release: 0.49.0

chore(translations): update translations via Crowdin (#467 )
chore(translations): fix typo in key
2026-02-22 21:13:53 +00:00 · 2025-04-20 20:00:09 +02:00 · 2025-04-20 17:59:49 +00:00 · 2025-04-20 19:51:12 +02:00 · 2025-04-20 19:03:58 +02:00 · 2025-04-20 18:54:45 +02:00
84 changed files with 1373 additions and 298 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,2 +1,2 @@
 # These are supported funding model platforms
-github: stonith404
+github: [stonith404, kmendell]
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -19,21 +19,28 @@ jobs:
    timeout-minutes: 20
    runs-on: ubuntu-latest
    steps:
+      - uses: actions/checkout@v4
+
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and export
        uses: docker/build-push-action@v6
        with:
-          tags: pocket-id/pocket-id:test
+          push: false
+          load: false
+          tags: pocket-id:test
          outputs: type=docker,dest=/tmp/docker-image.tar
          build-args: BUILD_TAGS=e2etest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

      - name: Upload Docker image artifact
        uses: actions/upload-artifact@v4
        with:
          name: docker-image
          path: /tmp/docker-image.tar
+          retention-days: 1

  test-sqlite:
    if: github.event.pull_request.head.ref != 'i18n_crowdin'
@@ -47,13 +54,22 @@ jobs:
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json

+      - name: Cache Playwright Browsers
+        uses: actions/cache@v3
+        id: playwright-cache
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('frontend/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+
      - name: Download Docker image artifact
        uses: actions/download-artifact@v4
        with:
          name: docker-image
          path: /tmp

-      - name: Load Docker Image
+      - name: Load Docker image
        run: docker load -i /tmp/docker-image.tar

      - name: Install frontend dependencies
@@ -62,6 +78,7 @@ jobs:

      - name: Install Playwright Browsers
        working-directory: ./frontend
+        if: steps.playwright-cache.outputs.cache-hit != 'true'
        run: npx playwright install --with-deps chromium

      - name: Run Docker Container with Sqlite DB
@@ -69,7 +86,7 @@ jobs:
          docker run -d --name pocket-id-sqlite \
          -p 80:80 \
          -e APP_ENV=test \
-          pocket-id/pocket-id:test
+          pocket-id:test

          docker logs -f pocket-id-sqlite &> /tmp/backend.log &

@@ -77,16 +94,18 @@ jobs:
        working-directory: ./frontend
        run: npx playwright test

-      - uses: actions/upload-artifact@v4
-        if: always()
+      - name: Upload Frontend Test Report
+        uses: actions/upload-artifact@v4
+        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
          name: playwright-report-sqlite
          path: frontend/tests/.report
          include-hidden-files: true
          retention-days: 15

-      - uses: actions/upload-artifact@v4
-        if: always()
+      - name: Upload Backend Test Report
+        uses: actions/upload-artifact@v4
+        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
          name: backend-sqlite
          path: /tmp/backend.log
@@ -105,12 +124,39 @@ jobs:
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json

+      - name: Cache Playwright Browsers
+        uses: actions/cache@v3
+        id: playwright-cache
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('frontend/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+
+      - name: Cache PostgreSQL Docker image
+        uses: actions/cache@v3
+        id: postgres-cache
+        with:
+          path: /tmp/postgres-image.tar
+          key: postgres-17-${{ runner.os }}
+
+      - name: Pull and save PostgreSQL image
+        if: steps.postgres-cache.outputs.cache-hit != 'true'
+        run: |
+          docker pull postgres:17
+          docker save postgres:17 > /tmp/postgres-image.tar
+
+      - name: Load PostgreSQL image from cache
+        if: steps.postgres-cache.outputs.cache-hit == 'true'
+        run: docker load < /tmp/postgres-image.tar
+
      - name: Download Docker image artifact
        uses: actions/download-artifact@v4
        with:
          name: docker-image
          path: /tmp
-      - name: Load Docker Image
+
+      - name: Load Docker image
        run: docker load -i /tmp/docker-image.tar

      - name: Install frontend dependencies
@@ -119,6 +165,7 @@ jobs:

      - name: Install Playwright Browsers
        working-directory: ./frontend
+        if: steps.playwright-cache.outputs.cache-hit != 'true'
        run: npx playwright install --with-deps chromium

