52 changes: 51 additions & 1 deletion website/docs/releases/2025/v2025.12.md
Expand Up @@ -11,11 +11,18 @@ To try out the release candidate, replace your Docker image tag with the latest

## Highlights

- **Endpoint Devices**: Endpoint Devices is a new featureset for Windows, macOS, and Linux devices that enables SSH authentication, local device login, sudo authorization and more, all with authentik credentials.
- **CSV Data Exports**: Now you can export user and event data in CSV format for backup or analysis purposes.
- **RBAC Permissions**: Permissions are now granted exclusively via roles, and permission inheritance and basic object permissions have been enhanced.
- **Passkey Autofill (WebAuthn Conditional UI)**: Passkeys now appear in the browser's autofill dropdown alongside saved passwords, enabling seamless passwordless login when focusing on input fields.

## Breaking changes

### Storage improvements

Files stored by authentik are now served from the `/files` prefix, and not from `/media` anymore.
File storage has been reworked to unify media file configuration (icons, branding options), and allow future uses of file storage including [reports](#reports).

Files stored by authentik are now served from the `/files` prefix, and not from `/media` anymore. Any custom reverse proxy configuration handling those paths will need to be updated.

#### Storage mount changes
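
Review bot: The `[reports](#reports)` link in the new "Storage improvements" paragraph targets an anchor that no heading visible in this diff creates; the export feature is added under "### CSV Data Exports", so either point the link at that heading or rename the section so the in-page link resolves. The reverse proxy sentence would also help operators more if it said what happens to requests that still arrive on `/media` after the upgrade (redirected or not served), since that is the part people with custom proxy rules need to plan for. Minor: "featureset" in the Endpoint Devices highlight should be "feature set".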

Expand All @@ -39,6 +46,49 @@ New storage configuration options are available. See the [storage settings refer

## New features and improvements

### Endpoint devices

Endpoint Devices are end-user devices or servers authentication that are registered with authentik. #TODewi

Devices can be integrated by installing the [authentik Agent](./authentik-agent/index.mdx) which supports:

- [Local device login](./device-authentication/local-device-login/index.mdx) with authentik credentials
- [Connecting via SSH to Endpoint Devices](./device-authentication/ssh-authentication.mdx) with authentik credentials
- [Sudo authorization](./device-authentication/sudo-authorization.md) with authentik credentials
- [Authenticating to CLI applications](./device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials

Alternatively, [Connectors](./device-compliance/connectors.md) allow authentik to be integrated with third party services like Fleet. This allows for device information to be reported to authentik for [Device Compliance](./device-compliance/index.mdx) purposes.

### UI Improvements on mobile and tablets devices

Flows are now responsive on smaller screen sizes (if you have custom styles you may need to revise them) #TODO

### Localization improvements

We have improved locale detection and updated our locale management to make future translations easier. Locale selector is now available on the login screen #TODO

### CSV Data Exports

You can export object data about users and events as a CSV file, search and view previous exports and their queries, and delete exports that you no longer need.

### Passkey Autofill (WebAuthn Conditional UI)

WebAuthn Conditional UI allows passkeys to appear directly in the browser's autofill dropdown alongside saved passwords. When a user focuses on a login input field, their registered passkeys are presented as autofill options, enabling a seamless passwordless authentication experience without requiring users to explicitly select a passkey option first.

This feature improves the discoverability of passkeys and reduces friction for users who have registered WebAuthn credentials, making passwordless login as intuitive as traditional password autofill.

### RBAC Permissions

Our RBAC now focuses more strongly on the use of roles to grant permissions to users and groups. The 2025.12 release also provides support for multiple parents for a group, inherited permissions from ancestors, allowing one or MORE roles to be assigned to a single group, and enforcement of unique names for groups. Additionally, object permissions are auto-assigned to the object's creator via managed roles, to ensure CRUD rights.

### Files

### Promoted source

### Glossary

We have replaced our too-short Terminology page with a more rich [Glossary](../core/glossary/), with terms that are searchable by tags or first letter.

## Upgrading

This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx).
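
Review bot: The new feature sections still carry draft placeholders: `#TODewi` after the Endpoint devices definition, `#TODO` at the end of the mobile UI and Localization paragraphs, and "### Files" and "### Promoted source" are headings with no body; these need to be filled in or dropped before the notes are published. The Endpoint devices definition ("end-user devices or servers authentication that are registered with authentik") does not parse and should be reworded. The links in that section (`./authentik-agent/index.mdx`, `./device-authentication/...`, `./device-compliance/...`) are relative to `releases/2025/`, unlike the `../../install-config/upgrade.mdx` link under "Upgrading", so they look copied from another docs directory and should be checked against the build. Under "RBAC Permissions", "focuses more strongly on the use of roles" is weaker than the Highlights bullet "granted exclusively via roles"; state which one is accurate and what happens to existing direct permission assignments on upgrade, because admins will read this to decide whether access changes after updating. Style: "one or MORE" should be lowercase, and "mobile and tablets devices" should read "mobile and tablet devices".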