In TNS version 25.04.1, and Authentik app version 2025.6.3, there is no option for a bootstrap password setting field, and environmental fields are offered. I’ve set two environmental fields: AUTHENTIK_BOOTSTRAP_PASSWORD, and AUTHENTIK_DEFAULT_PASSWORD to my desired login password, but both fail, disallowing access to the server UI. How do I set the initial server UI password?
dan
July 1, 2025, 3:20pm
2
There is no default password; you set up the admin password at first login. To do that, you need to browse to http://ip:port/if/flow/initial-setup/, where ip:port represents the IP and port used by your Authentik installation.
Thanks for the reply. Now that URL for initial setup is not indicated as an option for first login in the “Application Info” or “Notes” tiles, and it should be. So whomever is setting up this app needs to do that as an initial link for setup. Sometimes it’s hard to state the obvious.
dan
July 1, 2025, 3:56pm
4
That would be good, to be sure, but users need to get accustomed to checking the docs for the software they’re installing–that’s where I got that URL.
Agreed on checking the Docs, which is what I did, but that link information didn’t come up on a quick look and I just didn’t feel like digging any deeper at that moment just to get initial access.
It’s always easy to just say dig into the Docs for the information you need and that’s true, but why not just state it in the install notes like all the others?
You can always PR the information yourself on the TrueNAS GitHub (GitHub - truenas/apps ). With the community apps, there’s little to no documentation, so basically, if the person who provides the app doesn’t document this on top of doing the work for adding the app to the catalog, then the community or someone else has to step
mkarwin
September 28, 2025, 6:25am
7
Any idea how to tackle: “Flow does not apply to current user.” shown after hitting that initial-setup flow (server logs show: “event”: “f(exec): Flow not applicable to current user”, “exc”: “FlowNonApplicableException()”, “flow_slug”: “initial-setup”)?Automated install | authentik one should be able to automate the akadmin credentials with the 3 variables set, but whether with or without them in the additional environment variables, for me the initial-setup returns the same error and the default flow of default-authentication-flow does not recognise akadmin user (it’s hanging on username input, not progressing further).I can't log in to authentik | authentik steps to reset the password for the akadmin user yields “CommandError: aborted” without any change to the UI accessibility in my instance…
Not to my knowledge. I uninstalled the application.
Secret nor db password shall not contain special chars e.g. !@#%^&*
echo "$(openssl rand -base64 36 | tr -dc 'a-zA-Z0-9' | tr -d '\n')" for db passwordecho "$(openssl rand -base64 60 | tr -dc 'a-zA-Z0-9' | tr -d '\n')" for secret
But this does not help
I had a similar issue. I found this github issue with helpful information:
opened 12:19AM - 11 Jan 24 UTC
question
**Describe your question/**
Simply set up Authentik in portainer with a stack.
…
**Relevant infos**
Debian 12, Portainer BE 2.19.4, Docker-ce 5:24.0.7, Docker Compose 2.21.0, Authentik 2023.10.6
**Screenshots**
**Logs**
```
INF | auth_via=unauthenticated event=/if/flow/initial-setup/ host=10.0.0.70:9999 logger=authentik.asgi method=GET pid=21 remote=10.0.0.16 request_id=639062a4017c4e03af1af58f8247b99f runtime=45 scheme=http status=200 timestamp=2024-01-11T00:16:17.358773 user= user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/ws/client/ logger=authentik.asgi pid=22 remote=10.0.0.16 scheme=ws timestamp=2024-01-11T00:16:17.534925 user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | auth_via=unauthenticated event=/api/v3/flows/executor/initial-setup/?query= host=10.0.0.70:9999 logger=authentik.asgi method=GET pid=21 remote=10.0.0.16 request_id=5bf9263a3c6840c8a0e7c60cf86bd8ec runtime=166 scheme=http status=200 timestamp=2024-01-11T00:16:17.713295 user= user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
warning | auth_via=unauthenticated event=f(exec): Flow not applicable to current user exc=FlowNonApplicableException() flow_slug=initial-setup host=10.0.0.70:9999 logger=authentik.flows.views.executor pid=21 request_id=19be4616e2fa4f89aff2b6f7f7f8d0c2 timestamp=2024-01-11T00:16:28.714973
INF | auth_via=unauthenticated event=/api/v3/flows/executor/initial-setup/?query= host=10.0.0.70:9999 logger=authentik.asgi method=POST pid=21 remote=10.0.0.16 request_id=19be4616e2fa4f89aff2b6f7f7f8d0c2 runtime=18 scheme=http status=200 timestamp=2024-01-11T00:16:28.718903 user= user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | auth_via=unauthenticated event=/-/health/live/ host=localhost:8000 logger=authentik.asgi method=GET pid=21 remote=255.255.255.255 request_id=ef99c52845444c2ca14726005aff67ab runtime=24 scheme=http status=204 timestamp=2024-01-11T00:16:30.624566 user= user_agent=goauthentik.io/router/healthcheck
