Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
fix: support client_id form field on introspect endpoint for federated client assertions (#1343 )
2026-02-27 23:43:52 +00:00 · 2026-02-25 21:05:36 -08:00 · 2026-02-25 20:57:47 -08:00 · 2026-02-25 19:08:45 -08:00 · 2026-02-23 20:36:19 +01:00 · 2026-02-23 20:36:00 +01:00
72 changed files with 511 additions and 388 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -2,7 +2,9 @@
  "name": "pocket-id",
  "image": "mcr.microsoft.com/devcontainers/typescript-node:1-22-bookworm",
  "features": {
-    "ghcr.io/devcontainers/features/go:1": {}
+    "ghcr.io/devcontainers/features/go:1": {
+      "version": "1.26"
+    }
  },
  "customizations": {
    "vscode": {
--- a/.github/workflows/backend-linter.yml
+++ b/.github/workflows/backend-linter.yml
@@ -32,9 +32,9 @@ jobs:
          go-version-file: backend/go.mod

      - name: Run Golangci-lint
-        uses: golangci/golangci-lint-action@v8.0.0
+        uses: golangci/golangci-lint-action@v9.0.0
        with:
-          version: v2.4.0
+          version: v2.9.0
          args: --build-tags=exclude_frontend
          working-directory: backend
          only-new-issues: ${{ github.event_name == 'pull_request' }}
--- a/.github/workflows/build-next.yml
+++ b/.github/workflows/build-next.yml
@@ -27,7 +27,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@v5
        with:
-          node-version: 22
+          node-version: 24

      - name: Setup Go
        uses: actions/setup-go@v6
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -78,7 +78,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@v5
        with:
-          node-version: 22
+          node-version: 24

      - name: Cache Playwright Browsers
        uses: actions/cache@v4
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@v5
        with:
-          node-version: 22
+          node-version: 24
      - uses: actions/setup-go@v6
        with:
          go-version-file: "backend/go.mod"
--- a/.github/workflows/svelte-check.yml
+++ b/.github/workflows/svelte-check.yml
@@ -42,7 +42,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@v5
        with:
-          node-version: 22
+          node-version: 24

      - name: Install dependencies
        run: pnpm --filter pocket-id-frontend install --frozen-lockfile
--- a/.version
+++ b/.version
@@ -1 +1 @@
-2.2.0
+2.3.0
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,44 @@
+## v2.3.0
+
+### Bug Fixes
+
+- ENCRYPTION_KEY needed for version and help commands ([#1256](https://github.com/pocket-id/pocket-id/pull/1256) by @kmendell)
+- prevent deletion of OIDC provider logo for non admin/anonymous users ([#1267](https://github.com/pocket-id/pocket-id/pull/1267) by @HiMoritz)
+- add `type="url"` to url inputs ([bb7b0d5](https://github.com/pocket-id/pocket-id/commit/bb7b0d56084df49b6a003cc3eaf076884e2cbf60) by @stonith404)
+- increase rate limit for frontend and api requests ([aab7e36](https://github.com/pocket-id/pocket-id/commit/aab7e364e85f1ce13950da93cc50324328cdd96d) by @stonith404)
+- decode URL-encoded client ID and secret in Basic auth ([#1263](https://github.com/pocket-id/pocket-id/pull/1263) by @ypomortsev)
+- token endpoint must not accept params as query string args ([#1321](https://github.com/pocket-id/pocket-id/pull/1321) by @ItalyPaleAle)
+- left align input error messages ([b3fe143](https://github.com/pocket-id/pocket-id/commit/b3fe14313684f9d8c389ed93ea8e479e3681b5c6) by @stonith404)
+- disallow API key renewal and creation with API key authentication ([#1334](https://github.com/pocket-id/pocket-id/pull/1334) by @stonith404)
+
+### Features
+
+- add VERSION_CHECK_DISABLED environment variable ([#1254](https://github.com/pocket-id/pocket-id/pull/1254) by @dihmandrake)
+- add support for HTTP/2 ([56afebc](https://github.com/pocket-id/pocket-id/commit/56afebc242be7ed14b58185425d6445bf18f640a) by @stonith404)
+- manageability of uncompressed geolite db file ([#1234](https://github.com/pocket-id/pocket-id/pull/1234) by @gucheen)
+- add JWT ID for generated tokens ([#1322](https://github.com/pocket-id/pocket-id/pull/1322) by @imnotjames)
+- current version api endpoint ([#1310](https://github.com/pocket-id/pocket-id/pull/1310) by @kmendell)
+
+### Other
+
+- bump @sveltejs/kit from 2.49.2 to 2.49.5 in the npm_and_yarn group across 1 directory ([#1240](https://github.com/pocket-id/pocket-id/pull/1240) by @dependabot[bot])
+- bump svelte from 5.46.1 to 5.46.4 in the npm_and_yarn group across 1 directory ([#1242](https://github.com/pocket-id/pocket-id/pull/1242) by @dependabot[bot])
+- bump devalue to 5.6.2 ([9dbc02e](https://github.com/pocket-id/pocket-id/commit/9dbc02e56871b2de6a39c443e1455efc26a949f7) by @kmendell)
+- upgrade deps ([4811625](https://github.com/pocket-id/pocket-id/commit/4811625cdd64b47ea67b7a9b03396e455896ccd6) by @kmendell)
+- add Estonian files ([53ef61a](https://github.com/pocket-id/pocket-id/commit/53ef61a3e5c4b77edec49d41ab94302bfec84269) by @kmendell)
+- update AAGUIDs ([#1257](https://github.com/pocket-id/pocket-id/pull/1257) by @github-actions[bot])
+- add Norwegian language files ([80558c5](https://github.com/pocket-id/pocket-id/commit/80558c562533e7b4d658d5baa4221d8cd209b47d) by @stonith404)
+- run formatter ([60825c5](https://github.com/pocket-id/pocket-id/commit/60825c5743b0e233ab622fd4d0ea04eb7ab59529) by @kmendell)
+- bump axios from 1.13.2 to 1.13.5 in the npm_and_yarn group across 1 directory ([#1309](https://github.com/pocket-id/pocket-id/pull/1309) by @dependabot[bot])
+- update dependenicies ([94a4897](https://github.com/pocket-id/pocket-id/commit/94a48977ba24e099b6221838d620c365eb1d4bf4) by @kmendell)
+- update AAGUIDs ([#1316](https://github.com/pocket-id/pocket-id/pull/1316) by @github-actions[bot])
+- bump svelte from 5.46.4 to 5.51.5 in the npm_and_yarn group across 1 directory ([#1324](https://github.com/pocket-id/pocket-id/pull/1324) by @dependabot[bot])
+- bump @sveltejs/kit from 2.49.5 to 2.52.2 in the npm_and_yarn group across 1 directory ([#1327](https://github.com/pocket-id/pocket-id/pull/1327) by @dependabot[bot])
+- upgrade dependencies ([0678699](https://github.com/pocket-id/pocket-id/commit/0678699d0cce5448c425b2c16bedab5fc242cbf0) by @stonith404)
+- upgrade to node 24 and go 1.26.0 ([#1328](https://github.com/pocket-id/pocket-id/pull/1328) by @kmendell)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v2.2.0...v2.3.0
+
 ## v2.2.0

 ### Bug Fixes
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -21,7 +21,6 @@ Before you submit the pull request for review please ensure that
  ```

  Where `TYPE` can be:
-
  - **feat** - is a new feature
  - **doc** - documentation only changes
  - **fix** - a bug fix
@@ -51,8 +50,8 @@ If you use [Dev Containers](https://code.visualstudio.com/docs/remote/containers

 If you don't use Dev Containers, you need to install the following tools manually:

- [Node.js](https://nodejs.org/en/download/) >= 22
- [Go](https://golang.org/doc/install) >= 1.25
+- [Node.js](https://nodejs.org/en/download/) >= 24
+- [Go](https://golang.org/doc/install) >= 1.26
 - [Git](https://git-scm.com/downloads)

 ### 2. Setup
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -1,6 +1,6 @@
 module github.com/pocket-id/pocket-id/backend

-go 1.25.0
+go 1.26.0

 require (
 	github.com/aws/aws-sdk-go-v2 v1.41.1
--- a/backend/internal/bootstrap/observability_boostrap.go
+++ b/backend/internal/bootstrap/observability_boostrap.go
@@ -118,11 +118,10 @@ func initOtelLogging(ctx context.Context, resource *resource.Resource) error {
 	// Set the logger provider globally
 	globallog.SetLoggerProvider(provider)

-	// Wrap the handler in a "fanout" one
-	handler = utils.LogFanoutHandler{
+	handler = slog.NewMultiHandler(
 		handler,
 		otelslog.NewHandler(common.Name, otelslog.WithLoggerProvider(provider)),
-	}
+	)

 	// Set the default slog to send logs to OTel and add the app name
 	log := slog.New(handler).
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -85,7 +85,7 @@ func initRouter(db *gorm.DB, svc *services) (utils.Service, error) {
 	controller.NewAuditLogController(apiGroup, svc.auditLogService, authMiddleware)
 	controller.NewUserGroupController(apiGroup, authMiddleware, svc.userGroupService)
 	controller.NewCustomClaimController(apiGroup, authMiddleware, svc.customClaimService)
-	controller.NewVersionController(apiGroup, svc.versionService)
+	controller.NewVersionController(apiGroup, authMiddleware, svc.versionService)
 	controller.NewScimController(apiGroup, authMiddleware, svc.scimService)
 	controller.NewUserSignupController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.userSignUpService, svc.appConfigService)

--- a/backend/internal/common/env_config.go
+++ b/backend/internal/common/env_config.go
@@ -106,7 +106,7 @@ func defaultConfig() EnvConfigSchema {

 func parseEnvConfig() error {
 	parsers := map[reflect.Type]env.ParserFunc{
-		reflect.TypeOf([]byte{}): func(value string) (interface{}, error) {
+		reflect.TypeFor[[]byte](): func(value string) (any, error) {
 			return []byte(value), nil
 		},
 	}
@@ -184,8 +184,8 @@ func ValidateEnvConfig(config *EnvConfigSchema) error {
 	}

 	// Validate LOCAL_IPV6_RANGES
-	ranges := strings.Split(config.LocalIPv6Ranges, ",")
-	for _, rangeStr := range ranges {
+	ranges := strings.SplitSeq(config.LocalIPv6Ranges, ",")
+	for rangeStr := range ranges {
 		rangeStr = strings.TrimSpace(rangeStr)
 		if rangeStr == "" {
 			continue
@@ -235,9 +235,9 @@ func prepareEnvConfig(config *EnvConfigSchema) error {
 		fieldType := typ.Field(i)

 		optionsTag := fieldType.Tag.Get("options")
-		options := strings.Split(optionsTag, ",")
+		options := strings.SplitSeq(optionsTag, ",")

-		for _, option := range options {
+		for option := range options {
 			switch option {
 			case "toLower":
 				if field.Kind() == reflect.String {
--- a/backend/internal/common/errors.go
+++ b/backend/internal/common/errors.go
@@ -20,7 +20,7 @@ type AlreadyInUseError struct {
 func (e *AlreadyInUseError) Error() string {
 	return e.Property + " is already in use"
 }
-func (e *AlreadyInUseError) HttpStatusCode() int { return 400 }
+func (e *AlreadyInUseError) HttpStatusCode() int { return http.StatusBadRequest }

 func (e *AlreadyInUseError) Is(target error) bool {
 	// Ignore the field property when checking if an error is of the type AlreadyInUseError
@@ -31,26 +31,26 @@ func (e *AlreadyInUseError) Is(target error) bool {
 type SetupAlreadyCompletedError struct{}

 func (e *SetupAlreadyCompletedError) Error() string       { return "setup already completed" }
-func (e *SetupAlreadyCompletedError) HttpStatusCode() int { return 400 }
+func (e *SetupAlreadyCompletedError) HttpStatusCode() int { return http.StatusConflict }

 type TokenInvalidOrExpiredError struct{}

 func (e *TokenInvalidOrExpiredError) Error() string       { return "token is invalid or expired" }
-func (e *TokenInvalidOrExpiredError) HttpStatusCode() int { return 400 }
+func (e *TokenInvalidOrExpiredError) HttpStatusCode() int { return http.StatusUnauthorized }

 type DeviceCodeInvalid struct{}

 func (e *DeviceCodeInvalid) Error() string {
 	return "one time access code must be used on the device it was generated for"
 }
-func (e *DeviceCodeInvalid) HttpStatusCode() int { return 400 }
+func (e *DeviceCodeInvalid) HttpStatusCode() int { return http.StatusUnauthorized }

 type TokenInvalidError struct{}

 func (e *TokenInvalidError) Error() string {
 	return "Token is invalid"
 }
-func (e *TokenInvalidError) HttpStatusCode() int { return 400 }
+func (e *TokenInvalidError) HttpStatusCode() int { return http.StatusUnauthorized }

 type OidcMissingAuthorizationError struct{}

@@ -60,46 +60,51 @@ func (e *OidcMissingAuthorizationError) HttpStatusCode() int { return http.Statu
 type OidcGrantTypeNotSupportedError struct{}

 func (e *OidcGrantTypeNotSupportedError) Error() string       { return "grant type not supported" }
-func (e *OidcGrantTypeNotSupportedError) HttpStatusCode() int { return 400 }
+func (e *OidcGrantTypeNotSupportedError) HttpStatusCode() int { return http.StatusBadRequest }

 type OidcMissingClientCredentialsError struct{}

 func (e *OidcMissingClientCredentialsError) Error() string       { return "client id or secret not provided" }
-func (e *OidcMissingClientCredentialsError) HttpStatusCode() int { return 400 }
+func (e *OidcMissingClientCredentialsError) HttpStatusCode() int { return http.StatusBadRequest }

 type OidcClientSecretInvalidError struct{}

 func (e *OidcClientSecretInvalidError) Error() string       { return "invalid client secret" }
-func (e *OidcClientSecretInvalidError) HttpStatusCode() int { return 400 }
+func (e *OidcClientSecretInvalidError) HttpStatusCode() int { return http.StatusUnauthorized }

 type OidcClientAssertionInvalidError struct{}

 func (e *OidcClientAssertionInvalidError) Error() string       { return "invalid client assertion" }
-func (e *OidcClientAssertionInvalidError) HttpStatusCode() int { return 400 }
+func (e *OidcClientAssertionInvalidError) HttpStatusCode() int { return http.StatusUnauthorized }

 type OidcInvalidAuthorizationCodeError struct{}

