website/docs: Fix trailing ID.

website/docs/add-secure-apps/flows-stages/flow/context/index.mdx

@@ -62,7 +62,7 @@ When an unauthenticated user attempts to access a secured resource, they are red
 
 When a user authenticates/enrolls via an external source, this will be set to the source they are using.
 
-#### `outpost` (dictionary) :ak-version[2024.10]
+#### `outpost` (dictionary):ak-version[2024.10]
 
 When a flow is executed by an Outpost (for example the [LDAP](../../../providers/ldap/index.md) or [RADIUS](../../../providers/radius/index.mdx)), this will be set to a dictionary containing the Outpost instance under the key `"instance"`.
 
@@ -76,7 +76,7 @@ This key is set to `True` when the flow is executed from an "SSO" context. For e
 
 This key is set when a flow execution is continued from a token. This happens for example when an [Email stage](../../stages/email/index.mdx) is used and the user clicks on the link within the email. The token object contains the key that was used to restore the flow execution.
 
-#### `is_redirected` (Flow object) :ak-version[2024.12]
+#### `is_redirected` (Flow object):ak-version[2024.12]
 
 This key is set when the current flow was reached through a [Redirect stage](../../stages/redirect/index.md) in Flow mode.
 
@@ -98,7 +98,7 @@ URL that the form will be submitted to.
 
 Key-value pairs of the data that is included in the form and will be submitted to `url`.
 
-#### Captcha stage :ak-version[2024.6]
+#### Captcha stage:ak-version[2024.6]
 
 ##### `captcha` (dictionary)
 
@@ -118,7 +118,7 @@ An optional list of all permissions that will be given to the application by gra
 
 #### Deny stage
 
-##### `deny_message` (string) :ak-version[2023.10]
+##### `deny_message` (string):ak-version[2023.10]
 
 Optionally overwrite the deny message shown, has a higher priority than the message configured in the stage.
 
@@ -134,7 +134,7 @@ If set, this must be a list of group objects and not group names.
 
 Path the `pending_user` will be written to. If not set in the flow, falls back to the value set in the user_write stage, and otherwise to the `users` path.
 
-##### `user_type` (string) :ak-version[2023.10]
+##### `user_type` (string):ak-version[2023.10]
 
 Type the `pending_user` will be created as. Must be one of `internal`, `external` or `service_account`.
 
@@ -198,7 +198,7 @@ If _Show matched user_ is disabled, this key will be set to the user identifier
 
 #### Redirect stage
 
-##### `redirect_stage_target` (string) :ak-version[2024.12]
+##### `redirect_stage_target` (string):ak-version[2024.12]
 
 [Set this key](../../../../customize/policies/expression/managing_flow_context_keys.md) in an Expression Policy to override [Redirect stage](../../stages/redirect/index.md) to force it to redirect to a certain URL or flow. This is useful when a flow requires that the redirection target be decided dynamically.
 

website/docs/add-secure-apps/flows-stages/flow/examples/snippets.mdx

@@ -2,7 +2,7 @@
 title: Example policy snippets for flows
 ---
 
-### Redirect current flow to another URL :ak-version[2022.7]
+### Redirect current flow to another URL:ak-version[2022.7]
 
 ```python
 plan = request.context.get("flow_plan")

website/docs/add-secure-apps/flows-stages/stages/authenticator_duo/index.mdx

@@ -10,7 +10,7 @@ Copy all of the integration key, secret key and API hostname, and paste them in
 
 Devices created reference the stage they were created with, since the API credentials are needed to authenticate. This also means when the stage is deleted, all devices are removed.
 
-## Importing users :ak-version[2022.9]
+## Importing users:ak-version[2022.9]
 
 :::info
 Due to the way the Duo API works, authentik can only automatically import existing Duo users when a Duo MFA or higher license is active.
@@ -20,7 +20,7 @@ To import a device, open the Stages list in the authentik Admin interface. On th
 
 The Duo username can be found by navigating to your Duo Admin dashboard and selecting _Users_ in the sidebar. Optionally if you have multiple users with the same username, you can click on a User and copy their ID from the URL, and use that to import the device.
 
-### Older versions :ak-version[2021.9.1]
+### Older versions:ak-version[2021.9.1]
 
 You can call the `/api/v3/stages/authenticator/duo/{stage_uuid}/import_devices/` endpoint ([see here](https://goauthentik.io/api/#post-/stages/authenticator/duo/-stage_uuid-/import_devices/)) using the following parameters:
 

website/docs/add-secure-apps/flows-stages/stages/authenticator_sms/index.mdx

@@ -46,7 +46,7 @@ return {
 }
 ```
 
