-e Update API Client

#### What's Changed
---

##### `GET` /providers/oauth2/{id}/

###### Return Type:

Changed response : **200 OK**

* Changed content type : `application/json`

    * Added property `refresh_token_threshold` (string)
        > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

##### `PUT` /providers/oauth2/{id}/

###### Request:

Changed content type : `application/json`

* Added property `refresh_token_threshold` (string)
    > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

###### Return Type:

Changed response : **200 OK**

* Changed content type : `application/json`

    * Added property `refresh_token_threshold` (string)
        > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

##### `PATCH` /providers/oauth2/{id}/

###### Request:

Changed content type : `application/json`

* Added property `refresh_token_threshold` (string)
    > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

###### Return Type:

Changed response : **200 OK**

* Changed content type : `application/json`

    * Added property `refresh_token_threshold` (string)
        > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

##### `GET` /oauth2/access_tokens/{id}/

###### Return Type:

Changed response : **200 OK**

* Changed content type : `application/json`

    * Changed property `provider` (object)
        > OAuth2Provider Serializer

        * Added property `refresh_token_threshold` (string)
            > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

##### `GET` /oauth2/authorization_codes/{id}/

###### Return Type:

Changed response : **200 OK**

* Changed content type : `application/json`

    * Changed property `provider` (object)
        > OAuth2Provider Serializer

        * Added property `refresh_token_threshold` (string)
            > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

##### `GET` /oauth2/refresh_tokens/{id}/

###### Return Type:

Changed response : **200 OK**

* Changed content type : `application/json`

    * Changed property `provider` (object)
        > OAuth2Provider Serializer

        * Added property `refresh_token_threshold` (string)
            > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

##### `POST` /providers/oauth2/

###### Request:

Changed content type : `application/json`

* Added property `refresh_token_threshold` (string)
    > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

###### Return Type:

Changed response : **201 Created**

* Changed content type : `application/json`

    * Added property `refresh_token_threshold` (string)
        > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

##### `GET` /providers/oauth2/

###### Return Type:

Changed response : **200 OK**

* Changed content type : `application/json`

    * Changed property `results` (array)

        Changed items (object):
            > OAuth2Provider Serializer

        * Added property `refresh_token_threshold` (string)
            > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

##### `PUT` /core/transactional/applications/

###### Request:

Changed content type : `application/json`

* Changed property `provider` (object)

    Updated `authentik_providers_oauth2.oauth2provider` provider_model:
    * Added property `refresh_token_threshold` (string)
        > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

##### `GET` /oauth2/access_tokens/

###### Return Type:

Changed response : **200 OK**

* Changed content type : `application/json`

    * Changed property `results` (array)

        Changed items (object):
            > Serializer for BaseGrantModel and RefreshToken

        * Changed property `provider` (object)
            > OAuth2Provider Serializer

            * Added property `refresh_token_threshold` (string)
                > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

##### `GET` /oauth2/authorization_codes/

###### Return Type:

Changed response : **200 OK**

* Changed content type : `application/json`

    * Changed property `results` (array)

        Changed items (object):
            > Serializer for BaseGrantModel and ExpiringBaseGrant

        * Changed property `provider` (object)
            > OAuth2Provider Serializer

            * Added property `refresh_token_threshold` (string)
                > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

##### `GET` /oauth2/refresh_tokens/

###### Return Type:

Changed response : **200 OK**

* Changed content type : `application/json`

    * Changed property `results` (array)

        Changed items (object):
            > Serializer for BaseGrantModel and RefreshToken

        * Changed property `provider` (object)
            > OAuth2Provider Serializer

            * Added property `refresh_token_threshold` (string)
                > When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).