 func (e *OidcInvalidAuthorizationCodeError) Error() string       { return "invalid authorization code" }
-func (e *OidcInvalidAuthorizationCodeError) HttpStatusCode() int { return 400 }
+func (e *OidcInvalidAuthorizationCodeError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcClientNotFoundError struct{}
+
+func (e *OidcClientNotFoundError) Error() string       { return "client not found" }
+func (e *OidcClientNotFoundError) HttpStatusCode() int { return http.StatusNotFound }

 type OidcMissingCallbackURLError struct{}

 func (e *OidcMissingCallbackURLError) Error() string {
 	return "unable to detect callback url, it might be necessary for an admin to fix this"
 }
-func (e *OidcMissingCallbackURLError) HttpStatusCode() int { return 400 }
+func (e *OidcMissingCallbackURLError) HttpStatusCode() int { return http.StatusBadRequest }

 type OidcInvalidCallbackURLError struct{}

 func (e *OidcInvalidCallbackURLError) Error() string {
 	return "invalid callback URL, it might be necessary for an admin to fix this"
 }
-func (e *OidcInvalidCallbackURLError) HttpStatusCode() int { return 400 }
+func (e *OidcInvalidCallbackURLError) HttpStatusCode() int { return http.StatusBadRequest }

 type FileTypeNotSupportedError struct{}

 func (e *FileTypeNotSupportedError) Error() string       { return "file type not supported" }
-func (e *FileTypeNotSupportedError) HttpStatusCode() int { return 400 }
+func (e *FileTypeNotSupportedError) HttpStatusCode() int { return http.StatusBadRequest }

 type FileTooLargeError struct {
 	MaxSize string
@@ -280,6 +285,13 @@ func (e *APIKeyExpirationDateError) Error() string {
 }
 func (e *APIKeyExpirationDateError) HttpStatusCode() int { return http.StatusBadRequest }

+type APIKeyAuthNotAllowedError struct{}
+
+func (e *APIKeyAuthNotAllowedError) Error() string {
+	return "API key authentication is not allowed for this endpoint"
+}
+func (e *APIKeyAuthNotAllowedError) HttpStatusCode() int { return http.StatusForbidden }
+
 type OidcInvalidRefreshTokenError struct{}

 func (e *OidcInvalidRefreshTokenError) Error() string {
--- a/backend/internal/controller/api_key_controller.go
+++ b/backend/internal/controller/api_key_controller.go
@@ -26,12 +26,11 @@ func NewApiKeyController(group *gin.RouterGroup, authMiddleware *middleware.Auth
 	uc := &ApiKeyController{apiKeyService: apiKeyService}

 	apiKeyGroup := group.Group("/api-keys")
-	apiKeyGroup.Use(authMiddleware.WithAdminNotRequired().Add())
 	{
-		apiKeyGroup.GET("", uc.listApiKeysHandler)
-		apiKeyGroup.POST("", uc.createApiKeyHandler)
-		apiKeyGroup.POST("/:id/renew", uc.renewApiKeyHandler)
-		apiKeyGroup.DELETE("/:id", uc.revokeApiKeyHandler)
+		apiKeyGroup.GET("", authMiddleware.WithAdminNotRequired().Add(), uc.listApiKeysHandler)
+		apiKeyGroup.POST("", authMiddleware.WithAdminNotRequired().WithApiKeyAuthDisabled().Add(), uc.createApiKeyHandler)
+		apiKeyGroup.POST("/:id/renew", authMiddleware.WithAdminNotRequired().WithApiKeyAuthDisabled().Add(), uc.renewApiKeyHandler)
+		apiKeyGroup.DELETE("/:id", authMiddleware.WithAdminNotRequired().Add(), uc.revokeApiKeyHandler)
 	}
 }

--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -335,11 +335,13 @@ func (oc *OidcController) introspectTokenHandler(c *gin.Context) {
 	)
 	creds.ClientID, creds.ClientSecret, ok = utils.OAuthClientBasicAuth(c.Request)
 	if !ok {
-		// If there's no basic auth, check if we have a bearer token
+		// If there's no basic auth, check if we have a bearer token (used as client assertion)
 		bearer, ok := utils.BearerAuth(c.Request)
 		if ok {
 			creds.ClientAssertionType = service.ClientAssertionTypeJWTBearer
 			creds.ClientAssertion = bearer
+			// When using client assertions, client_id can be passed as a form field
+			creds.ClientID = input.ClientID
 		}
 	}

@@ -662,8 +664,13 @@ func (oc *OidcController) updateAllowedUserGroupsHandler(c *gin.Context) {
 }

 func (oc *OidcController) deviceAuthorizationHandler(c *gin.Context) {
+	// Per RFC 8628 (OAuth 2.0 Device Authorization Grant), parameters for the device authorization request MUST be sent in the body of the POST request
+	// Gin's "ShouldBind" by default reads from the query string too, so we need to reset all query string args before invoking ShouldBind
+	c.Request.URL.RawQuery = ""
+
 	var input dto.OidcDeviceAuthorizationRequestDto
-	if err := c.ShouldBind(&input); err != nil {
+	err := c.ShouldBind(&input)
+	if err != nil {
 		_ = c.Error(err)
 		return
 	}
--- a/backend/internal/controller/version_controller.go
+++ b/backend/internal/controller/version_controller.go
@@ -5,14 +5,17 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 // NewVersionController registers version-related routes.
-func NewVersionController(group *gin.RouterGroup, versionService *service.VersionService) {
+func NewVersionController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, versionService *service.VersionService) {
 	vc := &VersionController{versionService: versionService}
 	group.GET("/version/latest", vc.getLatestVersionHandler)
+	group.GET("/version/current", authMiddleware.WithAdminNotRequired().Add(), vc.getCurrentVersionHandler)
 }

 type VersionController struct {
@@ -38,3 +41,16 @@ func (vc *VersionController) getLatestVersionHandler(c *gin.Context) {
 		"latestVersion": tag,
 	})
 }
+
+// getCurrentVersionHandler godoc
+// @Summary Get current deployed version of Pocket ID
+// @Tags Version
+// @Produce json
+// @Success 200 {object} map[string]string "Current version information"
+// @Router /api/version/current [get]
+func (vc *VersionController) getCurrentVersionHandler(c *gin.Context) {
+
+	c.JSON(http.StatusOK, gin.H{
+		"currentVersion": common.Version,
+	})
+}
--- a/backend/internal/dto/dto_mapper_test.go
+++ b/backend/internal/dto/dto_mapper_test.go
@@ -9,7 +9,6 @@ import (

 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
-	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 type sourceStruct struct {
@@ -60,11 +59,11 @@ type embeddedStruct struct {
 func TestMapStruct(t *testing.T) {
 	src := sourceStruct{
 		AString:            "abcd",
-		AStringPtr:         utils.Ptr("xyz"),
+		AStringPtr:         new("xyz"),
 		ABool:              true,
-		ABoolPtr:           utils.Ptr(false),
+		ABoolPtr:           new(false),
 		ACustomDateTime:    datatype.DateTime(time.Date(2025, 1, 2, 3, 4, 5, 0, time.UTC)),
-		ACustomDateTimePtr: utils.Ptr(datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC))),
+		ACustomDateTimePtr: new(datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC))),
 		ANilStringPtr:      nil,
 		ASlice:             []string{"a", "b", "c"},
 		AMap: map[string]int{
@@ -80,8 +79,8 @@ func TestMapStruct(t *testing.T) {
 			Bar: 111,
 		},

-		StringPtrToString:      utils.Ptr("foobar"),
-		EmptyStringPtrToString: utils.Ptr(""),
+		StringPtrToString:      new("foobar"),
+		EmptyStringPtrToString: new(""),
 		NilStringPtrToString:   nil,
 		IntToInt64:             99,
 		AuditLogEventToString:  model.AuditLogEventAccountCreated,
@@ -118,11 +117,11 @@ func TestMapStructList(t *testing.T) {
 	sources := []sourceStruct{
 		{
 			AString:            "first",
-			AStringPtr:         utils.Ptr("one"),
+			AStringPtr:         new("one"),
 			ABool:              true,
-			ABoolPtr:           utils.Ptr(false),
+			ABoolPtr:           new(false),
 			ACustomDateTime:    datatype.DateTime(time.Date(2025, 1, 2, 3, 4, 5, 0, time.UTC)),
-			ACustomDateTimePtr: utils.Ptr(datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC))),
+			ACustomDateTimePtr: new(datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC))),
 			ASlice:             []string{"a", "b"},
 			AMap: map[string]int{
 				"a": 1,
@@ -136,11 +135,11 @@ func TestMapStructList(t *testing.T) {
 		},
 		{
 			AString:            "second",
-			AStringPtr:         utils.Ptr("two"),
+			AStringPtr:         new("two"),
 			ABool:              false,
-			ABoolPtr:           utils.Ptr(true),
+			ABoolPtr:           new(true),
 			ACustomDateTime:    datatype.DateTime(time.Date(2026, 6, 7, 8, 9, 10, 0, time.UTC)),
-			ACustomDateTimePtr: utils.Ptr(datatype.DateTime(time.Date(2023, 6, 7, 8, 9, 10, 0, time.UTC))),
+			ACustomDateTimePtr: new(datatype.DateTime(time.Date(2023, 6, 7, 8, 9, 10, 0, time.UTC))),
 			ASlice:             []string{"c", "d", "e"},
 			AMap: map[string]int{
 				"c": 3,
--- a/backend/internal/dto/dto_normalize.go
+++ b/backend/internal/dto/dto_normalize.go
@@ -12,7 +12,7 @@ import (
 // Normalize iterates through an object and performs Unicode normalization on all string fields with the `unorm` tag.
 func Normalize(obj any) {
 	v := reflect.ValueOf(obj)
-	if v.Kind() != reflect.Ptr || v.IsNil() {
+	if v.Kind() != reflect.Pointer || v.IsNil() {
 		return
 	}
 	v = v.Elem()
@@ -21,7 +21,7 @@ func Normalize(obj any) {
 	if v.Kind() == reflect.Slice {
 		for i := 0; i < v.Len(); i++ {
 			elem := v.Index(i)
-			if elem.Kind() == reflect.Ptr && !elem.IsNil() && elem.Elem().Kind() == reflect.Struct {
+			if elem.Kind() == reflect.Pointer && !elem.IsNil() && elem.Elem().Kind() == reflect.Struct {
 				Normalize(elem.Interface())
 			} else if elem.Kind() == reflect.Struct && elem.CanAddr() {
 				Normalize(elem.Addr().Interface())
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -98,7 +98,8 @@ type OidcCreateTokensDto struct {
 }

 type OidcIntrospectDto struct {
-	Token string `form:"token" binding:"required"`
+	Token    string `form:"token" binding:"required"`
+	ClientID string `form:"client_id"`
 }

 type OidcUpdateAllowedUserGroupsDto struct {
--- a/backend/internal/dto/scim_dto.go
+++ b/backend/internal/dto/scim_dto.go
@@ -67,7 +67,7 @@ type ScimResourceData struct {
 type ScimResourceMeta struct {
 	Location     string    `json:"location,omitempty"`
 	ResourceType string    `json:"resourceType,omitempty"`
-	Created      time.Time `json:"created,omitempty"`
+	Created      time.Time `json:"created"`
 	LastModified time.Time `json:"lastModified,omitempty"`
 	Version      string    `json:"version,omitempty"`
 }
--- a/backend/internal/dto/user_dto_test.go
+++ b/backend/internal/dto/user_dto_test.go
@@ -3,7 +3,6 @@ package dto
 import (
 	"testing"

-	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/stretchr/testify/require"
 )

@@ -17,7 +16,7 @@ func TestUserCreateDto_Validate(t *testing.T) {
 			name: "valid input",
 			input: UserCreateDto{
 				Username:    "testuser",
-				Email:       utils.Ptr("test@example.com"),
+				Email:       new("test@example.com"),
 				FirstName:   "John",
 				LastName:    "Doe",
 				DisplayName: "John Doe",
@@ -27,7 +26,7 @@ func TestUserCreateDto_Validate(t *testing.T) {
 		{
 			name: "missing username",
 			input: UserCreateDto{
-				Email:       utils.Ptr("test@example.com"),
+				Email:       new("test@example.com"),
 				FirstName:   "John",
 				LastName:    "Doe",
 				DisplayName: "John Doe",
@@ -37,7 +36,7 @@ func TestUserCreateDto_Validate(t *testing.T) {
 		{
 			name: "missing display name",
 			input: UserCreateDto{
-				Email:     utils.Ptr("test@example.com"),
+				Email:     new("test@example.com"),
 				FirstName: "John",
 				LastName:  "Doe",
 			},
@@ -47,7 +46,7 @@ func TestUserCreateDto_Validate(t *testing.T) {
 			name: "username contains invalid characters",
 			input: UserCreateDto{
 				Username:    "test/ser",
-				Email:       utils.Ptr("test@example.com"),
+				Email:       new("test@example.com"),
 				FirstName:   "John",
 				LastName:    "Doe",
 				DisplayName: "John Doe",
@@ -58,7 +57,7 @@ func TestUserCreateDto_Validate(t *testing.T) {
 			name: "invalid email",
 			input: UserCreateDto{
 				Username:    "testuser",
-				Email:       utils.Ptr("not-an-email"),
+				Email:       new("not-an-email"),
 				FirstName:   "John",
 				LastName:    "Doe",
 				DisplayName: "John Doe",
@@ -69,7 +68,7 @@ func TestUserCreateDto_Validate(t *testing.T) {
 			name: "first name too short",
 			input: UserCreateDto{
 				Username:    "testuser",
-				Email:       utils.Ptr("test@example.com"),
+				Email:       new("test@example.com"),
 				FirstName:   "",
 				LastName:    "Doe",
 				DisplayName: "John Doe",
@@ -80,7 +79,7 @@ func TestUserCreateDto_Validate(t *testing.T) {
 			name: "last name too long",
 			input: UserCreateDto{
 				Username:    "testuser",
-				Email:       utils.Ptr("test@example.com"),
+				Email:       new("test@example.com"),
 				FirstName:   "John",
 				LastName:    "abcdfghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz",
 				DisplayName: "John Doe",
--- a/backend/internal/middleware/auth_middleware.go
+++ b/backend/internal/middleware/auth_middleware.go
@@ -18,6 +18,7 @@ type AuthMiddleware struct {
 type AuthOptions struct {
 	AdminRequired   bool
 	SuccessOptional bool
+	AllowApiKeyAuth bool
 }

 func NewAuthMiddleware(
@@ -31,6 +32,7 @@ func NewAuthMiddleware(
 		options: AuthOptions{
 			AdminRequired:   true,
 			SuccessOptional: false,
+			AllowApiKeyAuth: true,
 		},
 	}
 }
@@ -59,6 +61,17 @@ func (m *AuthMiddleware) WithSuccessOptional() *AuthMiddleware {
 	return clone
 }

+// WithApiKeyAuthDisabled disables API key authentication fallback and requires JWT auth.