INF | event=/static/dist/flow/FlowInterface.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58933 runtime=0.294 scheme=http size=97 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/PromptStage-8d0QKIjx.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58985 runtime=0.458 scheme=http size=20701 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/standalone/loading/index.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58987 runtime=0.449 scheme=http size=45761 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/standalone/loading/vendor-tE6fj0d6.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58987 runtime=12.725 scheme=http size=299257 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/locale-en-oD1Dvgpn.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58985 runtime=21.229 scheme=http size=156981 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/FlowInterface-xgZ9cG5z.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58988 runtime=25.638 scheme=http size=275317 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/standalone/loading/api-CiT45_yq.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58987 runtime=5.138 scheme=http size=345237 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/api-MAwzzYsg.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58933 runtime=31.003 scheme=http size=1569092 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/vendor-U84AyUBr.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58989 runtime=48.175 scheme=http size=835541 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/poly.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58986 runtime=75.906 scheme=http size=1611949 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | auth_via=unauthenticated event=/-/health/live/ host=localhost:8000 logger=authentik.asgi method=GET pid=22 remote=255.255.255.255 request_id=f5286c6e59a84751accd76696a52973c runtime=12 scheme=http status=204 timestamp=2024-01-11T00:17:00.618716 user= user_agent=goauthentik.io/router/healthcheck
INF | auth_via=unauthenticated event=/-/health/live/ host=localhost:8000 logger=authentik.asgi method=GET pid=22 remote=255.255.255.255 request_id=9e5e7fb88ea844bba5a97a4a529747ae runtime=12 scheme=http status=204 timestamp=2024-01-11T00:17:30.613058 user= user_agent=goauthentik.io/router/healthcheck
```
**Version and Deployment (please complete the following information):**
- authentik version: 2023.10.6
- Deployment: docker-compose via portainer stacks
**Additional context**
After seemingly sucessfully starting Authentik up, I go to if/flows/initial-setup, I enter in my email and password that I want to use, and every single time, I get this message showing up. What am I doing wrong??? What does it mean flow isn't applicable to current user? There are no users! I'm attempting to create the first one!!
Seems like is does not like special chars in the secret key: Request has been Denied. Flow does not apply to current user. What am I missing!? · Issue #8127 · goauthentik/authentik · GitHub
Seems like the docs should be updated from this
to this
opened 12:19AM - 11 Jan 24 UTC
question
**Describe your question/**
Simply set up Authentik in portainer with a stack.
…
**Relevant infos**
Debian 12, Portainer BE 2.19.4, Docker-ce 5:24.0.7, Docker Compose 2.21.0, Authentik 2023.10.6
**Screenshots**
**Logs**
```
INF | auth_via=unauthenticated event=/if/flow/initial-setup/ host=10.0.0.70:9999 logger=authentik.asgi method=GET pid=21 remote=10.0.0.16 request_id=639062a4017c4e03af1af58f8247b99f runtime=45 scheme=http status=200 timestamp=2024-01-11T00:16:17.358773 user= user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/ws/client/ logger=authentik.asgi pid=22 remote=10.0.0.16 scheme=ws timestamp=2024-01-11T00:16:17.534925 user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | auth_via=unauthenticated event=/api/v3/flows/executor/initial-setup/?query= host=10.0.0.70:9999 logger=authentik.asgi method=GET pid=21 remote=10.0.0.16 request_id=5bf9263a3c6840c8a0e7c60cf86bd8ec runtime=166 scheme=http status=200 timestamp=2024-01-11T00:16:17.713295 user= user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
warning | auth_via=unauthenticated event=f(exec): Flow not applicable to current user exc=FlowNonApplicableException() flow_slug=initial-setup host=10.0.0.70:9999 logger=authentik.flows.views.executor pid=21 request_id=19be4616e2fa4f89aff2b6f7f7f8d0c2 timestamp=2024-01-11T00:16:28.714973