Author: authentik-automation[bot]

README.md

@@ -16,7 +16,7 @@ This repo contains a generated API client to talk with authentik's API from Pyth
 This Python package is automatically generated by the [OpenAPI Generator](https://openapi-generator.tech) project:
 
 - API version: 2025.10.0-rc1
-- Package version: 2025.10.0-rc1-1758902937
+- Package version: 2025.10.0-rc1-1758925462
 - Generator version: 7.15.0
 - Build package: org.openapitools.codegen.languages.PythonClientCodegen
 

authentik_client/__init__.py

@@ -15,7 +15,7 @@
 """  # noqa: E501
 
 
-__version__ = "2025.10.0-rc1-1758902937"
+__version__ = "2025.10.0-rc1-1758925462"
 
 # Define package exports
 __all__ = [

authentik_client/api_client.py

@@ -92,7 +92,7 @@ def __init__(
             self.default_headers[header_name] = header_value
         self.cookie = cookie
         # Set default User-Agent.
-        self.user_agent = 'OpenAPI-Generator/2025.10.0-rc1-1758902937/python'
+        self.user_agent = 'OpenAPI-Generator/2025.10.0-rc1-1758925462/python'
         self.client_side_validation = configuration.client_side_validation
 
     def __enter__(self):

authentik_client/configuration.py

@@ -511,7 +511,7 @@ def to_debug_report(self) -> str:
                "OS: {env}\n"\
                "Python Version: {pyversion}\n"\
                "Version of the API: 2025.10.0-rc1\n"\
-               "SDK Package Version: 2025.10.0-rc1-1758902937".\
+               "SDK Package Version: 2025.10.0-rc1-1758925462".\
                format(env=sys.platform, pyversion=sys.version)
 
     def get_host_settings(self) -> List[HostSetting]:

authentik_client/models/o_auth2_provider.py

@@ -53,6 +53,7 @@ class OAuth2Provider(BaseModel):
     access_code_validity: Optional[StrictStr] = Field(default=None, description="Access codes not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).")
     access_token_validity: Optional[StrictStr] = Field(default=None, description="Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).")
     refresh_token_validity: Optional[StrictStr] = Field(default=None, description="Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).")
+    refresh_token_threshold: Optional[StrictStr] = Field(default=None, description="When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).")
     include_claims_in_id_token: Optional[StrictBool] = Field(default=None, description="Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.")
     signing_key: Optional[UUID] = Field(default=None, description="Key used to sign the tokens.")
     encryption_key: Optional[UUID] = Field(default=None, description="Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs.")
@@ -62,7 +63,7 @@ class OAuth2Provider(BaseModel):
     issuer_mode: Optional[IssuerModeEnum] = Field(default=None, description="Configure how the issuer field of the ID Token should be filled.")
     jwt_federation_sources: Optional[List[UUID]] = None
     jwt_federation_providers: Optional[List[StrictInt]] = None
-    __properties: ClassVar[List[str]] = ["pk", "name", "authentication_flow", "authorization_flow", "invalidation_flow", "property_mappings", "component", "assigned_application_slug", "assigned_application_name", "assigned_backchannel_application_slug", "assigned_backchannel_application_name", "verbose_name", "verbose_name_plural", "meta_model_name", "client_type", "client_id", "client_secret", "access_code_validity", "access_token_validity", "refresh_token_validity", "include_claims_in_id_token", "signing_key", "encryption_key", "redirect_uris", "backchannel_logout_uri", "sub_mode", "issuer_mode", "jwt_federation_sources", "jwt_federation_providers"]
+    __properties: ClassVar[List[str]] = ["pk", "name", "authentication_flow", "authorization_flow", "invalidation_flow", "property_mappings", "component", "assigned_application_slug", "assigned_application_name", "assigned_backchannel_application_slug", "assigned_backchannel_application_name", "verbose_name", "verbose_name_plural", "meta_model_name", "client_type", "client_id", "client_secret", "access_code_validity", "access_token_validity", "refresh_token_validity", "refresh_token_threshold", "include_claims_in_id_token", "signing_key", "encryption_key", "redirect_uris", "backchannel_logout_uri", "sub_mode", "issuer_mode", "jwt_federation_sources", "jwt_federation_providers"]
 