+func (m *AuthMiddleware) WithApiKeyAuthDisabled() *AuthMiddleware {
+	clone := &AuthMiddleware{
+		apiKeyMiddleware: m.apiKeyMiddleware,
+		jwtMiddleware:    m.jwtMiddleware,
+		options:          m.options,
+	}
+	clone.options.AllowApiKeyAuth = false
+	return clone
+}
+
 func (m *AuthMiddleware) Add() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		userID, isAdmin, err := m.jwtMiddleware.Verify(c, m.options.AdminRequired)
@@ -79,6 +92,21 @@ func (m *AuthMiddleware) Add() gin.HandlerFunc {
 			return
 		}

+		if !m.options.AllowApiKeyAuth {
+			if m.options.SuccessOptional {
+				c.Next()
+				return
+			}
+
+			c.Abort()
+			if c.GetHeader("X-API-Key") != "" {
+				_ = c.Error(&common.APIKeyAuthNotAllowedError{})
+				return
+			}
+			_ = c.Error(err)
+			return
+		}
+
 		// JWT auth failed, try API key auth
 		userID, isAdmin, err = m.apiKeyMiddleware.Verify(c, m.options.AdminRequired)
 		if err == nil {
--- a/backend/internal/middleware/auth_middleware_test.go
+++ b/backend/internal/middleware/auth_middleware_test.go
@@ -0,0 +1,104 @@
+package middleware
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/require"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	testutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
+)
+
+func TestWithApiKeyAuthDisabled(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	originalEnvConfig := common.EnvConfig
+	defer func() {
+		common.EnvConfig = originalEnvConfig
+	}()
+	common.EnvConfig.AppURL = "https://test.example.com"
+	common.EnvConfig.EncryptionKey = []byte("0123456789abcdef0123456789abcdef")
+
+	db := testutils.NewDatabaseForTest(t)
+
+	appConfigService, err := service.NewAppConfigService(t.Context(), db)
+	require.NoError(t, err)
+
+	jwtService, err := service.NewJwtService(t.Context(), db, appConfigService)
+	require.NoError(t, err)
+
+	userService := service.NewUserService(db, jwtService, nil, nil, appConfigService, nil, nil, nil, nil)
+	apiKeyService, err := service.NewApiKeyService(t.Context(), db, nil)
+	require.NoError(t, err)
+
+	authMiddleware := NewAuthMiddleware(apiKeyService, userService, jwtService)
+
+	user := createUserForAuthMiddlewareTest(t, db)
+	jwtToken, err := jwtService.GenerateAccessToken(user)
+	require.NoError(t, err)
+
+	_, apiKeyToken, err := apiKeyService.CreateApiKey(t.Context(), user.ID, dto.ApiKeyCreateDto{
+		Name:      "Middleware API Key",
+		ExpiresAt: datatype.DateTime(time.Now().Add(24 * time.Hour)),
+	})
+	require.NoError(t, err)
+
+	router := gin.New()
+	router.Use(NewErrorHandlerMiddleware().Add())
+	router.GET("/api/protected", authMiddleware.WithAdminNotRequired().WithApiKeyAuthDisabled().Add(), func(c *gin.Context) {
+		c.Status(http.StatusNoContent)
+	})
+
+	t.Run("rejects API key auth when API key auth is disabled", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/api/protected", nil)
+		req.Header.Set("X-API-Key", apiKeyToken)
+		recorder := httptest.NewRecorder()
+
+		router.ServeHTTP(recorder, req)
+
+		require.Equal(t, http.StatusForbidden, recorder.Code)
+
+		var body map[string]string
+		err := json.Unmarshal(recorder.Body.Bytes(), &body)
+		require.NoError(t, err)
+		require.Equal(t, "API key authentication is not allowed for this endpoint", body["error"])
+	})
+
+	t.Run("allows JWT auth when API key auth is disabled", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/api/protected", nil)
+		req.Header.Set("Authorization", "Bearer "+jwtToken)
+		recorder := httptest.NewRecorder()
+
+		router.ServeHTTP(recorder, req)
+
+		require.Equal(t, http.StatusNoContent, recorder.Code)
+	})
+}
+
+func createUserForAuthMiddlewareTest(t *testing.T, db *gorm.DB) model.User {
+	t.Helper()
+
+	email := "auth@example.com"
+	user := model.User{
+		Username:    "auth-user",
+		Email:       &email,
+		FirstName:   "Auth",
+		LastName:    "User",
+		DisplayName: "Auth User",
+	}
+
+	err := db.Create(&user).Error
+	require.NoError(t, err)
+
+	return user
+}
--- a/backend/internal/model/app_config_test.go
+++ b/backend/internal/model/app_config_test.go
@@ -70,13 +70,12 @@ func TestAppConfigVariable_AsMinutesDuration(t *testing.T) {
 // - dto.AppConfigDto should not include "internal" fields from model.AppConfig
 // This test is primarily meant to catch discrepancies between the two structs as fields are added or removed over time
 func TestAppConfigStructMatchesUpdateDto(t *testing.T) {
-	appConfigType := reflect.TypeOf(model.AppConfig{})
-	updateDtoType := reflect.TypeOf(dto.AppConfigUpdateDto{})
+	appConfigType := reflect.TypeFor[model.AppConfig]()
+	updateDtoType := reflect.TypeFor[dto.AppConfigUpdateDto]()

 	// Process AppConfig fields
 	appConfigFields := make(map[string]string)
-	for i := 0; i < appConfigType.NumField(); i++ {
-		field := appConfigType.Field(i)
+	for field := range appConfigType.Fields() {
 		if field.Tag.Get("key") == "" {
 			// Skip internal fields
 			continue
@@ -91,9 +90,7 @@ func TestAppConfigStructMatchesUpdateDto(t *testing.T) {

 	// Process AppConfigUpdateDto fields
 	dtoFields := make(map[string]string)
-	for i := 0; i < updateDtoType.NumField(); i++ {
-		field := updateDtoType.Field(i)
-
+	for field := range updateDtoType.Fields() {
 		// Extract the json name from the tag (takes the part before any binding constraints)
 		jsonTag := field.Tag.Get("json")
 		jsonName, _, _ := strings.Cut(jsonTag, ",")
--- a/backend/internal/model/webauthn.go
+++ b/backend/internal/model/webauthn.go
@@ -58,7 +58,7 @@ type ReauthenticationToken struct {
 type AuthenticatorTransportList []protocol.AuthenticatorTransport //nolint:recvcheck

 // Scan and Value methods for GORM to handle the custom type
-func (atl *AuthenticatorTransportList) Scan(value interface{}) error {
+func (atl *AuthenticatorTransportList) Scan(value any) error {
 	return utils.UnmarshalJSONFromDatabase(atl, value)
 }

@@ -69,7 +69,7 @@ func (atl AuthenticatorTransportList) Value() (driver.Value, error) {
 type CredentialParameters []protocol.CredentialParameter //nolint:recvcheck

 // Scan and Value methods for GORM to handle the custom type
-func (cp *CredentialParameters) Scan(value interface{}) error {
+func (cp *CredentialParameters) Scan(value any) error {
 	return utils.UnmarshalJSONFromDatabase(cp, value)
 }

--- a/backend/internal/service/api_key_service.go
+++ b/backend/internal/service/api_key_service.go
@@ -77,6 +77,9 @@ func (s *ApiKeyService) CreateApiKey(ctx context.Context, userID string, input d
 		Create(&apiKey).
 		Error
 	if err != nil {
+		if errors.Is(err, gorm.ErrDuplicatedKey) {
+			return model.ApiKey{}, "", &common.AlreadyInUseError{Property: "API key name"}
+		}
 		return model.ApiKey{}, "", err
 	}

@@ -170,7 +173,7 @@ func (s *ApiKeyService) ValidateApiKey(ctx context.Context, apiKey string) (mode
 		Clauses(clause.Returning{}).
 		Where("key = ? AND expires_at > ?", hashedKey, datatype.DateTime(now)).
 		Updates(&model.ApiKey{
-			LastUsedAt: utils.Ptr(datatype.DateTime(now)),
+			LastUsedAt: new(datatype.DateTime(now)),
 		}).
 		Preload("User").
 		First(&key).
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -186,8 +186,7 @@ func (s *AppConfigService) UpdateAppConfig(ctx context.Context, input dto.AppCon
 	rt := reflect.ValueOf(input).Type()
 	rv := reflect.ValueOf(input)
 	dbUpdate := make([]model.AppConfigVariable, 0, rt.NumField())
-	for i := range rt.NumField() {
-		field := rt.Field(i)
+	for field := range rt.Fields() {
 		value := rv.FieldByName(field.Name).String()

 		// Get the value of the json tag, taking only what's before the comma
--- a/backend/internal/service/e2etest_service.go
+++ b/backend/internal/service/e2etest_service.go
@@ -81,7 +81,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 					ID: "f4b89dc2-62fb-46bf-9f5f-c34f4eafe93e",
 				},
 				Username:      "tim",
-				Email:         utils.Ptr("tim.cook@test.com"),
+				Email:         new("tim.cook@test.com"),
 				EmailVerified: true,
 				FirstName:     "Tim",
 				LastName:      "Cook",
@@ -93,7 +93,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 					ID: "1cd19686-f9a6-43f4-a41f-14a0bf5b4036",
 				},
 				Username:      "craig",
-				Email:         utils.Ptr("craig.federighi@test.com"),
+				Email:         new("craig.federighi@test.com"),
 				EmailVerified: false,
 				FirstName:     "Craig",
 				LastName:      "Federighi",
@@ -105,7 +105,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 					ID: "d9256384-98ad-49a7-bc58-99ad0b4dc23c",
 				},
 				Username:    "eddy",
-				Email:       utils.Ptr("eddy.cue@test.com"),
+				Email:       new("eddy.cue@test.com"),
 				FirstName:   "Eddy",
 				LastName:    "Cue",
 				DisplayName: "Eddy Cue",
@@ -171,12 +171,12 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 					ID: "3654a746-35d4-4321-ac61-0bdcff2b4055",
 				},
 				Name:               "Nextcloud",
-				LaunchURL:          utils.Ptr("https://nextcloud.local"),
+				LaunchURL:          new("https://nextcloud.local"),
 				Secret:             "$2a$10$9dypwot8nGuCjT6wQWWpJOckZfRprhe2EkwpKizxS/fpVHrOLEJHC", // w2mUeZISmEvIDMEDvpY0PnxQIpj1m3zY
 				CallbackURLs:       model.UrlList{"http://nextcloud/auth/callback"},
 				LogoutCallbackURLs: model.UrlList{"http://nextcloud/auth/logout/callback"},
-				ImageType:          utils.StringPointer("png"),
-				CreatedByID:        utils.Ptr(users[0].ID),
+				ImageType:          new("png"),
+				CreatedByID:        new(users[0].ID),
 			},
 			{
 				Base: model.Base{
@@ -185,7 +185,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				Name:              "Immich",
 				Secret:            "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
 				CallbackURLs:      model.UrlList{"http://immich/auth/callback"},
-				CreatedByID:       utils.Ptr(users[1].ID),
