62 changes: 60 additions & 2 deletions website/docs/releases/2025/v2025.12.md
Expand Up @@ -11,11 +11,18 @@ To try out the release candidate, replace your Docker image tag with the latest

## Highlights

- **Endpoint Devices**: Endpoint Devices is a new featureset for Windows, macOS, and Linux devices that enables SSH authentication, local device login, sudo authorization and more, all with authentik credentials.
- **CSV Data Exports**: :ak-enterprise Now you can export user and event data in CSV format for backup or analysis purposes.
- **RBAC Permissions**: Permissions are now granted exclusively via roles, and permission inheritance and basic object permissions have been enhanced.
- **Passkey Autofill (WebAuthn Conditional UI)**: Passkeys now appear in the browser's autofill dropdown alongside saved passwords, enabling seamless passwordless login when focusing on input fields.

## Breaking changes

### Storage improvements

Files stored by authentik are now served from the `/files` prefix, and not from `/media` anymore.
File storage has been reworked to unify media file configuration (icons, branding options), and allow future uses of file storage including [CSV Data Exports](.).

Files stored by authentik are now served from the `/files` prefix, and not from `/media` anymore. Any custom reverse proxy configuration handling those paths will need to be updated.

#### Storage mount changes

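Review bot: In the Storage improvements paragraph, the `[CSV Data Exports](.)` link still has the placeholder target `.`. Point it at the Data Exports page (`../../sys-mgmt/data-exports.md` is the path used further down in this file) or at the section anchor before merging. Since this is listed as a breaking change, it would also help operators if the text said whether requests to the old `/media` prefix fail or are redirected, because that decides how urgently custom reverse proxy rules have to be updated.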
Expand All @@ -39,6 +46,57 @@ New storage configuration options are available. See the [storage settings refer

## New features and improvements

### Endpoint devices

Endpoint Devices are end-user devices or servers authentication that are registered with authentik. #TODewi

Devices can be integrated by installing the [authentik Agent](.) which supports:

- [Local device login](.) with authentik credentials
- [Connecting via SSH to Endpoint Devices](.) with authentik credentials
- [Sudo authorization](.) with authentik credentials
- [Authenticating to CLI applications](.) such as kubectl and AWS with authentik credentials

Alternatively, [Connectors](.) allow authentik to be integrated with third party services like Fleet. This allows for device information to be reported to authentik for [Device Compliance](.) purposes.

### CSV Data Exports :ak-enterprise

authentik now allows you to export user and event data in CSV format for backup or analysis purposes. The exported content matches that returned by the API endpoints for the respective object types. You can access past data exports from **System Management** > **Data Exports**, where you can view the query used for each export, search by data type and user, download completed exports, and delete exports you no longer need.

See [Data Exports documentation](../../sys-mgmt/data-exports.md) for more details.

### Passkey Autofill (WebAuthn Conditional UI)

WebAuthn Conditional UI allows passkeys to appear directly in the browser's autofill dropdown alongside saved passwords. When a user focuses on a login input field, their registered passkeys are presented as autofill options, enabling a seamless passwordless authentication experience without requiring users to explicitly select a passkey option first.

This feature improves the discoverability of passkeys and reduces friction for users who have registered WebAuthn credentials, making passwordless login as intuitive as traditional password autofill.

### RBAC Permissions

Our RBAC now focuses more strongly on the use of roles to grant permissions to users and groups. The 2025.12 release also provides support for multiple parents for a group, inherited permissions from ancestors, allowing one or MORE roles to be assigned to a single group, and enforcement of unique names for groups. Additionally, object permissions are auto-assigned to the object's creator via managed roles, to ensure CRUD rights.

### Files

authentik now provides a centralized file management system for storing and organizing image files used throughout the platform. This includes application icons, source icons, and branding assets such as logos, favicons, and flow background images. Files can be uploaded and managed from **Customization** > **Files** in the Admin interface. By default, files are stored on disk, but S3 storage can also be configured.

See [Files documentation](../../customize/files.md) for more details.

### UI improvements on mobile and tablet devices

Flows now work better on smaller screens, including fixes for scrollbars on mobile and tablet devices, smarter login card shadows, and better form label alignment. If you use custom styles, you may need to revise them.

### Localization improvements

A locale selector is now available on the login screen, allowing users to choose their preferred language before authenticating. The selected locale persists for the browser session, and after authentication, user attributes take priority over the session preference if configured. We've also improved locale detection and updated our locale management to make future translations easier.

### Promoted source

Sources can now be promoted to display as primary buttons on the login page instead of small icons. This allows administrators to emphasize preferred social login providers (such as Google, GitHub, or Discord) by giving them more visual prominence in the authentication flow, making it easier for users to identify and select their preferred login method.

### Glossary

We have replaced our too-short Terminology page with a more rich [Glossary](../../core/glossary/), with terms that are searchable by tags or first letter.

## Upgrading

This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx).
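Review bot: The first line of the Endpoint devices section still ends with a leftover `#TODewi` marker, and the sentence in front of it does not parse ("end-user devices or servers authentication that are registered with authentik"). Rewrite the definition and drop the marker before this is published. In the same section, every link (`[authentik Agent](.)`, `[Local device login](.)`, `[Connectors](.)`, `[Device Compliance](.)` and the others) has the placeholder target `.` and needs a real path. For a feature that covers SSH access and sudo authorization, readers will want those links to reach the actual setup docs. Minor: "one or MORE roles" in the RBAC paragraph should be lower case.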
Expand All @@ -64,7 +122,7 @@ Upgrade the Helm Chart to the new version, using the following commands:

```shell
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^xxxx.x
helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.12
```

## Minor changes/fixes
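Review bot: In the `helm upgrade` line, the version constraint `^2025.12` is passed unquoted. Some shells give `^` a special meaning (zsh with extended globbing, for example), so quoting it as `--version "^2025.12"` keeps the command safe to copy and paste. It may also be worth one sentence on what the caret range selects, so operators know which chart versions this upgrade can pull in.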