-## Verify only :ak-version[2022.6]
+## Verify only:ak-version[2022.6]
 
 To only verify the validity of a users' phone number, without saving it in an easily accessible way, you can enable this option. Phone numbers from devices enrolled through this stage will only have their hashed phone number saved. These devices can also not be used with the [Authenticator validation](../authenticator_validate/index.mdx) stage.
 

website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx

@@ -23,11 +23,11 @@ Keep in mind that when using Code-based devices (TOTP, Static and SMS), values l
 
 ### Options
 
-#### Less-frequent validation :ak-version[2022.5.1]
+#### Less-frequent validation:ak-version[2022.5.1]
 
 You can configure this stage to only ask for MFA validation if the user hasn't authenticated themselves within a defined time period. To configure this, set _Last validation threshold_ to any non-zero value. Any of the users devices within the selected classes are checked.
 
-#### Passwordless authentication :ak-version[2021.12.4]
+#### Passwordless authentication:ak-version[2021.12.4]
 
 :::caution
 Firefox has some known issues regarding TouchID (see https://bugzilla.mozilla.org/show_bug.cgi?id=1536482)
@@ -68,7 +68,7 @@ Logins which used Passwordless authentication have the _auth_method_ context var
 }
 ```
 
-#### WebAuthn Device type restrictions :ak-version[2024.4]
+#### WebAuthn Device type restrictions:ak-version[2024.4]
 
 Optionally restrict which WebAuthn device types can be used to authenticate.
 

website/docs/add-secure-apps/flows-stages/stages/authenticator_webauthn/index.mdx

@@ -18,7 +18,7 @@ Configure if the created authenticator is stored in the encrypted memory on the
 
 Configure if authentik will require either a removable device (like a YubiKey, Google Titan, etc) or a non-removable device (like Windows Hello, TouchID or password managers), or not send a requirement.
 
-#### Device type restrictions :ak-version[2024.4]
+#### Device type restrictions:ak-version[2024.4]
 
 Optionally restrict the types of devices allowed to be enrolled. This option can be used to ensure users are only able to enroll FIPS-compliant devices for example.
 

website/docs/add-secure-apps/flows-stages/stages/identification/index.mdx

@@ -30,7 +30,7 @@ To run a CAPTCHA process in the background while the user is entering their iden
 
 These fields specify if and which flows are linked on the form. The enrollment flow is linked as `Need an account? Sign up.`, and the recovery flow is linked as `Forgot username or password?`.
 
-## Pretend user exists :ak-version[2024.2]
+## Pretend user exists:ak-version[2024.2]
 
 When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.
 

website/docs/add-secure-apps/providers/oauth2/client_credentials.mdx

@@ -30,7 +30,7 @@ In addition to that, with authentik 2024.4 it is also possible to pass the confi
 
 ### JWT-authentication
 
-#### Externally issued JWTs :ak-version[2022.4]
+#### Externally issued JWTs:ak-version[2022.4]
 
 You can authenticate and get a token using an existing JWT. For readability we will refer to the JWT issued by the external issuer/platform as input JWT, and the resulting JWT from authentik as the output JWT.
 
@@ -59,7 +59,7 @@ To dynamically limit access based on the claims of the tokens, you can use _[Exp
 return request.context["oauth_jwt"]["iss"] == "https://my.issuer"
 ```
 
-#### authentik-issued JWTs :ak-version[2024.12]
+#### authentik-issued JWTs:ak-version[2024.12]
 
 To allow federation between providers, modify the provider settings of the application (whose token will be used for authentication) to select the provider of the application to which you want to federate.
 

website/docs/add-secure-apps/providers/oauth2/index.mdx

@@ -176,6 +176,6 @@ When a _Signing Key_ is selected in the provider, the JWT will be signed asymmet
 
 When no _Signing Key_ is selected, the JWT will be signed symmetrically with the _Client secret_ of the provider, which can be seen in the provider settings.
 