+				CreatedByID:       new(users[1].ID),
 				IsGroupRestricted: true,
 				AllowedUserGroups: []model.UserGroup{
 					userGroups[1],
@@ -200,7 +200,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				CallbackURLs:       model.UrlList{"http://tailscale/auth/callback"},
 				LogoutCallbackURLs: model.UrlList{"http://tailscale/auth/logout/callback"},
 				IsGroupRestricted:  true,
-				CreatedByID:        utils.Ptr(users[0].ID),
+				CreatedByID:        new(users[0].ID),
 			},
 			{
 				Base: model.Base{
@@ -209,7 +209,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				Name:              "Federated",
 				Secret:            "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
 				CallbackURLs:      model.UrlList{"http://federated/auth/callback"},
-				CreatedByID:       utils.Ptr(users[1].ID),
+				CreatedByID:       new(users[1].ID),
 				AllowedUserGroups: []model.UserGroup{},
 				Credentials: model.OidcClientCredentials{
 					FederatedIdentities: []model.OidcClientFederatedIdentity{
@@ -229,7 +229,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				Name:              "SCIM Client",
 				Secret:            "$2a$10$h4wfa8gI7zavDAxwzSq1sOwYU4e8DwK1XZ8ZweNnY5KzlJ3Iz.qdK", // nQbiuMRG7FpdK2EnDd5MBivWQeKFXohn
 				CallbackURLs:      model.UrlList{"http://scimclient/auth/callback"},
-				CreatedByID:       utils.Ptr(users[0].ID),
+				CreatedByID:       new(users[0].ID),
 				IsGroupRestricted: true,
 				AllowedUserGroups: []model.UserGroup{
 					userGroups[0],
@@ -458,7 +458,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 			{
 				Key: jwkutils.PrivateKeyDBKey,
 				// {"alg":"RS256","d":"mvMDWSdPPvcum0c0iEHE2gbqtV2NKMmLwrl9E6K7g8lTV95SePLnW_bwyMPV7EGp7PQk3l17I5XRhFjze7GqTnFIOgKzMianPs7jv2ELtBMGK0xOPATgu1iGb70xZ6vcvuEfRyY3dJ0zr4jpUdVuXwKmx9rK4IdZn2dFCKfvSuspqIpz11RhF1ALrqDLkxGVv7ZwNh0_VhJZU9hcjG5l6xc7rQEKpPRkZp0IdjkGS8Z0FskoVaiRIWAbZuiVFB9WCW8k1czC4HQTPLpII01bUQx2ludbm0UlXRgVU9ptUUbU7GAImQqTOW8LfPGklEvcgzlIlR_oqw4P9yBxLi-yMQ","dp":"pvNCSnnhbo8Igw9psPR-DicxFnkXlu_ix4gpy6efTrxA-z1VDFDioJ814vKQNioYDzpyAP1gfMPhRkvG_q0hRZsJah3Sb9dfA-WkhSWY7lURQP4yIBTMU0PF_rEATuS7lRciYk1SOx5fqXZd3m_LP0vpBC4Ujlq6NAq6CIjCnms","dq":"TtUVGCCkPNgfOLmkYXu7dxxUCV5kB01-xAEK2OY0n0pG8vfDophH4_D_ZC7nvJ8J9uDhs_3JStexq1lIvaWtG99RNTChIEDzpdn6GH9yaVcb_eB4uJjrNm64FhF8PGCCwxA-xMCZMaARKwhMB2_IOMkxUbWboL3gnhJ2rDO_QO0","e":"AQAB","kid":"8uHDw3M6rf8","kty":"RSA","n":"yaeEL0VKoPBXIAaWXsUgmu05lAvEIIdJn0FX9lHh4JE5UY9B83C5sCNdhs9iSWzpeP11EVjWp8i3Yv2CF7c7u50BXnVBGtxpZpFC-585UXacoJ0chUmarL9GRFJcM1nPHBTFu68aRrn1rIKNHUkNaaxFo0NFGl_4EDDTO8HwawTjwkPoQlRzeByhlvGPVvwgB3Fn93B8QJ_cZhXKxJvjjrC_8Pk76heC_ntEMru71Ix77BoC3j2TuyiN7m9RNBW8BU5q6lKoIdvIeZfTFLzi37iufyfvMrJTixp9zhNB1NxlLCeOZl2MXegtiGqd2H3cbAyqoOiv9ihUWTfXj7SxJw","p":"_Yylc9e07CKdqNRD2EosMC2mrhrEa9j5oY_l00Qyy4-jmCA59Q9viyqvveRo0U7cRvFA5BWgWN6GGLh1DG3X-QBqVr0dnk3uzbobb55RYUXyPLuBZI2q6w2oasbiDwPdY7KpkVv_H-bpITQlyDvO8hhucA6rUV7F6KTQVz8M3Ms","q":"y5p3hch-7jJ21TkAhp_Vk1fLCAuD4tbErwQs2of9ja8sB4iJOs5Wn6HD3P7Mc8Plye7qaLHvzc8I5g0tPKWvC0DPd_FLPXiWwMVAzee3NUX_oGeJNOQp11y1w_KqdO9qZqHSEPZ3NcFL_SZMFgggxhM1uzRiPzsVN0lnD_6prZU","qi":"2Grt6uXHm61ji3xSdkBWNtUnj19vS1-7rFJp5SoYztVQVThf_W52BAiXKBdYZDRVoItC_VS2NvAOjeJjhYO_xQ_q3hK7MdtuXfEPpLnyXKkmWo3lrJ26wbeF6l05LexCkI7ShsOuSt-dsyaTJTszuKDIA6YOfWvfo3aVZmlWRaI","use":"sig"}
-				Value: utils.Ptr("7d/5hl7diJ2rnFL14hEAQf9tzpu29aqXQ8jpJ2iqqKUNFZpdOkEpud0CmRv4H3r8yyk2u/Gqqj9klSy58DJkYXGF5PAYgLyoBIb7L3JXWRbxg4cQ3QJCug13l2OTmpAKoVc+rmX8c3j3h1sNqyJ+7Ql5sS0jSeyiYgIsFNCdnK5alBDyvtcpe/QDpklmP4JCeVpvmf2rLGplk3g5UO5ydJ8UiDXxfDmi+gF6NKJvrGnnah8Ar3G/x88z+tTJtp0DIQFwxXwUM2XZqzEVGm8K2r0w5o9/Keh6bBBaiuH2C78ZOaijGV3DovhR+e9J0cYUYGwT42MZMx9fSWQ/lvWGGnf+Uq3MXJfjWSREfhkp8KTQwR9F7+dnVJWswOEk7jPR8I7hCWTMxJyvaFX3wgAXIVmhrgXZQQbYOqTt56IoqUl0xOJku8dA8opg2UcLlmmuOh6+hfkXKsiiS/H/9c1BVIGj1fCOiT6IePh4wKKSTbwJnPD5EKmdJpgTsUpjcDnXQKY4ReO0UpdRdKxwRDDLeQuG6j+ljGxR9GPudCU9Nmci6rFVI6n5LWYkQxBA1O73RpmXRZPDzntDfpXMEonkmSvOoxaCK2Id7CRKMdqvR0kEouwnhk5WSFtsfi3sA0pkXzPFxwZeWM8vFtbffZOZzXaOhxCOfcj1NClZohlZhyc4jvkxmrpY7PSaAzih0AmHI7y0LYFi6fZu/K4EheVa1+KF55nWZ8ARikHMWKAKkyExkTak7xyN884TDmzURRaPlQg4jzQte5WMNjAG/hlHibdMBNvgwiYd49ZxteJ8ABdbiXVRl+2JGbdjl2ubpQZwOn7bJKlqO56bIwsZ+e4+pXsuOGdBahkHrUjtMEmH3DZbGc6CJLbcmdhdpApLQRRcLAazxJhzAwJ47FRYsHsj57LnYNvmcKdIxw8rxCdLUuzz95uw0T3ankEO5J9sjem+HMEuKdwXK1UcuOn2rjR8Sd/BuvQmeso27dFbPXqXYNS90Ml45YyTvcKSiopD181oZR703TFUSpR7dsiqROMr+p/2jN9h6a8WbQ8xpksyclaQByY/M77AssbXnG6wfhRsntNIINCZLbBnjXOyz6ZHIC5K4tSTdcnWaiYPeRPQmnw9UUvHAcNU2yMWsy0eU377yDS0WstTxOdQutTdkczl8kv5Lo26JiEK7mSIuRK19ffF9Zz8FG8+eKv5zdyIPjyQRDYBysUoDv5huKe2eoxJu/MWS2Pql/ZtUGeD6Ozm3mCvh0vQ9ceagBkY6Ocm3du0ziAKP29Ri0mjg4DizVorbLzsh+EQH/s2Pi9MnjUZDlEmuLl2Xfp7/w4j/8u0N0tVR70VDFuGdKpTjFY3vS8EJrPtyMTM51x1D9rb8gIql8aR/rJw4YF+huxg1mv5n6+tGVqg5msbPmF12eJijP4lkmaRwIpLW5pJTtaDkUj7uOeu1mm4k+Dt5nh0/0jPHzrv6bcTCcbV7UjMHDoTXXqEpFAAJ66rHR7zdAJu+YKsnTIZyLmOpcowq7LL8G9qTvV0OSpyQWUIavRSgbDHFqEqRs+JU94jAzkq8nCY5MTd9m5sIv9InfdT3k+pwpsE/FKge8nghFLtbUrafGkzTky8SE2druvVcIvbfXMfLIKRUYjJgnWc0gQzF5J6pzXM7D2r/RG6JDzASqjlbURq6v9bhNerlOVdMujWKEEVcKWIzlbt4RkihRjM8AUqIZQOyicGQ+4yfIjAHw5viuABONYs3OIWULnFqJxdvS9rNKhfxSjIq9cfqyzevq2xrRoMXEonobh6M3bD2Vang8OAeVeD1OXWPERi4pepCYFS9RJ/Xa/UWxptsqSNuGcb3fAzQSmLpXLGdWRoKXvSe7EYgc0bGcLOjSTu5RURKo+EF9i4KT9EJauf6VXw5dTf/CCIJRXE1bWzXhSCFYntohYhX2ldOCDYpi/jFBC6Vtkw0ud3/xq8Nmhd5gUk+SpngByCZH3Pm3H+jvlbMpiqkDkm1v74hDX13Xhrcw2eWyuqKBVoRCCniUvwpYNbGvBfjC6Hcizv0Aybciwj+4nybt5EPoEUm6S6Gs7fG7QpPdvrzpAxX70MlmdkF/gwyuhbEeJhLK+WL7qAsN5CvHPzVbsIf90x+nGTtMJPgpxVr0tJMj+vprXV4WxutfARBiOnqe58MhA857sd+MzKBgKnoLOBRTiC3qc/0/ULwbG2HCCD7nmwzz7M4nUuMvo8rgS7z0BF68OClT8X3JwSXbL5Wg=="),
+				Value: new("7d/5hl7diJ2rnFL14hEAQf9tzpu29aqXQ8jpJ2iqqKUNFZpdOkEpud0CmRv4H3r8yyk2u/Gqqj9klSy58DJkYXGF5PAYgLyoBIb7L3JXWRbxg4cQ3QJCug13l2OTmpAKoVc+rmX8c3j3h1sNqyJ+7Ql5sS0jSeyiYgIsFNCdnK5alBDyvtcpe/QDpklmP4JCeVpvmf2rLGplk3g5UO5ydJ8UiDXxfDmi+gF6NKJvrGnnah8Ar3G/x88z+tTJtp0DIQFwxXwUM2XZqzEVGm8K2r0w5o9/Keh6bBBaiuH2C78ZOaijGV3DovhR+e9J0cYUYGwT42MZMx9fSWQ/lvWGGnf+Uq3MXJfjWSREfhkp8KTQwR9F7+dnVJWswOEk7jPR8I7hCWTMxJyvaFX3wgAXIVmhrgXZQQbYOqTt56IoqUl0xOJku8dA8opg2UcLlmmuOh6+hfkXKsiiS/H/9c1BVIGj1fCOiT6IePh4wKKSTbwJnPD5EKmdJpgTsUpjcDnXQKY4ReO0UpdRdKxwRDDLeQuG6j+ljGxR9GPudCU9Nmci6rFVI6n5LWYkQxBA1O73RpmXRZPDzntDfpXMEonkmSvOoxaCK2Id7CRKMdqvR0kEouwnhk5WSFtsfi3sA0pkXzPFxwZeWM8vFtbffZOZzXaOhxCOfcj1NClZohlZhyc4jvkxmrpY7PSaAzih0AmHI7y0LYFi6fZu/K4EheVa1+KF55nWZ8ARikHMWKAKkyExkTak7xyN884TDmzURRaPlQg4jzQte5WMNjAG/hlHibdMBNvgwiYd49ZxteJ8ABdbiXVRl+2JGbdjl2ubpQZwOn7bJKlqO56bIwsZ+e4+pXsuOGdBahkHrUjtMEmH3DZbGc6CJLbcmdhdpApLQRRcLAazxJhzAwJ47FRYsHsj57LnYNvmcKdIxw8rxCdLUuzz95uw0T3ankEO5J9sjem+HMEuKdwXK1UcuOn2rjR8Sd/BuvQmeso27dFbPXqXYNS90Ml45YyTvcKSiopD181oZR703TFUSpR7dsiqROMr+p/2jN9h6a8WbQ8xpksyclaQByY/M77AssbXnG6wfhRsntNIINCZLbBnjXOyz6ZHIC5K4tSTdcnWaiYPeRPQmnw9UUvHAcNU2yMWsy0eU377yDS0WstTxOdQutTdkczl8kv5Lo26JiEK7mSIuRK19ffF9Zz8FG8+eKv5zdyIPjyQRDYBysUoDv5huKe2eoxJu/MWS2Pql/ZtUGeD6Ozm3mCvh0vQ9ceagBkY6Ocm3du0ziAKP29Ri0mjg4DizVorbLzsh+EQH/s2Pi9MnjUZDlEmuLl2Xfp7/w4j/8u0N0tVR70VDFuGdKpTjFY3vS8EJrPtyMTM51x1D9rb8gIql8aR/rJw4YF+huxg1mv5n6+tGVqg5msbPmF12eJijP4lkmaRwIpLW5pJTtaDkUj7uOeu1mm4k+Dt5nh0/0jPHzrv6bcTCcbV7UjMHDoTXXqEpFAAJ66rHR7zdAJu+YKsnTIZyLmOpcowq7LL8G9qTvV0OSpyQWUIavRSgbDHFqEqRs+JU94jAzkq8nCY5MTd9m5sIv9InfdT3k+pwpsE/FKge8nghFLtbUrafGkzTky8SE2druvVcIvbfXMfLIKRUYjJgnWc0gQzF5J6pzXM7D2r/RG6JDzASqjlbURq6v9bhNerlOVdMujWKEEVcKWIzlbt4RkihRjM8AUqIZQOyicGQ+4yfIjAHw5viuABONYs3OIWULnFqJxdvS9rNKhfxSjIq9cfqyzevq2xrRoMXEonobh6M3bD2Vang8OAeVeD1OXWPERi4pepCYFS9RJ/Xa/UWxptsqSNuGcb3fAzQSmLpXLGdWRoKXvSe7EYgc0bGcLOjSTu5RURKo+EF9i4KT9EJauf6VXw5dTf/CCIJRXE1bWzXhSCFYntohYhX2ldOCDYpi/jFBC6Vtkw0ud3/xq8Nmhd5gUk+SpngByCZH3Pm3H+jvlbMpiqkDkm1v74hDX13Xhrcw2eWyuqKBVoRCCniUvwpYNbGvBfjC6Hcizv0Aybciwj+4nybt5EPoEUm6S6Gs7fG7QpPdvrzpAxX70MlmdkF/gwyuhbEeJhLK+WL7qAsN5CvHPzVbsIf90x+nGTtMJPgpxVr0tJMj+vprXV4WxutfARBiOnqe58MhA857sd+MzKBgKnoLOBRTiC3qc/0/ULwbG2HCCD7nmwzz7M4nUuMvo8rgS7z0BF68OClT8X3JwSXbL5Wg=="),
 			},
 		}

--- a/backend/internal/service/export_service.go
+++ b/backend/internal/service/export_service.go
@@ -129,39 +129,39 @@ func (s *ExportService) getScanValuesForTable(cols []string, types utils.DBSchem
 		case "boolean", "bool":
 			var x bool
 			if types[col].Nullable {
-				res[i] = utils.Ptr(utils.Ptr(x))
+				res[i] = new(new(x))
 			} else {
-				res[i] = utils.Ptr(x)
+				res[i] = new(x)
 			}
 		case "blob", "bytea", "jsonb":
 			// Treat jsonb columns as binary too
 			var x []byte
 			if types[col].Nullable {
-				res[i] = utils.Ptr(utils.Ptr(x))
+				res[i] = new(new(x))
 			} else {
-				res[i] = utils.Ptr(x)
+				res[i] = new(x)
 			}
 		case "timestamp", "timestamptz", "timestamp with time zone", "datetime":
 			var x datatype.DateTime
 			if types[col].Nullable {
-				res[i] = utils.Ptr(utils.Ptr(x))
+				res[i] = new(new(x))
 			} else {
-				res[i] = utils.Ptr(x)
+				res[i] = new(x)
 			}
 		case "integer", "int", "bigint":
 			var x int64
 			if types[col].Nullable {
-				res[i] = utils.Ptr(utils.Ptr(x))
+				res[i] = new(new(x))
 			} else {
-				res[i] = utils.Ptr(x)
+				res[i] = new(x)
 			}
 		default:
 			// Treat everything else as a string (including the "numeric" type)
 			var x string
 			if types[col].Nullable {
-				res[i] = utils.Ptr(utils.Ptr(x))
+				res[i] = new(new(x))
 			} else {
-				res[i] = utils.Ptr(x)
+				res[i] = new(x)
 			}
 		}
 	}
--- a/backend/internal/service/jwt_service.go
+++ b/backend/internal/service/jwt_service.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"time"

+	"github.com/google/uuid"
 	"github.com/lestrrat-go/jwx/v3/jwa"
 	"github.com/lestrrat-go/jwx/v3/jwk"
 	"github.com/lestrrat-go/jwx/v3/jwt"
@@ -193,6 +194,7 @@ func (s *JwtService) GenerateAccessToken(user model.User) (string, error) {
 		Expiration(now.Add(s.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes())).
