-
-
Notifications
You must be signed in to change notification settings - Fork 0
Config Restore
Restore compares a snapshot against the live tenant and builds a plan: each object is create (missing live), update (differs), or identical. You always run a read-only preview first; nothing is written until you click Apply and confirm.
-
Pick and choose - every actionable row has a checkbox; restore all changes or just the ones you select.
-
Additive by design - restore creates and updates objects; it never deletes anything from the live tenant.
-
Smart matching - objects are matched by internal id first (so renames are updates), then by natural key (slug/name/label), so an object that was deleted and recreated is recognized instead of duplicated. References follow: a restored policy binding points at the recreated app's new id automatically.
-
Converges - run the same restore twice and the second pass reports "identical, nothing to do".
| Provider | Restorable | Not auto-restored (visible in plan) |
|---|---|---|
| Authentik | Applications, providers, flows, stages, policies, bindings, groups, mappings, certificates, brands | Blueprints, managed objects (Authentik-owned) |
| Okta | Apps, groups, network zones, all policy types, identity providers, event/inline hooks | Authorization servers, schemas (user/app), profile mappings (auto-regenerated with the app) |
| Auth0 | Clients, connections, resource servers, roles, rules | Tenant settings, branding, custom domains, actions |
Objects that can't be auto-restored still show in the plan when they differ, marked unsupported, so a deletion is never invisible.
IdPs never export secret material, so a recreated app comes back with a new client secret / signing certificate. The report marks these created_new_credentials: update the integration on the far end.
The "Restore into" selector can target a different tenant of the same provider, restoring a snapshot into another tenant to clone or promote configuration between environments.