute goauthentik.io/user/can-change-email to the Attributes field for a specific user (overriding the global System setting).
  • Locale: override any global locale settings and either choose a specific language or select Auto-Detect, which relies on the locale settings of the user's browser.
  • Change your password: if a user has the permission to update their password, they can do so here.

Sessions

This tab shows all active sessions for the user. Here you can delete sessions, including the current one (which would result in an automatic log out) or a session on a remote device.

You can view applications to which you gave consent to allow authentik to share your profile user data with the application.

When an administrator adds the Consent stage to an authorization flow, the user logging in is presented with a pop-up confirmation page asking if they agree to allow the application to directly request their account data (typically profile and email address) from the source. The user clicks Continue to give consent.

For more information refer to our documentation on the Consent stage.

MFA Devices

This is where users can add and configure a new MFA device for accessing authentik. The three default options for MFA are:

  • Static tokens: authentik generates 6 single-use tokens.
  • TOTP device: using your preferred authenticator, scan the QR code, enter the code from the authenticator into the authentik prompt, and then click Continue. For authenticators that do not support QR scanning, you can copy the secret and paste it into your authenticator.
  • WebAuthn device: this option uses the WebAuthn/FIDO2/Passkeys Authenticator setup stage to allow the user to create a passkey for the device.

An authentik administrator can add additional MFA options for users, such as Email, SMS, or Duo, by adding the stage for that authentication method to the flow.

LDAP providers and MFA

Because LDAP does not natively support OTP, authentik supports appending the OTP code to the password for situations where the protocol is LDAP and the user is required to use MFA. If enabled, the user can enter the authenticator's code as part of the bind/authentication password, separated by a semicolon. For example, for the password example-password and the MFA code 123456, the input in the password field must be example-password;123456.
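As an added illustration (not authentik's own code), the sketch below computes a TOTP code from a copied secret, builds the password;code bind string described above, and shows one way a server could split it again. The RFC 6238 parameters (SHA-1, 30-second step, 6 digits), the function names, the sample secret, and the split-on-last-semicolon rule are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

SEPARATOR = ";"  # separator described on this page

# Constructed sample secret (the RFC 6238 test key, base32-encoded).
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, at: Optional[float] = None,
         digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed parameters, see lead-in)."""
    cleaned = secret_b32.upper().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    key = base64.b32decode(cleaned)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def bind_password(password: str, code: str) -> str:
    """Build the value for the LDAP bind password field."""
    if not (code.isascii() and code.isdigit()):
        raise ValueError("MFA code must be numeric")
    return f"{password}{SEPARATOR}{code}"


def split_bind_password(value: str) -> Tuple[str, Optional[str]]:
    """Split on the LAST separator so passwords containing ';' still work.

    Returns (value, None) when no numeric code follows the last separator.
    """
    password, sep, code = value.rpartition(SEPARATOR)
    if sep and code.isascii() and code.isdigit():
        return password, code
    return value, None


if __name__ == "__main__":
    print(bind_password("example-password", totp(SAMPLE_SECRET)))
```

With this splitting rule, a password that itself ends in a semicolon followed only by digits cannot be told apart from a password with an appended code.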

Connected services

If an authentik administrator adds a source to the instance, such as GitHub, Discord, Google Workspace or Microsoft Entra ID, then users will see a list of those sources here and can choose to log in (Connect) using credentials from that source, or Disconnect from the service. Note that SCIM and LDAP sources are not displayed.

Tokens and App passwords

Tokens: users can create a set of 6 tokens to use as standard access tokens for authorization, allowing a client application to access an API or other protected resource.

App password: an App password can be used as a secondary form of authentication. For example, in situations where MFA is not natively supported for the protocol that the application uses, the App password behaves as the user's regular password.