 		IssuedAt(now).
 		Issuer(s.envConfig.AppURL).
+		JwtID(uuid.New().String()).
 		Build()
 	if err != nil {
 		return "", fmt.Errorf("failed to build token: %w", err)
@@ -247,6 +249,7 @@ func (s *JwtService) BuildIDToken(userClaims map[string]any, clientID string, no
 		Expiration(now.Add(1 * time.Hour)).
 		IssuedAt(now).
 		Issuer(s.envConfig.AppURL).
+		JwtID(uuid.New().String()).
 		Build()
 	if err != nil {
 		return nil, fmt.Errorf("failed to build token: %w", err)
@@ -336,6 +339,7 @@ func (s *JwtService) BuildOAuthAccessToken(user model.User, clientID string) (jw
 		Expiration(now.Add(1 * time.Hour)).
 		IssuedAt(now).
 		Issuer(s.envConfig.AppURL).
+		JwtID(uuid.New().String()).
 		Build()
 	if err != nil {
 		return nil, fmt.Errorf("failed to build token: %w", err)
--- a/backend/internal/service/jwt_service_test.go
+++ b/backend/internal/service/jwt_service_test.go
@@ -20,13 +20,14 @@ import (

 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
-	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	jwkutils "github.com/pocket-id/pocket-id/backend/internal/utils/jwk"
 	testutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
 )

 const testEncryptionKey = "0123456789abcdef0123456789abcdef"

+const uuidRegexPattern = "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
+
 func newTestEnvConfig() *common.EnvConfigSchema {
 	return &common.EnvConfigSchema{
 		AppURL:        "https://test.example.com",
@@ -303,7 +304,7 @@ func TestGenerateVerifyAccessToken(t *testing.T) {

 		user := model.User{
 			Base:    model.Base{ID: "user123"},
-			Email:   utils.Ptr("user@example.com"),
+			Email:   new("user@example.com"),
 			IsAdmin: false,
 		}

@@ -323,6 +324,9 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 		audience, ok := claims.Audience()
 		_ = assert.True(t, ok, "Audience not found in token") &&
 			assert.Equal(t, []string{service.envConfig.AppURL}, audience, "Audience should contain the app URL")
+		jwtID, ok := claims.JwtID()
+		_ = assert.True(t, ok, "JWT ID not found in token") &&
+			assert.Regexp(t, uuidRegexPattern, jwtID, "JWT ID is not a UUID")

 		expectedExp := time.Now().Add(1 * time.Hour)
 		expiration, ok := claims.Expiration()
@@ -336,7 +340,7 @@ func TestGenerateVerifyAccessToken(t *testing.T) {

 		adminUser := model.User{
 			Base:    model.Base{ID: "admin123"},
-			Email:   utils.Ptr("admin@example.com"),
+			Email:   new("admin@example.com"),
 			IsAdmin: true,
 		}

@@ -388,7 +392,7 @@ func TestGenerateVerifyAccessToken(t *testing.T) {

 		user := model.User{
 			Base:    model.Base{ID: "eddsauser123"},
-			Email:   utils.Ptr("eddsauser@example.com"),
+			Email:   new("eddsauser@example.com"),
 			IsAdmin: true,
 		}

@@ -425,7 +429,7 @@ func TestGenerateVerifyAccessToken(t *testing.T) {

 		user := model.User{
 			Base:    model.Base{ID: "ecdsauser123"},
-			Email:   utils.Ptr("ecdsauser@example.com"),
+			Email:   new("ecdsauser@example.com"),
 			IsAdmin: true,
 		}

@@ -462,7 +466,7 @@ func TestGenerateVerifyAccessToken(t *testing.T) {

 		user := model.User{
 			Base:    model.Base{ID: "rsauser123"},
-			Email:   utils.Ptr("rsauser@example.com"),
+			Email:   new("rsauser@example.com"),
 			IsAdmin: true,
 		}

@@ -497,7 +501,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 	t.Run("generates and verifies ID token with standard claims", func(t *testing.T) {
 		service, _, _ := setupJwtService(t, mockConfig)

-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub":   "user123",
 			"name":  "Test User",
 			"email": "user@example.com",
@@ -520,6 +524,9 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		issuer, ok := claims.Issuer()
 		_ = assert.True(t, ok, "Issuer not found in token") &&
 			assert.Equal(t, service.envConfig.AppURL, issuer, "Issuer should match app URL")
+		jwtID, ok := claims.JwtID()
+		_ = assert.True(t, ok, "JWT ID not found in token") &&
+			assert.Regexp(t, uuidRegexPattern, jwtID, "JWT ID is not a UUID")

 		expectedExp := time.Now().Add(1 * time.Hour)
 		expiration, ok := claims.Expiration()
@@ -531,7 +538,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 	t.Run("can accept expired tokens if told so", func(t *testing.T) {
 		service, _, _ := setupJwtService(t, mockConfig)

-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub":   "user123",
 			"name":  "Test User",
 			"email": "user@example.com",
@@ -579,7 +586,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 	t.Run("generates and verifies ID token with nonce", func(t *testing.T) {
 		service, _, _ := setupJwtService(t, mockConfig)

-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub":  "user456",
 			"name": "Another User",
 		}
@@ -604,7 +611,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 	t.Run("fails verification with incorrect issuer", func(t *testing.T) {
 		service, _, _ := setupJwtService(t, mockConfig)

-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub": "user789",
 		}
 		tokenString, err := service.GenerateIDToken(userClaims, "client-789", "")
@@ -626,7 +633,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		require.True(t, ok)
 		assert.Equal(t, origKeyID, loadedKeyID, "Loaded key should have the same ID as the original")

-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub":   "eddsauser456",
 			"name":  "EdDSA User",
 			"email": "eddsauser@example.com",
@@ -664,7 +671,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		require.True(t, ok)
 		assert.Equal(t, origKeyID, loadedKeyID, "Loaded key should have the same ID as the original")

-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub":   "ecdsauser456",
 			"email": "ecdsauser@example.com",
 		}
@@ -701,7 +708,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		require.True(t, ok)
 		assert.Equal(t, origKeyID, loadedKeyID, "Loaded key should have the same ID as the original")

-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub":   "rsauser456",
 			"name":  "RSA User",
 			"email": "rsauser@example.com",
@@ -734,7 +741,7 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {

 		user := model.User{
 			Base:  model.Base{ID: "user123"},
-			Email: utils.Ptr("user@example.com"),
+			Email: new("user@example.com"),
 		}
 		const clientID = "test-client-123"

@@ -754,6 +761,9 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 		issuer, ok := claims.Issuer()
 		_ = assert.True(t, ok, "Issuer not found in token") &&
 			assert.Equal(t, service.envConfig.AppURL, issuer, "Issuer should match app URL")
+		jwtID, ok := claims.JwtID()
+		_ = assert.True(t, ok, "JWT ID not found in token") &&
+			assert.Regexp(t, uuidRegexPattern, jwtID, "JWT ID is not a UUID")

 		expectedExp := time.Now().Add(1 * time.Hour)
 		expiration, ok := claims.Expiration()
@@ -814,7 +824,7 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {

 		user := model.User{
 			Base:  model.Base{ID: "eddsauser789"},
-			Email: utils.Ptr("eddsaoauth@example.com"),
+			Email: new("eddsaoauth@example.com"),
 		}
 		const clientID = "eddsa-oauth-client"

@@ -851,7 +861,7 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {

 		user := model.User{
 			Base:  model.Base{ID: "ecdsauser789"},
-			Email: utils.Ptr("ecdsaoauth@example.com"),
+			Email: new("ecdsaoauth@example.com"),
 		}
 		const clientID = "ecdsa-oauth-client"

@@ -888,7 +898,7 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {

 		user := model.User{
 			Base:  model.Base{ID: "rsauser789"},
-			Email: utils.Ptr("rsaoauth@example.com"),
+			Email: new("rsaoauth@example.com"),
 		}
 		const clientID = "rsa-oauth-client"

--- a/backend/internal/service/ldap_service.go
+++ b/backend/internal/service/ldap_service.go
@@ -529,7 +529,7 @@ func getDNProperty(property string, str string) string {
 	// First we split at the comma
 	property = strings.ToLower(property)
 	l := len(property) + 1
-	for _, v := range strings.Split(str, ",") {
+	for v := range strings.SplitSeq(str, ",") {
 		v = strings.TrimSpace(v)
 		if len(v) > l && strings.ToLower(v)[0:l] == property+"=" {
 			return v[l:]
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -731,7 +731,7 @@ func (s *OidcService) CreateClient(ctx context.Context, input dto.OidcClientCrea
 		Base: model.Base{
 			ID: input.ID,
 		},
-		CreatedByID: utils.Ptr(userID),
+		CreatedByID: new(userID),
 	}
 	updateOIDCClientModelFromDto(&client, &input.OidcClientUpdateDto)

@@ -1644,34 +1644,19 @@ func clientAuthCredentialsFromCreateTokensDto(d *dto.OidcCreateTokensDto) Client
 }

 func (s *OidcService) verifyClientCredentialsInternal(ctx context.Context, tx *gorm.DB, input ClientAuthCredentials, allowPublicClientsWithoutAuth bool) (client *model.OidcClient, err error) {
-	isClientAssertion := input.ClientAssertionType == ClientAssertionTypeJWTBearer && input.ClientAssertion != ""
-
-	// Determine the client ID based on the authentication method
-	var clientID string
-	switch {
-	case isClientAssertion:
-		// Extract client ID from the JWT assertion's 'sub' claim
-		clientID, err = s.extractClientIDFromAssertion(input.ClientAssertion)
-		if err != nil {
-			slog.Error("Failed to extract client ID from assertion", "error", err)
-			return nil, &common.OidcClientAssertionInvalidError{}
-		}
-	case input.ClientID != "":
-		// Use the provided client ID for other authentication methods
-		clientID = input.ClientID
-	default:
+	if input.ClientID == "" {
 		return nil, &common.OidcMissingClientCredentialsError{}
 	}

 	// Load the OIDC client's configuration
 	err = tx.
 		WithContext(ctx).
-		First(&client, "id = ?", clientID).
+		First(&client, "id = ?", input.ClientID).
 		Error
-	if err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) && isClientAssertion {
-			return nil, &common.OidcClientAssertionInvalidError{}
-		}
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		slog.WarnContext(ctx, "Client not found", slog.String("client", input.ClientID))
+		return nil, &common.OidcClientNotFoundError{}
+	} else if err != nil {
 		return nil, err
 	}

@@ -1686,7 +1671,7 @@ func (s *OidcService) verifyClientCredentialsInternal(ctx context.Context, tx *g
 		return client, nil

 	// Next, check if we want to use client assertions from federated identities
-	case isClientAssertion:
+	case input.ClientAssertionType == ClientAssertionTypeJWTBearer && input.ClientAssertion != "":
 		err = s.verifyClientAssertionFromFederatedIdentities(ctx, client, input)
 		if err != nil {
 			slog.WarnContext(ctx, "Invalid assertion for client", slog.String("client", client.ID), slog.Any("error", err))
@@ -1783,36 +1768,20 @@ func (s *OidcService) verifyClientAssertionFromFederatedIdentities(ctx context.C
 	// (Note: we don't use jwt.WithIssuer() because that would be redundant)
 	_, err = jwt.Parse(assertion,
 		jwt.WithValidate(true),
+
 		jwt.WithAcceptableSkew(clockSkew),
 		jwt.WithKeySet(jwks, jws.WithInferAlgorithmFromKey(true), jws.WithUseDefault(true)),
 		jwt.WithAudience(audience),
 		jwt.WithSubject(subject),
 	)
 	if err != nil {
-		return fmt.Errorf("client assertion is not valid: %w", err)
+		return fmt.Errorf("client assertion could not be verified: %w", err)
 	}

 	// If we're here, the assertion is valid
 	return nil
 }

-// extractClientIDFromAssertion extracts the client_id from the JWT assertion's 'sub' claim
-func (s *OidcService) extractClientIDFromAssertion(assertion string) (string, error) {
-	// Parse the JWT without verification first to get the claims
-	insecureToken, err := jwt.ParseInsecure([]byte(assertion))
-	if err != nil {
-		return "", fmt.Errorf("failed to parse JWT assertion: %w", err)
-	}
-
-	// Extract the subject claim which must be the client_id according to RFC 7523
-	sub, ok := insecureToken.Subject()
-	if !ok || sub == "" {
-		return "", fmt.Errorf("missing or invalid 'sub' claim in JWT assertion")
-	}
-
-	return sub, nil
-}
-
 func (s *OidcService) GetClientPreview(ctx context.Context, clientID string, userID string, scopes []string) (*dto.OidcClientPreviewDto, error) {
 	tx := s.db.Begin()
 	defer func() {
--- a/backend/internal/service/oidc_service_test.go
+++ b/backend/internal/service/oidc_service_test.go
@@ -229,6 +229,12 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 					Subject:  federatedClient.ID,
 					JWKS:     federatedClientIssuer + "/jwks.json",
 				},
+				{
+					Issuer:   "federated-issuer-2",
+					Audience: federatedClientAudience,
+					Subject:  "my-federated-client",
+					JWKS:     federatedClientIssuer + "/jwks.json",
+				},
 				{Issuer: federatedClientIssuerDefaults},
 			},
 		},
@@ -461,6 +467,43 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {

 				// Generate a token
 				input := dto.OidcCreateTokensDto{
+					ClientID:            federatedClient.ID,
+					ClientAssertion:     string(signedToken),
+					ClientAssertionType: ClientAssertionTypeJWTBearer,
+				}
+				createdToken, err := s.createTokenFromClientCredentials(t.Context(), input)
+				require.NoError(t, err)
+				require.NotNil(t, token)
+
+				// Verify the token
+				claims, err := s.jwtService.VerifyOAuthAccessToken(createdToken.AccessToken)
+				require.NoError(t, err, "Failed to verify generated token")
+
+				// Check the claims
+				subject, ok := claims.Subject()
+				_ = assert.True(t, ok, "User ID not found in token") &&
+					assert.Equal(t, "client-"+federatedClient.ID, subject, "Token subject should match federated client ID with prefix")
+				audience, ok := claims.Audience()
+				_ = assert.True(t, ok, "Audience not found in token") &&
+					assert.Equal(t, []string{federatedClient.ID}, audience, "Audience should contain the federated client ID")
+			})
+
+			t.Run("Succeeds with valid assertion and custom subject", func(t *testing.T) {
+				// Create JWT for federated identity
+				token, err := jwt.NewBuilder().
+					Issuer("federated-issuer-2").
+					Audience([]string{federatedClientAudience}).