     model_config = ConfigDict(
         populate_by_name=True,
@@ -175,6 +176,7 @@ def from_dict(cls, obj: Optional[Dict[str, Any]]) -> Optional[Self]:
             "access_code_validity": obj.get("access_code_validity"),
             "access_token_validity": obj.get("access_token_validity"),
             "refresh_token_validity": obj.get("refresh_token_validity"),
+            "refresh_token_threshold": obj.get("refresh_token_threshold"),
             "include_claims_in_id_token": obj.get("include_claims_in_id_token"),
             "signing_key": obj.get("signing_key"),
             "encryption_key": obj.get("encryption_key"),

authentik_client/models/o_auth2_provider_request.py

@@ -44,6 +44,7 @@ class OAuth2ProviderRequest(BaseModel):
     access_code_validity: Optional[Annotated[str, Field(min_length=1, strict=True)]] = Field(default=None, description="Access codes not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).")
     access_token_validity: Optional[Annotated[str, Field(min_length=1, strict=True)]] = Field(default=None, description="Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).")
     refresh_token_validity: Optional[Annotated[str, Field(min_length=1, strict=True)]] = Field(default=None, description="Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).")
+    refresh_token_threshold: Optional[Annotated[str, Field(min_length=1, strict=True)]] = Field(default=None, description="When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).")
     include_claims_in_id_token: Optional[StrictBool] = Field(default=None, description="Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.")
     signing_key: Optional[UUID] = Field(default=None, description="Key used to sign the tokens.")
     encryption_key: Optional[UUID] = Field(default=None, description="Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs.")
@@ -53,7 +54,7 @@ class OAuth2ProviderRequest(BaseModel):
     issuer_mode: Optional[IssuerModeEnum] = Field(default=None, description="Configure how the issuer field of the ID Token should be filled.")
     jwt_federation_sources: Optional[List[UUID]] = None
     jwt_federation_providers: Optional[List[StrictInt]] = None
-    __properties: ClassVar[List[str]] = ["name", "authentication_flow", "authorization_flow", "invalidation_flow", "property_mappings", "client_type", "client_id", "client_secret", "access_code_validity", "access_token_validity", "refresh_token_validity", "include_claims_in_id_token", "signing_key", "encryption_key", "redirect_uris", "backchannel_logout_uri", "sub_mode", "issuer_mode", "jwt_federation_sources", "jwt_federation_providers"]
+    __properties: ClassVar[List[str]] = ["name", "authentication_flow", "authorization_flow", "invalidation_flow", "property_mappings", "client_type", "client_id", "client_secret", "access_code_validity", "access_token_validity", "refresh_token_validity", "refresh_token_threshold", "include_claims_in_id_token", "signing_key", "encryption_key", "redirect_uris", "backchannel_logout_uri", "sub_mode", "issuer_mode", "jwt_federation_sources", "jwt_federation_providers"]
 
     model_config = ConfigDict(
         populate_by_name=True,
@@ -139,6 +140,7 @@ def from_dict(cls, obj: Optional[Dict[str, Any]]) -> Optional[Self]:
             "access_code_validity": obj.get("access_code_validity"),
             "access_token_validity": obj.get("access_token_validity"),
             "refresh_token_validity": obj.get("refresh_token_validity"),
+            "refresh_token_threshold": obj.get("refresh_token_threshold"),
             "include_claims_in_id_token": obj.get("include_claims_in_id_token"),
             "signing_key": obj.get("signing_key"),
             "encryption_key": obj.get("encryption_key"),

