Skip to content

Backups and Snapshots

KelTech Services edited this page Jul 13, 2026 · 1 revision

Backups & snapshots

What gets backed up

Config backups capture your IdP's configuration objects via its API: applications/clients, providers, flows, stages, policies, groups, mappings, zones, hooks, and more (the exact set depends on the provider). Each backup is a complete point-in-time snapshot, encrypted with a per-tenant data key before it touches disk.

Scheduling & retention

Each tenant has its own schedule (Daily/Weekly/Monthly with a time, or custom cron for anything else) and a retention count - how many snapshots to keep. Schedules run in the org timezone set in Settings. Backups queue and run one at a time, so same-time schedules never overload the host. Old snapshots past the retention count are pruned automatically after each successful backup. Manual backups any time with Backup now.

Snapshots

  • Browse - open any snapshot and inspect every object in it (searchable).

  • Diff - select any two snapshots and see exactly what was added, removed, or changed between them.

  • Restore… - see the Config restore doc.

What backups can't include

Identity providers deliberately redact secret material (client secrets, private keys, SAML signing certificates) from their export APIs; no backup product can capture them. A restored app therefore comes back with regenerated credentials; the restore report flags exactly which ones.

Full-DR for self-hosted Authentik

Optionally add a Postgres URL to an Authentik tenant and every config snapshot also stores an encrypted pg_dump of the Authentik database, the belt-and-suspenders option for self-hosters.

Clone this wiki locally