INF | auth_via=unauthenticated event=/api/v3/flows/executor/initial-setup/?query= host=10.0.0.70:9999 logger=authentik.asgi method=POST pid=21 remote=10.0.0.16 request_id=19be4616e2fa4f89aff2b6f7f7f8d0c2 runtime=18 scheme=http status=200 timestamp=2024-01-11T00:16:28.718903 user= user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | auth_via=unauthenticated event=/-/health/live/ host=localhost:8000 logger=authentik.asgi method=GET pid=21 remote=255.255.255.255 request_id=ef99c52845444c2ca14726005aff67ab runtime=24 scheme=http status=204 timestamp=2024-01-11T00:16:30.624566 user= user_agent=goauthentik.io/router/healthcheck
INF | event=/static/dist/flow/FlowInterface.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58933 runtime=0.294 scheme=http size=97 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/PromptStage-8d0QKIjx.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58985 runtime=0.458 scheme=http size=20701 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/standalone/loading/index.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58987 runtime=0.449 scheme=http size=45761 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/standalone/loading/vendor-tE6fj0d6.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58987 runtime=12.725 scheme=http size=299257 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/locale-en-oD1Dvgpn.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58985 runtime=21.229 scheme=http size=156981 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/FlowInterface-xgZ9cG5z.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58988 runtime=25.638 scheme=http size=275317 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/standalone/loading/api-CiT45_yq.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58987 runtime=5.138 scheme=http size=345237 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/api-MAwzzYsg.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58933 runtime=31.003 scheme=http size=1569092 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/vendor-U84AyUBr.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58989 runtime=48.175 scheme=http size=835541 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/poly.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58986 runtime=75.906 scheme=http size=1611949 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | auth_via=unauthenticated event=/-/health/live/ host=localhost:8000 logger=authentik.asgi method=GET pid=22 remote=255.255.255.255 request_id=f5286c6e59a84751accd76696a52973c runtime=12 scheme=http status=204 timestamp=2024-01-11T00:17:00.618716 user= user_agent=goauthentik.io/router/healthcheck
INF | auth_via=unauthenticated event=/-/health/live/ host=localhost:8000 logger=authentik.asgi method=GET pid=22 remote=255.255.255.255 request_id=9e5e7fb88ea844bba5a97a4a529747ae runtime=12 scheme=http status=204 timestamp=2024-01-11T00:17:30.613058 user= user_agent=goauthentik.io/router/healthcheck
```
**Version and Deployment (please complete the following information):**
- authentik version: 2023.10.6
- Deployment: docker-compose via portainer stacks
**Additional context**
After seemingly sucessfully starting Authentik up, I go to if/flows/initial-setup, I enter in my email and password that I want to use, and every single time, I get this message showing up. What am I doing wrong??? What does it mean flow isn't applicable to current user? There are no users! I'm attempting to create the first one!!
As a workaround use this to reset admin password: I can't log in to authentik | authentik
E.g. use web shell (System->Shell) and sudo -i to work as root.
# 1. Find compose file
$ docker ps
# Get id of one random authentik container
$ docker inspect 3cb04306f22c | grep compose
> "com.docker.compose.config-hash": >"7e16237e5f163a450a9b631e177dfccfbfe3d1ac3e0e9fe57f8a520349c43feb",
> "com.docker.compose.container-number": "1",
> "com.docker.compose.depends_on": >"permissions:service_completed_successfully:false,postgres:service_healthy:false",
> "com.docker.compose.image": >"sha256:a3390134336c8649e95b5efc209b139022320c6c441191f53d557a1a8f0fffae",
> "com.docker.compose.oneoff": "False",
> "com.docker.compose.project": "rendered",
> "com.docker.compose.project.config_files": "/mnt/.ix-apps/app_configs/authentik/>versions/1.1.3/templates/rendered/docker-compose.yaml",
> "com.docker.compose.project.working_dir": "/mnt/.ix-apps/app_configs/authentik/>versions/1.1.3/templates/rendered",
> "com.docker.compose.service": "authentik-server",
> "com.docker.compose.version": "2.38.1",
# We need the rendered compose file
cd /mnt/.ix-apps/app_configs/authentik/>versions/1.1.3/templates/rendered/docker-compose.yaml
# Run change password command. Note the changed name compared to authentic docs
docker compose exec authentik-server ak changepassword akadmin
You will get a prompt to enter a new password. This one can use to login to the admin panel via https page
