What it controls
- User accounts — email login for people who need Outline or Mattermost.
- Groups — bundle permissions (e.g. core-dev, field-installer personas).
- SSO applications — Outline (OIDC) and Mattermost (OAuth) trust Authentik.
- Password flows — reset, recovery email, and optional MFA policies.
- OAuth providers — MCP server and other API clients authenticate through Authentik.
Day-to-day use
- Users sign in once at Authentik and land in Outline or Mattermost without a second password.
- Request a password reset from the login screen if locked out.
- Profile and security settings live in the Authentik user interface.
- New hires: admin creates account, user sets password on first login.
Admin maintenance
- Create, disable, and enable users from the Admin interface.
- Assign users to groups that match their role (dev, ops, installer).
- Manage application providers and redirect URLs when adding new SSO apps.
- Issue API tokens for service accounts (provisioning API, MCP, integrations).
- Review login events and failed attempts in Authentik logs.