+					Subject("my-federated-client").
+					IssuedAt(time.Now()).
+					Expiration(time.Now().Add(10 * time.Minute)).
+					Build()
+				require.NoError(t, err)
+				signedToken, err := jwt.Sign(token, jwt.WithKey(jwa.ES256(), privateJWK))
+				require.NoError(t, err)
+
+				// Generate a token
+				input := dto.OidcCreateTokensDto{
+					ClientID:            federatedClient.ID,
 					ClientAssertion:     string(signedToken),
 					ClientAssertionType: ClientAssertionTypeJWTBearer,
 				}
@@ -483,6 +526,7 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {

 			t.Run("Fails with invalid assertion", func(t *testing.T) {
 				input := dto.OidcCreateTokensDto{
+					ClientID:            confidentialClient.ID,
 					ClientAssertion:     "invalid.jwt.token",
 					ClientAssertionType: ClientAssertionTypeJWTBearer,
 				}
--- a/backend/internal/service/scim_service.go
+++ b/backend/internal/service/scim_service.go
@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@@ -243,7 +244,7 @@ func (s *ScimService) SyncServiceProvider(ctx context.Context, serviceProviderID
 		return errors.Join(errs...)
 	}

-	provider.LastSyncedAt = utils.Ptr(datatype.DateTime(time.Now()))
+	provider.LastSyncedAt = new(datatype.DateTime(time.Now()))
 	if err := s.db.WithContext(ctx).Save(&provider).Error; err != nil {
 		return err
 	}
@@ -788,10 +789,8 @@ func ensureScimStatus(
 	resp *http.Response,
 	provider model.ScimServiceProvider,
 	allowedStatuses ...int) error {
-	for _, status := range allowedStatuses {
-		if resp.StatusCode == status {
-			return nil
-		}
+	if slices.Contains(allowedStatuses, resp.StatusCode) {
+		return nil
 	}

 	body := readScimErrorBody(resp.Body)
--- a/backend/internal/service/user_group_service.go
+++ b/backend/internal/service/user_group_service.go
@@ -162,7 +162,7 @@ func (s *UserGroupService) updateInternal(ctx context.Context, id string, input

 	group.Name = input.Name
 	group.FriendlyName = input.FriendlyName
-	group.UpdatedAt = utils.Ptr(datatype.DateTime(time.Now()))
+	group.UpdatedAt = new(datatype.DateTime(time.Now()))

 	err = tx.
 		WithContext(ctx).
@@ -228,7 +228,7 @@ func (s *UserGroupService) updateUsersInternal(ctx context.Context, id string, u
 	}

 	// Save the updated group
-	group.UpdatedAt = utils.Ptr(datatype.DateTime(time.Now()))
+	group.UpdatedAt = new(datatype.DateTime(time.Now()))

 	err = tx.
 		WithContext(ctx).
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -435,7 +435,7 @@ func (s *UserService) updateUserInternal(ctx context.Context, userID string, upd
 		}
 	}

-	user.UpdatedAt = utils.Ptr(datatype.DateTime(time.Now()))
+	user.UpdatedAt = new(datatype.DateTime(time.Now()))

 	err = tx.
 		WithContext(ctx).
@@ -501,9 +501,9 @@ func (s *UserService) UpdateUserGroups(ctx context.Context, id string, userGroup
 	}

 	// Update the UpdatedAt field for all affected groups
-	now := time.Now()
+	now := datatype.DateTime(time.Now())
 	for _, group := range groups {
-		group.UpdatedAt = utils.Ptr(datatype.DateTime(now))
+		group.UpdatedAt = &now
 		err = tx.WithContext(ctx).Save(&group).Error
 		if err != nil {
 			return model.User{}, err
@@ -636,7 +636,7 @@ func (s *UserService) VerifyEmail(ctx context.Context, userID string, token stri
 	}

 	user.EmailVerified = true
-	user.UpdatedAt = utils.Ptr(datatype.DateTime(time.Now()))
+	user.UpdatedAt = new(datatype.DateTime(time.Now()))
 	err = tx.WithContext(ctx).Save(&user).Error
 	if err != nil {
 		return err
--- a/backend/internal/utils/callback_url_util_test.go
+++ b/backend/internal/utils/callback_url_util_test.go
@@ -414,10 +414,10 @@ func TestGetCallbackURLFromList_LoopbackSpecialHandling(t *testing.T) {
 			expectMatch:      true,
 		},
 		{
-			name:             "IPv6 loopback without brackets in input",
-			urls:             []string{"http://[::1]/callback"},
-			inputCallbackURL: "http://::1:8080/callback",
-			expectedURL:      "http://::1:8080/callback",
+			name:             "IPv6 loopback with wildcard path",
+			urls:             []string{"http://[::1]/auth/*"},
+			inputCallbackURL: "http://[::1]:8080/auth/callback",
+			expectedURL:      "http://[::1]:8080/auth/callback",
 			expectMatch:      true,
 		},
 		{
@@ -462,6 +462,13 @@ func TestGetCallbackURLFromList_LoopbackSpecialHandling(t *testing.T) {
 			expectedURL:      "http://127.0.0.1:8080/callback",
 			expectMatch:      true,
 		},
+		{
+			name:             "wildcard matches IPv6 loopback",
+			urls:             []string{"*"},
+			inputCallbackURL: "http://[::1]:8080/callback",
+			expectedURL:      "http://[::1]:8080/callback",
+			expectMatch:      true,
+		},
 	}

 	for _, tt := range tests {
--- a/backend/internal/utils/ip_util.go
+++ b/backend/internal/utils/ip_util.go
@@ -87,9 +87,9 @@ func listContainsIP(ipNets []*net.IPNet, ip net.IP) bool {

 func loadLocalIPv6Ranges() {
 	localIPv6Ranges = nil
-	ranges := strings.Split(common.EnvConfig.LocalIPv6Ranges, ",")
+	ranges := strings.SplitSeq(common.EnvConfig.LocalIPv6Ranges, ",")

-	for _, rangeStr := range ranges {
+	for rangeStr := range ranges {
 		rangeStr = strings.TrimSpace(rangeStr)
 		if rangeStr == "" {
 			continue
--- a/backend/internal/utils/json_util.go
+++ b/backend/internal/utils/json_util.go
@@ -42,7 +42,7 @@ func (d *JSONDuration) UnmarshalJSON(b []byte) error {
 	}
 }

-func UnmarshalJSONFromDatabase(data interface{}, value any) error {
+func UnmarshalJSONFromDatabase(data any, value any) error {
 	switch v := value.(type) {
 	case []byte:
 		return json.Unmarshal(v, data)
--- a/backend/internal/utils/list_request_util.go
+++ b/backend/internal/utils/list_request_util.go
@@ -43,7 +43,7 @@ func ParseListRequestOptions(ctx *gin.Context) (listRequestOptions ListRequestOp
 	return listRequestOptions
 }

-func PaginateFilterAndSort(params ListRequestOptions, query *gorm.DB, result interface{}) (PaginationResponse, error) {
+func PaginateFilterAndSort(params ListRequestOptions, query *gorm.DB, result any) (PaginationResponse, error) {
 	meta := extractModelMetadata(result)

 	query = applyFilters(params.Filters, query, meta)
@@ -52,7 +52,7 @@ func PaginateFilterAndSort(params ListRequestOptions, query *gorm.DB, result int
 	return Paginate(params.Pagination.Page, params.Pagination.Limit, query, result)
 }

-func Paginate(page int, pageSize int, query *gorm.DB, result interface{}) (PaginationResponse, error) {
+func Paginate(page int, pageSize int, query *gorm.DB, result any) (PaginationResponse, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -117,8 +117,8 @@ func parseNestedFilters(ctx *gin.Context) map[string][]any {
 		// Keys can be "filters[field]" or "filters[field][0]"
 		raw := strings.TrimPrefix(key, "filters[")
 		// Take everything up to the first closing bracket
-		if idx := strings.IndexByte(raw, ']'); idx != -1 {
-			field := raw[:idx]
+		if before, _, ok := strings.Cut(raw, "]"); ok {
+			field := before
 			for _, v := range values {
 				result[field] = append(result[field], ConvertStringToType(v))
 			}
@@ -165,12 +165,12 @@ func applySorting(sortColumn string, sortDirection string, query *gorm.DB, meta
 }

 // extractModelMetadata extracts FieldMeta from the model struct using reflection
-func extractModelMetadata(model interface{}) map[string]FieldMeta {
+func extractModelMetadata(model any) map[string]FieldMeta {
 	meta := make(map[string]FieldMeta)

 	// Unwrap pointers and slices to get the element struct type
 	t := reflect.TypeOf(model)
-	for t.Kind() == reflect.Ptr || t.Kind() == reflect.Slice {
+	for t.Kind() == reflect.Pointer || t.Kind() == reflect.Slice {
 		t = t.Elem()
 		if t == nil {
 			return meta
@@ -180,8 +180,7 @@ func extractModelMetadata(model interface{}) map[string]FieldMeta {
 	// recursive parser that merges fields from embedded structs
 	var parseStruct func(reflect.Type)
 	parseStruct = func(st reflect.Type) {
-		for i := 0; i < st.NumField(); i++ {
-			field := st.Field(i)
+		for field := range st.Fields() {
 			ft := field.Type

 			// If the field is an embedded/anonymous struct, recurse into it
--- a/backend/internal/utils/ptr_util.go
+++ b/backend/internal/utils/ptr_util.go
@@ -1,10 +1,5 @@
 package utils

-// Ptr returns a pointer to the given value.
-func Ptr[T any](v T) *T {
-	return &v
-}
-
 // PtrOrNil returns a pointer to v if v is not the zero value of its type,
 // otherwise it returns nil.
 func PtrOrNil[T comparable](v T) *T {
--- a/backend/internal/utils/slogfanout.go
+++ b/backend/internal/utils/slogfanout.go
@@ -1,85 +0,0 @@
-package utils
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"log/slog"
-	"slices"
-)
-
-// This file contains code adapted from https://github.com/samber/slog-multi
-// Source: https://github.com/samber/slog-multi/blob/ced84707f45ec9848138349ed58de178eedaa6f2/pipe.go
-// Copyright (C) 2023 Samuel Berthe
-// License: MIT (https://github.com/samber/slog-multi/blob/ced84707f45ec9848138349ed58de178eedaa6f2/LICENSE)
-
-// LogFanoutHandler is a slog.Handler that sends logs to multiple destinations
-type LogFanoutHandler []slog.Handler
-
-// Implements slog.Handler
-func (h LogFanoutHandler) Enabled(ctx context.Context, l slog.Level) bool {
-	for i := range h {
-		if h[i].Enabled(ctx, l) {
-			return true
-		}
-	}
-
-	return false
-}
-
-// Implements slog.Handler
-func (h LogFanoutHandler) Handle(ctx context.Context, r slog.Record) error {
-	errs := make([]error, 0)
-	for i := range h {
-		if h[i].Enabled(ctx, r.Level) {
-			err := try(func() error {
-				return h[i].Handle(ctx, r.Clone())
-			})
-			if err != nil {
-				errs = append(errs, err)
-			}
-		}
-	}
-
-	return errors.Join(errs...)