-### Encryption :ak-version[2024.10]
+### Encryption:ak-version[2024.10]
 
 authentik can also encrypt JWTs (turning them into JWEs) it issues by selecting an _Encryption Key_ in the provider. When selected, all JWTs will be encrypted symmetrically using the selected certificate. authentik uses the `RSA-OAEP-256` algorithm with the `A256CBC-HS512` encryption method.

website/docs/add-secure-apps/providers/proxy/header_authentication.mdx

@@ -25,7 +25,7 @@ By default, when _Intercept header authentication_ is enabled, authentik will in
 
 If the proxied application requires usage of the "Authorization" header, the setting should be disabled. When this setting is disabled, authentik will still attempt to interpret the "Authorization" header, and fall back to the default behaviour if it can't.
 
-### Receiving HTTP Basic authentication :ak-version[2023.1]
+### Receiving HTTP Basic authentication:ak-version[2023.1]
 
 Proxy providers can receive HTTP basic authentication credentials. The password is expected to be an _App password_, as the credentials are used internally with the [OAuth2 machine-to-machine authentication flow](../oauth2/client_credentials.mdx).
 
@@ -39,7 +39,7 @@ It is **strongly** recommended that the client sending requests with HTTP-Basic
 
 Starting with authentik 2023.2, logging in with the reserved username `goauthentik.io/token` will behave as if a bearer token was used. All the same options as below apply. This is to allow token-based authentication for applications which might only support basic authentication.
 
-### Receiving HTTP Bearer authentication :ak-version[2023.1]
+### Receiving HTTP Bearer authentication:ak-version[2023.1]
 
 Proxy providers can receive HTTP bearer authentication credentials. The token is expected to be a JWT token issued for the proxy provider. This is described [here](../oauth2/client_credentials.mdx), using the _client_id_ value shown in the admin interface. Both static and JWT authentication methods are supported.
 

website/docs/customize/blueprints/export.mdx

@@ -2,7 +2,7 @@
 title: Export
 ---
 
-## Global export :ak-version[2022.8.2]
+## Global export:ak-version[2022.8.2]
 
 To migrate existing configurations to blueprints, run `ak export_blueprint` within any authentik Worker container. This will output a blueprint for most currently created objects. Some objects will not be exported as they might have dependencies on other things.
 

website/docs/customize/blueprints/index.mdx

@@ -55,7 +55,7 @@ To push a blueprint to an OCI-compatible registry, [ORAS](https://oras.land/) ca
 oras push ghcr.io/<username>/blueprint/<blueprint name>:latest <yaml file>:application/vnd.goauthentik.blueprint.v1+yaml
 ```
 
-## Storage - Internal :ak-version[2023.1]
+## Storage - Internal:ak-version[2023.1]
 
 Blueprints can be stored in authentik's database, which allows blueprints to be managed via external configuration management tools like Terraform.
 

website/docs/customize/blueprints/v1/models.mdx

@@ -4,7 +4,7 @@ Some models behave differently and allow for access to different API fields when
 
 ## `authentik_core.token`
 
-### `key` :ak-version[2023.4]
+### `key`:ak-version[2023.4]
 
 Via the standard API, a token's key cannot be changed, it can only be rotated. This is to ensure a high entropy in it's key, and to prevent insecure data from being used. However, when provisioning tokens via a blueprint, it may be required to set a token to an existing value.
 
@@ -26,7 +26,7 @@ For example:
 
 ## `authentik_core.user`
 
-### `password` :ak-version[2023.6]
+### `password`:ak-version[2023.6]
 
 Via the standard API, a user's password can only be set via the separate `/api/v3/core/users/<id>/set_password/` endpoint. In blueprints, the password of a user can be set using the `password` field.
 
@@ -45,7 +45,7 @@ For example:
       password: this-should-be-a-long-value
 ```
 
-### `permissions` :ak-version[2024.8]
+### `permissions`:ak-version[2024.8]
 
 The `permissions` field can be used to set global permissions for a user. A full list of possible permissions is included in the JSON schema for blueprints.
 
@@ -63,7 +63,7 @@ For example:
 
 ## `authentik_core.application`
 
-### `icon` :ak-version[2023.5]
+### `icon`:ak-version[2023.5]
 
 Application icons can be directly set to URLs with the `icon` field.
 
@@ -81,7 +81,7 @@ For example:
 
 ## `authentik_sources_oauth.oauthsource`, `authentik_sources_saml.samlsource`, `authentik_sources_plex.plexsource`
 
-### `icon` :ak-version[2023.5]
+### `icon`:ak-version[2023.5]
 
 Source icons can be directly set to URLs with the `icon` field.
 