authentik_client/models/patched_o_auth2_provider_request.py

@@ -44,6 +44,7 @@ class PatchedOAuth2ProviderRequest(BaseModel):
     access_code_validity: Optional[Annotated[str, Field(min_length=1, strict=True)]] = Field(default=None, description="Access codes not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).")
     access_token_validity: Optional[Annotated[str, Field(min_length=1, strict=True)]] = Field(default=None, description="Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).")
     refresh_token_validity: Optional[Annotated[str, Field(min_length=1, strict=True)]] = Field(default=None, description="Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).")
+    refresh_token_threshold: Optional[Annotated[str, Field(min_length=1, strict=True)]] = Field(default=None, description="When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).")
     include_claims_in_id_token: Optional[StrictBool] = Field(default=None, description="Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.")
     signing_key: Optional[UUID] = Field(default=None, description="Key used to sign the tokens.")
     encryption_key: Optional[UUID] = Field(default=None, description="Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs.")
@@ -53,7 +54,7 @@ class PatchedOAuth2ProviderRequest(BaseModel):
     issuer_mode: Optional[IssuerModeEnum] = Field(default=None, description="Configure how the issuer field of the ID Token should be filled.")
     jwt_federation_sources: Optional[List[UUID]] = None
     jwt_federation_providers: Optional[List[StrictInt]] = None
-    __properties: ClassVar[List[str]] = ["name", "authentication_flow", "authorization_flow", "invalidation_flow", "property_mappings", "client_type", "client_id", "client_secret", "access_code_validity", "access_token_validity", "refresh_token_validity", "include_claims_in_id_token", "signing_key", "encryption_key", "redirect_uris", "backchannel_logout_uri", "sub_mode", "issuer_mode", "jwt_federation_sources", "jwt_federation_providers"]
+    __properties: ClassVar[List[str]] = ["name", "authentication_flow", "authorization_flow", "invalidation_flow", "property_mappings", "client_type", "client_id", "client_secret", "access_code_validity", "access_token_validity", "refresh_token_validity", "refresh_token_threshold", "include_claims_in_id_token", "signing_key", "encryption_key", "redirect_uris", "backchannel_logout_uri", "sub_mode", "issuer_mode", "jwt_federation_sources", "jwt_federation_providers"]
 
     model_config = ConfigDict(
         populate_by_name=True,
@@ -139,6 +140,7 @@ def from_dict(cls, obj: Optional[Dict[str, Any]]) -> Optional[Self]:
             "access_code_validity": obj.get("access_code_validity"),
             "access_token_validity": obj.get("access_token_validity"),
             "refresh_token_validity": obj.get("refresh_token_validity"),
+            "refresh_token_threshold": obj.get("refresh_token_threshold"),
             "include_claims_in_id_token": obj.get("include_claims_in_id_token"),
             "signing_key": obj.get("signing_key"),
             "encryption_key": obj.get("encryption_key"),

docs/ModelRequest.md

@@ -35,6 +35,7 @@ Name | Type | Description | Notes
 **access_code_validity** | **str** | Access codes not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] 
 **access_token_validity** | **str** | Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] 
 **refresh_token_validity** | **str** | Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] 
+**refresh_token_threshold** | **str** | When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3). | [optional] 
 **include_claims_in_id_token** | **bool** | Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint. | [optional] 
 **signing_key** | **str** | Key used to sign the SSF Events. | 
 **encryption_key** | **str** | Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs. | [optional] 

docs/OAuth2Provider.md

@@ -26,6 +26,7 @@ Name | Type | Description | Notes
 **access_code_validity** | **str** | Access codes not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] 
 **access_token_validity** | **str** | Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] 
 **refresh_token_validity** | **str** | Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] 
+**refresh_token_threshold** | **str** | When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3). | [optional] 
 **include_claims_in_id_token** | **bool** | Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint. | [optional] 
 **signing_key** | **str** | Key used to sign the tokens. | [optional] 
 **encryption_key** | **str** | Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs. | [optional] 

docs/OAuth2ProviderRequest.md

@@ -17,6 +17,7 @@ Name | Type | Description | Notes
 **access_code_validity** | **str** | Access codes not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] 
 **access_token_validity** | **str** | Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] 
 **refresh_token_validity** | **str** | Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] 
+**refresh_token_threshold** | **str** | When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3). | [optional] 
 **include_claims_in_id_token** | **bool** | Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint. | [optional] 
 **signing_key** | **str** | Key used to sign the tokens. | [optional] 
 **encryption_key** | **str** | Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs. | [optional]