-}
-
-// Implements slog.Handler
-func (h LogFanoutHandler) WithAttrs(attrs []slog.Attr) slog.Handler {
-	res := make(LogFanoutHandler, len(h))
-	for i, v := range h {
-		res[i] = v.WithAttrs(slices.Clone(attrs))
-	}
-	return res
-}
-
-// Implements slog.Handler
-func (h LogFanoutHandler) WithGroup(name string) slog.Handler {
-	// https://cs.opensource.google/go/x/exp/+/46b07846:slog/handler.go;l=247
-	if name == "" {
-		return h
-	}
-
-	res := make(LogFanoutHandler, len(h))
-	for i, v := range h {
-		res[i] = v.WithGroup(name)
-	}
-	return res
-}
-
-func try(callback func() error) (err error) {
-	defer func() {
-		r := recover()
-		if r != nil {
-			if e, ok := r.(error); ok {
-				err = e
-			} else {
-				err = fmt.Errorf("unexpected error: %+v", r)
-			}
-		}
-	}()
-
-	err = callback()
-
-	return
-}
--- a/backend/internal/utils/string_util.go
+++ b/backend/internal/utils/string_util.go
@@ -70,11 +70,6 @@ func GetHostnameFromURL(rawURL string) string {
 	return parsedURL.Hostname()
 }

-// StringPointer creates a string pointer from a string value
-func StringPointer(s string) *string {
-	return &s
-}
-
 func CapitalizeFirstLetter(str string) string {
 	if str == "" {
 		return ""
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -4,7 +4,7 @@
 ARG BUILD_TAGS=""

 # Stage 1: Build Frontend
-FROM node:22-alpine AS frontend-builder
+FROM node:24-alpine AS frontend-builder
 RUN corepack enable

 WORKDIR /build
@@ -18,7 +18,7 @@ COPY ./frontend ./frontend/
 RUN BUILD_OUTPUT_PATH=dist pnpm --filter pocket-id-frontend run build

 # Stage 2: Build Backend
-FROM golang:1.25-alpine AS backend-builder
+FROM golang:1.26-alpine AS backend-builder
 ARG BUILD_TAGS
 WORKDIR /build
 COPY ./backend/go.mod ./backend/go.sum ./
--- a/frontend/messages/cs.json
+++ b/frontend/messages/cs.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Zadejte kód, který byl zobrazen v předchozím kroku.",
 	"authorize": "Autorizovat",
 	"federated_client_credentials": "Údaje o klientovi ve federaci",
-	"federated_client_credentials_description": "Pomocí federovaných přihlašovacích údajů klienta můžete ověřit klienty OIDC pomocí JWT tokenů vydaných třetí stranou.",
 	"add_federated_client_credential": "Přidat údaje federovaného klienta",
 	"add_another_federated_client_credential": "Přidat dalšího federovaného klienta",
 	"oidc_allowed_group_count": "Počet povolených skupin",
--- a/frontend/messages/da.json
+++ b/frontend/messages/da.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Indtast koden, der blev vist i det forrige trin.",
 	"authorize": "Godkend",
 	"federated_client_credentials": "Federated klientlegitimationsoplysninger",
-	"federated_client_credentials_description": "Ved hjælp af federated klientlegitimationsoplysninger kan du godkende OIDC-klienter med JWT-tokens udstedt af tredjepartsudbydere.",
 	"add_federated_client_credential": "Tilføj federated klientlegitimation",
 	"add_another_federated_client_credential": "Tilføj endnu en federated klientlegitimation",
 	"oidc_allowed_group_count": "Tilladt antal grupper",
--- a/frontend/messages/de.json
+++ b/frontend/messages/de.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Gib den Code ein, der im vorherigen Schritt angezeigt wurde.",
 	"authorize": "Autorisieren",
 	"federated_client_credentials": "Federated Client Credentials",
-	"federated_client_credentials_description": "Mit Hilfe von Verbund-Client-Anmeldeinformationen kannst du OIDC-Clients mit JWT-Tokens authentifizieren, die von Drittanbietern ausgestellt wurden.",
 	"add_federated_client_credential": "Föderierte Client-Anmeldeinfos hinzufügen",
 	"add_another_federated_client_credential": "Weitere Anmeldeinformationen für einen Verbundclient hinzufügen",
 	"oidc_allowed_group_count": "Erlaubte Gruppenanzahl",
--- a/frontend/messages/en.json
+++ b/frontend/messages/en.json
@@ -365,7 +365,7 @@
 	"enter_code_displayed_in_previous_step": "Enter the code that was displayed in the previous step.",
 	"authorize": "Authorize",
 	"federated_client_credentials": "Federated Client Credentials",
-	"federated_client_credentials_description": "Using federated client credentials, you can authenticate OIDC clients using JWT tokens issued by third-party authorities.",
+	"federated_client_credentials_description": "Federated client credentials allow authenticating OIDC clients without managing long-lived secrets. They leverage JWT tokens issued by third-party authorities for client assertions, e.g. workload identity tokens.",
 	"add_federated_client_credential": "Add Federated Client Credential",
 	"add_another_federated_client_credential": "Add another federated client credential",
 	"oidc_allowed_group_count": "Allowed Group Count",
--- a/frontend/messages/es.json
+++ b/frontend/messages/es.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Introduce el código que se mostró en el paso anterior.",
 	"authorize": "Autorizar",
 	"federated_client_credentials": "Credenciales de cliente federadas",
-	"federated_client_credentials_description": "Mediante credenciales de cliente federadas, puedes autenticar clientes OIDC utilizando tokens JWT emitidos por autoridades de terceros.",
 	"add_federated_client_credential": "Añadir credenciales de cliente federado",
 	"add_another_federated_client_credential": "Añadir otra credencial de cliente federado",
 	"oidc_allowed_group_count": "Recuento de grupos permitidos",
--- a/frontend/messages/et.json
+++ b/frontend/messages/et.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Enter the code that was displayed in the previous step.",
 	"authorize": "Authorize",
 	"federated_client_credentials": "Federated Client Credentials",
-	"federated_client_credentials_description": "Using federated client credentials, you can authenticate OIDC clients using JWT tokens issued by third-party authorities.",
 	"add_federated_client_credential": "Add Federated Client Credential",
 	"add_another_federated_client_credential": "Add another federated client credential",
 	"oidc_allowed_group_count": "Allowed Group Count",
--- a/frontend/messages/fi.json
+++ b/frontend/messages/fi.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Syötä edellisessä vaiheessa näkynyt koodi.",
 	"authorize": "Salli",
 	"federated_client_credentials": "Federoidut asiakastunnukset",
-	"federated_client_credentials_description": "Yhdistettyjen asiakastunnistetietojen avulla voit todentaa OIDC-asiakkaat kolmannen osapuolen myöntämillä JWT-tunnuksilla.",
 	"add_federated_client_credential": "Lisää federoitu asiakastunnus",
 	"add_another_federated_client_credential": "Lisää toinen federoitu asiakastunnus",
 	"oidc_allowed_group_count": "Sallittujen ryhmien määrä",
--- a/frontend/messages/fr.json
+++ b/frontend/messages/fr.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Entrez le code affiché à l'étape précédente.",
 	"authorize": "Autoriser",
 	"federated_client_credentials": "Identifiants client fédérés",
-	"federated_client_credentials_description": "Avec des identifiants clients fédérés, vous pouvez authentifier des clients OIDC avec des tokens JWT émis par des autorités tierces.",
 	"add_federated_client_credential": "Ajouter un identifiant client fédéré",
 	"add_another_federated_client_credential": "Ajouter un autre identifiant client fédéré",
 	"oidc_allowed_group_count": "Nombre de groupes autorisés",
--- a/frontend/messages/it.json
+++ b/frontend/messages/it.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Inserisci il codice visualizzato nel passaggio precedente.",
 	"authorize": "Autorizza",
 	"federated_client_credentials": "Identità Federate",
-	"federated_client_credentials_description": "Utilizzando identità federate, è possibile autenticare i client OIDC utilizzando i token JWT emessi da autorità di terze parti.",
 	"add_federated_client_credential": "Aggiungi Identità Federata",
 	"add_another_federated_client_credential": "Aggiungi un'altra identità federata",
 	"oidc_allowed_group_count": "Numero Gruppi Consentiti",
--- a/frontend/messages/ja.json
+++ b/frontend/messages/ja.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "前のステップで表示されたコードを入力してください。",
 	"authorize": "Authorize",
 	"federated_client_credentials": "連携クライアントの資格情報",
-	"federated_client_credentials_description": "Using federated client credentials, you can authenticate OIDC clients using JWT tokens issued by third-party authorities.",
 	"add_federated_client_credential": "Add Federated Client Credential",
 	"add_another_federated_client_credential": "Add another federated client credential",
 	"oidc_allowed_group_count": "許可されたグループ数",
--- a/frontend/messages/ko.json
+++ b/frontend/messages/ko.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "이전 단계에 표시된 코드를 입력하세요.",
 	"authorize": "승인",
 	"federated_client_credentials": "연동 클라이언트 자격 증명",
-	"federated_client_credentials_description": "연동 클라이언트 자격 증명을 이용하여, OIDC 클라이언트를 제3자 인증 기관에서 발급한 JWT 토큰을 이용해 인증할 수 있습니다.",
 	"add_federated_client_credential": "연동 클라이언트 자격 증명 추가",
 	"add_another_federated_client_credential": "다른 연동 클라이언트 자격 증명 추가",
 	"oidc_allowed_group_count": "허용된 그룹 수",
--- a/frontend/messages/nl.json
+++ b/frontend/messages/nl.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Voer de code in die in de vorige stap werd getoond.",
 	"authorize": "Autoriseren",
 	"federated_client_credentials": "Federatieve clientreferenties",
-	"federated_client_credentials_description": "Met federatieve clientreferenties kun je OIDC-clients verifiëren met JWT-tokens die zijn uitgegeven door andere instanties.",
 	"add_federated_client_credential": "Federatieve clientreferenties toevoegen",
 	"add_another_federated_client_credential": "Voeg nog een federatieve clientreferentie toe",
 	"oidc_allowed_group_count": "Aantal groepen met toegang",
--- a/frontend/messages/no.json
+++ b/frontend/messages/no.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Enter the code that was displayed in the previous step.",
 	"authorize": "Authorize",
 	"federated_client_credentials": "Federated Client Credentials",
-	"federated_client_credentials_description": "Using federated client credentials, you can authenticate OIDC clients using JWT tokens issued by third-party authorities.",
 	"add_federated_client_credential": "Add Federated Client Credential",
 	"add_another_federated_client_credential": "Add another federated client credential",
 	"oidc_allowed_group_count": "Allowed Group Count",
--- a/frontend/messages/pl.json
+++ b/frontend/messages/pl.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Wprowadź kod wyświetlony w poprzednim kroku.",
 	"authorize": "Autoryzuj",
 	"federated_client_credentials": "Połączone poświadczenia klienta",
-	"federated_client_credentials_description": "Korzystając z połączonych poświadczeń klienta, możecie uwierzytelnić klientów OIDC za pomocą tokenów JWT wydanych przez zewnętrzne organy.",
 	"add_federated_client_credential": "Dodaj poświadczenia klienta federacyjnego",
 	"add_another_federated_client_credential": "Dodaj kolejne poświadczenia klienta federacyjnego",
 	"oidc_allowed_group_count": "Dopuszczalna liczba grup",
--- a/frontend/messages/pt-BR.json
+++ b/frontend/messages/pt-BR.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Digite o código que apareceu na etapa anterior.",
 	"authorize": "Autorizar",
 	"federated_client_credentials": "Credenciais de Cliente Federadas",
-	"federated_client_credentials_description": "Ao utilizar credenciais de cliente federadas, é possível autenticar clientes OIDC usando tokens JWT emitidos por autoridades de terceiros.",
 	"add_federated_client_credential": "Adicionar credencial de cliente federado",
 	"add_another_federated_client_credential": "Adicionar outra credencial de cliente federado",
 	"oidc_allowed_group_count": "Total de grupos permitidos",
--- a/frontend/messages/ru.json
+++ b/frontend/messages/ru.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Введите код, который был отображен на предыдущем шаге.",
 	"authorize": "Авторизовать",
 	"federated_client_credentials": "Федеративные учетные данные клиента",
-	"federated_client_credentials_description": "Используя федеративные учетные данные клиента, вы можете аутентифицировать клиентов OIDC с помощью токенов JWT, выпущенных сторонними поставщиками удостоверений.",
 	"add_federated_client_credential": "Добавить федеративные учетные данные клиента",
 	"add_another_federated_client_credential": "Добавить другие федеративные учетные данные клиента",
 	"oidc_allowed_group_count": "Число разрешенных групп",
--- a/frontend/messages/sv.json
+++ b/frontend/messages/sv.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Ange koden som visades i föregående steg.",
 	"authorize": "Godkänn",
 	"federated_client_credentials": "Federerade klientuppgifter",
-	"federated_client_credentials_description": "Med hjälp av federerade klientuppgifter kan du autentisera OIDC-klienter med JWT-tokens som utfärdats av externa auktoriteter.",
 	"add_federated_client_credential": "Lägg till federerad klientuppgift",
 	"add_another_federated_client_credential": "Lägg till ytterligare en federerad klientuppgift",
 	"oidc_allowed_group_count": "Tillåtet antal grupper",
--- a/frontend/messages/tr.json
+++ b/frontend/messages/tr.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Önceki adımda görüntülenen kodu girin.",
 	"authorize": "Yetkilendir",
 	"federated_client_credentials": "Birleştirilmiş İstemci Kimlik Bilgileri",
-	"federated_client_credentials_description": "Birleşik istemci kimlik bilgilerini kullanarak, üçüncü taraf otoriteleri tarafından verilen JWT token'ları kullanarak OIDC istemcilerinin kimliklerini doğrulayabilirsiniz.",
 	"add_federated_client_credential": "Birleştirilmiş İstemci Kimlik Bilgisi Ekle",
 	"add_another_federated_client_credential": "Başka bir birleştirilmiş istemci kimlik bilgisi ekle",
 	"oidc_allowed_group_count": "İzin Verilen Grup Sayısı",
--- a/frontend/messages/uk.json
+++ b/frontend/messages/uk.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Введіть код, який було показано на попередньому кроці.",
 	"authorize": "Авторизувати",
 	"federated_client_credentials": "Федеративні облікові дані клієнта",
-	"federated_client_credentials_description": "За допомогою федеративних облікових даних клієнта ви можете автентифікувати клієнтів OIDC за допомогою токенів JWT, виданих третіми сторонами.",
 	"add_federated_client_credential": "Додати федеративний обліковий запис клієнта",
 	"add_another_federated_client_credential": "Додати ще один федеративний обліковий запис клієнта",
 	"oidc_allowed_group_count": "Кількість дозволених груп",
@@ -457,59 +456,59 @@
 	"custom_client_id_description": "Встановіть власний ідентифікатор клієнта, якщо це вимагається вашим застосунком. В іншому випадку залиште поле порожнім, щоб згенерувати випадковий.",
 	"generated": "Створено",
 	"administration": "Адміністрування",
-	"group_rdn_attribute_description": "Атрибут, що використовується в розрізнювальному імені групи (DN).",
+	"group_rdn_attribute_description": "Атрибут, який використовується в DN (Distinguished Name) групи.",
 	"display_name_attribute": "Атрибут імені для відображення",