@@ -99,7 +99,7 @@ For example:
 
 ## `authentik_flows.flow`
 
-### `icon` :ak-version[2023.5]
+### `icon`:ak-version[2023.5]
 
 Flow backgrounds can be directly set to URLs with the `background` field.
 
@@ -119,7 +119,7 @@ For example:
 
 ## `authentik_rbac.role`
 
-### `permissions` :ak-version[2024.8]
+### `permissions`:ak-version[2024.8]
 
 The `permissions` field can be used to set global permissions for a role. A full list of possible permissions is included in the JSON schema for blueprints.
 

website/docs/customize/blueprints/v1/tags.mdx

@@ -301,7 +301,7 @@ The above example will resolve to something like this:
     - "bar: (index: 2, letter: r)"
 ```
 
-#### `!AtIndex` :ak-version[2024.12]
+#### `!AtIndex`:ak-version[2024.12]
 
 Minimal example:
 

website/docs/enterprise/manage-enterprise.mdx

@@ -109,7 +109,7 @@ The following events occur when a license expires or the internal/external user
 
     - Users can authenticate and authorize applications
     - Licenses can be modified
-    - Users can be modified/deleted :ak-version[2024.10.5]
+    - Users can be modified/deleted:ak-version[2024.10.5]
 
     After the violation is corrected (either the user count returns to be within the limits of the license or the license is renewed), authentik will return to the standard read-write mode and the notification will disappear.
 

website/docs/expressions/_functions.mdx

@@ -29,7 +29,7 @@ user = list_flatten(["foo"])
 # user = "foo"
 ```
 
-### `ak_call_policy(name: str, **kwargs) -> PolicyResult` :ak-version[2021.12]
+### `ak_call_policy(name: str, **kwargs) -> PolicyResult`:ak-version[2021.12]
 
 Call another policy with the name _name_. Current request is passed to policy. Key-word arguments
 can be used to modify the request's context.
@@ -70,7 +70,7 @@ Example:
 other_user = ak_user_by(username="other_user")
 ```
 
-### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool` :ak-version[2022.9]
+### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool`:ak-version[2022.9]
 
 Check if a user has any authenticator devices. Only fully validated devices are counted.
 
@@ -87,7 +87,7 @@ Example:
 return ak_user_has_authenticator(request.user)
 ```
 
-### `ak_create_event(action: str, **kwargs) -> None` :ak-version[2022.9]
+### `ak_create_event(action: str, **kwargs) -> None`:ak-version[2022.9]
 
 Create a new event with the action set to `action`. Any additional key-word parameters will be saved in the event context. Additionally, `context` will be set to the context in which this function is called.
 
@@ -101,7 +101,7 @@ Example:
 ak_create_event("my_custom_event", foo=request.user)
 ```
 
-### `ak_create_jwt(user: User, provider: OAuth2Provider | str, scopes: list[str], validity = "seconds=60") -> str | None` :ak-version[2025.2]
+### `ak_create_jwt(user: User, provider: OAuth2Provider | str, scopes: list[str], validity = "seconds=60") -> str | None`:ak-version[2025.2]
 
 Create a new JWT signed by the given `provider` for `user`.
 
@@ -136,7 +136,7 @@ ip_address('192.0.2.1') in ip_network('192.0.2.0/24')
 # evaluates to True
 ```
 
-## DNS resolution and reverse DNS lookups :ak-version[2023.3]
+## DNS resolution and reverse DNS lookups:ak-version[2023.3]
 
 To resolve a hostname to a list of IP addresses, use the functions `resolve_dns(hostname)` and `resolve_dns(hostname, ip_version)`.
 

website/docs/install-config/automated-install.mdx

@@ -8,11 +8,11 @@ To install authentik automatically (skipping the Out-of-box experience), you can
 
 Configure the default password for the `akadmin` user. Only read on the first startup. Can be used for any flow executor.
 
-### `AUTHENTIK_BOOTSTRAP_TOKEN` :ak-version[2021.8]
+### `AUTHENTIK_BOOTSTRAP_TOKEN`:ak-version[2021.8]
 
 Create a token for the default `akadmin` user. Only read on the first startup. The string you specify for this variable is the token key you can use to authenticate yourself to the API.
 
-### `AUTHENTIK_BOOTSTRAP_EMAIL` :ak-version[2023.3]
+### `AUTHENTIK_BOOTSTRAP_EMAIL`:ak-version[2023.3]
 
 Set the email address for the default `akadmin` user.