 	"display_name": "Ім'я для відображення",
 	"configure_application_images": "Налаштування зображень застосунку",
-	"ui_config_disabled_info_title": "Конфігурація інтерфейсу користувача вимкнена",
-	"ui_config_disabled_info_description": "Конфігурація інтерфейсу користувача вимкнена, оскільки налаштування конфігурації програми керуються через змінні середовища. Деякі налаштування можуть бути недоступними для редагування.",
+	"ui_config_disabled_info_title": "Налаштування через UI вимкнено",
+	"ui_config_disabled_info_description": "Налаштування через UI вимкнено, оскільки параметри конфігурації застосунку керуються через змінні середовища. Деякі налаштування можуть бути недоступні для редагування.",
 	"logo_from_url_description": "Вставте пряму URL-адресу зображення (svg, png, webp). Знайдіть іконки на <link  href=\"https://selfh.st/icons\">Selfh.st Icons</link> або <link href=\"https://dashboardicons.com\">Dashboard Icons</link>.",
 	"invalid_url": "Недійсна URL-адреса",
 	"require_user_email": "Потрібна адреса електронної пошти",
-	"require_user_email_description": "Вимагає від користувачів наявність адреси електронної пошти. Якщо ця опція вимкнена, користувачі без адреси електронної пошти не зможуть користуватися функціями, для яких потрібна адреса електронної пошти.",
+	"require_user_email_description": "Вимагає наявності електронної адреси у користувачів. Якщо вимкнено, користувачі без електронної адреси не зможуть користуватися функціями, які її вимагають.",
 	"view": "Перегляд",
-	"toggle_columns": "Перемикання стовпців",
-	"locale": "Локаль",
+	"toggle_columns": "Налаштувати стовпці",
+	"locale": "Мова",
 	"ldap_id": "LDAP-ідентифікатор",
-	"reauthentication": "Повторна аутентифікація",
+	"reauthentication": "Повторна автентифікація",
 	"clear_filters": "Очистити фільтри",
 	"default_profile_picture": "Стандартне зображення профілю",
 	"light": "Світла",
 	"dark": "Темна",
 	"system": "Системна",
 	"signup_token_user_groups_description": "Автоматично призначати ці групи користувачам, які реєструються за допомогою цього токена.",
-	"allowed_oidc_clients": "Дозволені клієнти OIDC",
-	"allowed_oidc_clients_description": "Виберіть клієнти OIDC, до яких члени цієї групи користувачів мають право входити.",
+	"allowed_oidc_clients": "Дозволені OIDC-клієнти",
+	"allowed_oidc_clients_description": "Оберіть OIDC-клієнти, до яких дозволено вхід членам цієї групи користувачів.",
 	"unrestrict_oidc_client": "Не обмежувати {clientName}",
-	"confirm_unrestrict_oidc_client_description": "Ви впевнені, що хочете зняти обмеження з клієнта OIDC <b>{clientName}</b>? Це призведе до видалення всіх групових призначень для цього клієнта, і будь-який користувач зможе увійти в систему.",
-	"allowed_oidc_clients_updated_successfully": "Дозволені клієнти OIDC успішно оновлені",
+	"confirm_unrestrict_oidc_client_description": "Ви впевнені, що хочете зняти обмеження з OIDC-клієнта <b>{clientName}</b>? Це видалить усі призначення груп для цього клієнта, і будь-який користувач зможе виконати вхід.",
+	"allowed_oidc_clients_updated_successfully": "Дозволені OIDC-клієнти успішно оновлено",
 	"yes": "Так",
 	"no": "Ні",
 	"restricted": "Обмежений",
-	"scim_provisioning": "Надання SCIM",
-	"scim_provisioning_description": "SCIM-провізінінг дозволяє автоматично надавати та скасовувати доступ користувачам і групам з вашого клієнта OIDC. Дізнайтеся більше в <link href='https://pocket-id.org/docs/configuration/scim'>документації</link>.",
+	"scim_provisioning": "Синхронізація SCIM",
+	"scim_provisioning_description": "Постачання користувачів через SCIM дозволяє автоматично додавати та видаляти користувачів і групи у вашому OIDC-клієнті. Дізнайтеся більше у <link href='https://pocket-id.org/docs/configuration/scim'>документації</link>.",
 	"scim_endpoint": "Кінцева точка SCIM",
 	"scim_token": "Токен SCIM",
 	"last_successful_sync_at": "Остання успішна синхронізація: {time}",
-	"scim_configuration_updated_successfully": "Конфігурація SCIM успішно оновлена.",
-	"scim_enabled_successfully": "SCIM успішно увімкнено.",
-	"scim_disabled_successfully": "SCIM успішно вимкнено.",
-	"disable_scim_provisioning": "Вимкнути надання SCIM",
-	"disable_scim_provisioning_confirm_description": "Ви впевнені, що хочете вимкнути надання доступу SCIM для <b>{clientName}</b>? Це зупинить всі автоматичні процеси надання та скасування доступу для користувачів і груп.",
+	"scim_configuration_updated_successfully": "Конфігурацію SCIM успішно оновлено.",
+	"scim_enabled_successfully": "Синхронізація SCIM успішно увімкнено.",
+	"scim_disabled_successfully": "Синхронізація SCIM успішно вимкнено.",
+	"disable_scim_provisioning": "Вимкнути SCIM синхронізацію",
+	"disable_scim_provisioning_confirm_description": "Ви впевнені, що хочете вимкнути постачання користувачів через SCIM для <b>{clientName}</b>? Це зупинить автоматичне додавання та видалення користувачів і груп.",
 	"scim_sync_failed": "Синхронізація SCIM не вдалася. Перевірте журнали сервера для отримання додаткової інформації.",
 	"scim_sync_successful": "Синхронізація SCIM успішно завершена.",
 	"save_and_sync": "Зберегти та синхронізувати",
-	"scim_save_changes_description": "Перед початком синхронізації SCIM необхідно зберегти зміни. Чи хочете ви зберегти зараз?",
+	"scim_save_changes_description": "Необхідно зберегти зміни перед запуском синхронізації SCIM. Бажаєте зберегти зараз?",
 	"scopes": "Області застосування",
 	"issuer_url": "URL емітента",
-	"smtp_field_required_when_other_provided": "Необхідно, якщо вказано будь-яке налаштування SMTP",
-	"smtp_field_required_when_email_enabled": "Необхідно, якщо увімкнено сповіщення електронною поштою",
+	"smtp_field_required_when_other_provided": "Обов'язково, якщо вказано будь-який параметр SMTP",
+	"smtp_field_required_when_email_enabled": "Обов'язково, якщо увімкнено сповіщення електронною поштою",
 	"renew": "Оновити",
 	"renew_api_key": "Оновити API-ключ",
 	"renew_api_key_description": "Оновлення API-ключа призведе до створення нового ключа. Обов'язково оновіть усі інтеграції, що використовують цей ключ.",
 	"api_key_renewed": "API-ключ оновлено",
 	"app_config_home_page": "Головна сторінка",
-	"app_config_home_page_description": "Сторінка, на яку перенаправляють користувачів після входу в систему.",
+	"app_config_home_page_description": "Сторінка, на яку користувачі перенаправляються після входу.",
 	"email_verification_warning": "Підтвердьте свою адресу електронної пошти",
 	"email_verification_warning_description": "Ваша електронна адреса ще не підтверджена. Будь ласка, підтвердьте її якомога швидше.",
 	"email_verification": "Перевірка електронної адреси",
--- a/frontend/messages/vi.json
+++ b/frontend/messages/vi.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "Nhập mã đã hiển thị ở bước trước.",
 	"authorize": "Cho phép",
 	"federated_client_credentials": "Thông Tin Xác Thực Của Federated Clients",
-	"federated_client_credentials_description": "Sử dụng thông tin xác thực của federated client, bạn có thể xác thực các client OIDC bằng cách sử dụng token JWT được cấp bởi các bên thứ ba.",
 	"add_federated_client_credential": "Thêm thông tin xác thực cho federated clients",
 	"add_another_federated_client_credential": "Thêm một thông tin xác thực cho federated clients khác",
 	"oidc_allowed_group_count": "Số lượng nhóm được phép",
--- a/frontend/messages/zh-CN.json
+++ b/frontend/messages/zh-CN.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "输入在上一步中显示的代码",
 	"authorize": "授权",
 	"federated_client_credentials": "联合身份",
-	"federated_client_credentials_description": "您可以使用联合身份，通过第三方授权机构签发的 JWT 令牌，对 OIDC 客户端进行认证。",
 	"add_federated_client_credential": "添加联合身份",
 	"add_another_federated_client_credential": "再添加一个联合身份",
 	"oidc_allowed_group_count": "允许的群组数量",
--- a/frontend/messages/zh-TW.json
+++ b/frontend/messages/zh-TW.json
@@ -365,7 +365,6 @@
 	"enter_code_displayed_in_previous_step": "請輸入上一步顯示的代碼。",
 	"authorize": "授權",
 	"federated_client_credentials": "聯邦身分",
-	"federated_client_credentials_description": "使用聯邦身分，您可以透過由第三方授權機構簽發的 JWT 令牌來驗證 OIDC 客戶端。",
 	"add_federated_client_credential": "增加聯邦身分",
 	"add_another_federated_client_credential": "新增另一組聯邦身分",
 	"oidc_allowed_group_count": "允許的群組數量",
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,63 +1,63 @@
 {
-	"name": "pocket-id-frontend",
-	"version": "2.2.0",
-	"private": true,
-	"type": "module",
-	"scripts": {
-		"preinstall": "npx only-allow pnpm",
-		"dev": "vite dev --port 3000",
-		"build": "vite build",
-		"preview": "vite preview --port 3000",
-		"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
-		"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
-		"lint": "prettier --check . && eslint .",
-		"format": "prettier --write ."
-	},
-	"dependencies": {
-		"@simplewebauthn/browser": "^13.2.2",
-		"@tailwindcss/vite": "^4.2.0",
-		"axios": "^1.13.5",
-		"clsx": "^2.1.1",
-		"date-fns": "^4.1.0",
-		"jose": "^6.1.3",
-		"qrcode": "^1.5.4",
-		"runed": "^0.37.1",
-		"sveltekit-superforms": "^2.30.0",
-		"tailwind-merge": "^3.5.0",
-		"zod": "^4.3.6"
-	},
-	"devDependencies": {
-		"@inlang/paraglide-js": "^2.12.0",
-		"@inlang/plugin-m-function-matcher": "^2.2.1",
-		"@inlang/plugin-message-format": "^4.3.0",
-		"@internationalized/date": "^3.11.0",
-		"@lucide/svelte": "^0.559.0",
-		"@sveltejs/adapter-static": "^3.0.10",
-		"@sveltejs/kit": "^2.53.0",
-		"@sveltejs/vite-plugin-svelte": "^6.2.4",
-		"@types/eslint": "^9.6.1",
-		"@types/node": "^24.10.13",
-		"@types/qrcode": "^1.5.6",
-		"bits-ui": "^2.16.2",
-		"eslint": "^9.39.3",
-		"eslint-config-prettier": "^10.1.8",
-		"eslint-plugin-svelte": "^3.15.0",
-		"formsnap": "^2.0.1",
-		"globals": "^16.5.0",
-		"mode-watcher": "^1.1.0",
-		"prettier": "^3.8.1",
-		"prettier-plugin-svelte": "^3.5.0",
-		"prettier-plugin-tailwindcss": "^0.7.2",
-		"rollup": "^4.59.0",
-		"svelte": "^5.53.2",
-		"svelte-check": "^4.4.3",
-		"svelte-sonner": "^1.0.7",
-		"tailwind-variants": "^3.2.2",
-		"tailwindcss": "^4.2.0",
-		"tslib": "^2.8.1",
-		"tw-animate-css": "^1.4.0",
-		"typescript": "^5.9.3",
-		"typescript-eslint": "^8.56.0",
-		"vite": "^7.3.1"
-	}
+  "name": "pocket-id-frontend",
+  "version": "2.3.0",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "preinstall": "npx only-allow pnpm",
+    "dev": "vite dev --port 3000",
+    "build": "vite build",
+    "preview": "vite preview --port 3000",
+    "check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
+    "check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
+    "lint": "prettier --check . && eslint .",
+    "format": "prettier --write ."
+  },
+  "dependencies": {
+    "@simplewebauthn/browser": "^13.2.2",
+    "@tailwindcss/vite": "^4.2.0",
+    "axios": "^1.13.5",
+    "clsx": "^2.1.1",
+    "date-fns": "^4.1.0",
+    "jose": "^6.1.3",
+    "qrcode": "^1.5.4",
+    "runed": "^0.37.1",
+    "sveltekit-superforms": "^2.30.0",
+    "tailwind-merge": "^3.5.0",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@inlang/paraglide-js": "^2.12.0",
+    "@inlang/plugin-m-function-matcher": "^2.2.1",
+    "@inlang/plugin-message-format": "^4.3.0",
+    "@internationalized/date": "^3.11.0",
+    "@lucide/svelte": "^0.559.0",
+    "@sveltejs/adapter-static": "^3.0.10",
+    "@sveltejs/kit": "^2.53.0",
+    "@sveltejs/vite-plugin-svelte": "^6.2.4",
+    "@types/eslint": "^9.6.1",
+    "@types/node": "^24.10.13",
+    "@types/qrcode": "^1.5.6",
+    "bits-ui": "^2.16.2",
+    "eslint": "^9.39.3",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-svelte": "^3.15.0",
+    "formsnap": "^2.0.1",
+    "globals": "^16.5.0",
+    "mode-watcher": "^1.1.0",
+    "prettier": "^3.8.1",
+    "prettier-plugin-svelte": "^3.5.0",
+    "prettier-plugin-tailwindcss": "^0.7.2",
+    "rollup": "^4.59.0",
+    "svelte": "^5.53.2",
+    "svelte-check": "^4.4.3",
+    "svelte-sonner": "^1.0.7",
+    "tailwind-variants": "^3.2.2",
+    "tailwindcss": "^4.2.0",
+    "tslib": "^2.8.1",
+    "tw-animate-css": "^1.4.0",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.56.0",
+    "vite": "^7.3.1"
+  }
 }
--- a/frontend/src/lib/components/form/form-input.svelte
+++ b/frontend/src/lib/components/form/form-input.svelte
@@ -86,6 +86,6 @@
 		{/if}
 	{/if}
 	{#if input?.error}
-		<Field.Error>{input.error}</Field.Error>
+		<Field.Error class="text-start">{input.error}</Field.Error>
 	{/if}
 </Field.Field>
--- a/package.json
+++ b/package.json
@@ -12,5 +12,5 @@
    "test": "pnpm --filter pocket-id-tests test",
    "format": "pnpm --filter pocket-id-frontend format"
  },
-  "packageManager": "pnpm@10.27.0+sha512.72d699da16b1179c14ba9e64dc71c9a40988cbdc65c264cb0e489db7de917f20dcf4d64d8723625f2969ba52d4b7e2a1170682d9ac2a5dcaeaab732b7e16f04a"
+  "packageManager": "pnpm@10.30.1+sha512.3590e550d5384caa39bd5c7c739f72270234b2f6059e13018f975c313b1eb9fefcc09714048765d4d9efe961382c312e624572c0420762bdc5d5940cdf9be73a"
 }
--- a/tests/specs/oidc.spec.ts
+++ b/tests/specs/oidc.spec.ts
@@ -332,6 +332,7 @@ test.describe('Introspection endpoint', () => {
 				Authorization: 'Bearer ' + clientAssertion
 			},
 			form: {
+				client_id: oidcClients.federated.id,
 				token: validAccessToken
 			}
 		});
@@ -374,6 +375,7 @@ test.describe('Introspection endpoint', () => {
 				Authorization: 'Bearer ' + clientAssertion
 			},
 			form: {
+				client_id: oidcClients.federated.id,
 				token: validAccessToken
 			}
 		});
Author	SHA1	Message	Date
Alessandro (Ale) Segala	303d70de11	Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-02-25 21:05:36 -08:00
Copilot	8c96d1a671	fix: support client_id form field on introspect endpoint for federated client assertions (#1343 )	2026-02-25 20:57:47 -08:00
ItalyPaleAle	15b8b423bd	fix: federated client credentials not working if sub ≠ client_id Fixes a regression that broke federated client credentials when the "sub" is not the same as the client ID. See [this comment](https://github.com/pocket-id/pocket-id/issues/902#issuecomment-3961460340) with implementation notes and decisions around framing this in terms of identity federation, which is on purpose not compliant with RFC 7532 (however, it's possible to configure this to be fully RFC-7532 compliant) - Fixes #1333 - Closes #902 - Closes #991	2026-02-25 19:08:45 -08:00
Elias Schneider	375f0a0c34	release: 2.3.0	2026-02-23 20:36:19 +01:00
Elias Schneider	522a4eee00	chore(translations): update translations via Crowdin (#1335 )	2026-02-23 20:36:00 +01:00
Elias Schneider	0c41872cd4	fix: disallow API key renewal and creation with API key authentication (#1334 )	2026-02-23 20:34:25 +01:00
Elias Schneider	b3fe143136	fix: left align input error messages	2026-02-23 19:54:32 +01:00
Kyle Mendell	a90c8abe51	chore(deps): upgrade to node 24 and go 1.26.0 (#1328 ) Co-authored-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com> Co-authored-by: Elias Schneider <login@eliasschneider.com>	2026-02-23 19:50:44 +01:00
Kyle Mendell	ae269371da	feat: current version api endpoint (#1310 )	2026-02-22 10:39:19 -08:00
James Ward	27caaf2cac	feat: add JWT ID for generated tokens (#1322 )	2026-02-22 16:23:14 +00:00
@@ -1 +1 @@
 .2.0
 .3.0