      - name: Create Docker network
@@ -153,7 +200,7 @@ jobs:
          -e APP_ENV=test \
          -e DB_PROVIDER=postgres \
          -e DB_CONNECTION_STRING=postgresql://postgres:postgres@pocket-id-db:5432/pocket-id \
-          pocket-id/pocket-id:test
+          pocket-id:test

          docker logs -f pocket-id-postgres &> /tmp/backend.log &

@@ -161,7 +208,8 @@ jobs:
        working-directory: ./frontend
        run: npx playwright test

-      - uses: actions/upload-artifact@v4
+      - name: Upload Frontend Test Report
+        uses: actions/upload-artifact@v4
        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
          name: playwright-report-postgres
@@ -169,8 +217,9 @@ jobs:
          include-hidden-files: true
          retention-days: 15

-      - uses: actions/upload-artifact@v4
-        if: always()
+      - name: Upload Backend Test Report
+        uses: actions/upload-artifact@v4
+        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
          name: backend-postgres
          path: /tmp/backend.log
--- a/.version
+++ b/.version
@@ -1 +1 @@
-0.47.0
+0.49.0
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,37 @@
+## [](https://github.com/pocket-id/pocket-id/compare/v0.48.0...v) (2025-04-20)
+
+
+### Features
+
+* add ability to disable API key expiration email ([9122e75](https://github.com/pocket-id/pocket-id/commit/9122e75101ad39a40135ccf931eb2bfd351b5db6))
+* add ability to send login code via email ([#457](https://github.com/pocket-id/pocket-id/issues/457)) ([fe1c4b1](https://github.com/pocket-id/pocket-id/commit/fe1c4b18cdcc46a4256e0c111b34f1ce00f8e0e1))
+* add description to callback URL inputs ([eb689eb](https://github.com/pocket-id/pocket-id/commit/eb689eb56ec9eaf8b0fb1485040e26f841b9225d))
+* send email to user when api key expires within 7 days ([#451](https://github.com/pocket-id/pocket-id/issues/451)) ([26f01f2](https://github.com/pocket-id/pocket-id/commit/26f01f205be01fb8abd8c2e564c90c0fc4480ea5))
+
+
+### Bug Fixes
+
+* disable animations not respected on authorize and logout page ([e571996](https://github.com/pocket-id/pocket-id/commit/e571996cb57d04232c1f47ab337ad656f48bb3cb))
+* hide alternative sign in button if user is already authenticated ([4e05b82](https://github.com/pocket-id/pocket-id/commit/4e05b82f02740a4bae07cec6c6a64acd34ca0fc3))
+* locale change in dropdown doesn't work on first try ([60bad9e](https://github.com/pocket-id/pocket-id/commit/60bad9e9859d81c9967e6939e1ed10a65145a936))
+* remove limit of 20 callback URLs ([c37a3e0](https://github.com/pocket-id/pocket-id/commit/c37a3e0ed177c3bd2b9a618d1f4b0709004478b0))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.47.0...v) (2025-04-18)
+
+
+### Features
+
+* add gif support for logo and background image ([56a8b5d](https://github.com/pocket-id/pocket-id/commit/56a8b5d0c02643f869b77cf8475ddf2f9473880b))
+* disable/enable users ([#437](https://github.com/pocket-id/pocket-id/issues/437)) ([c843a60](https://github.com/pocket-id/pocket-id/commit/c843a60131b813177b1e270c4f5d97613c700efa))
+
+
+### Bug Fixes
+
+* add "type" as reserved claim ([0111a58](https://github.com/pocket-id/pocket-id/commit/0111a58dac0342c5ac2fa25a050e8773810d2b0a))
+* callback URL doesn't get rejected if it starts with a different string ([f0dce41](https://github.com/pocket-id/pocket-id/commit/f0dce41fbc5649b3a8fe65de36ca20efa521b880))
+* profile picture empty for users without first or last name ([#449](https://github.com/pocket-id/pocket-id/issues/449)) ([5a6dfd9](https://github.com/pocket-id/pocket-id/commit/5a6dfd9e505f4c84e91b4b378b082fab10e8a8a8))
+* user querying fails on global audit log page with Postgres ([84f1d5c](https://github.com/pocket-id/pocket-id/commit/84f1d5c906ec3f9a74ad3d2f36526eea847af5dd))
+
 ## [](https://github.com/pocket-id/pocket-id/compare/v0.46.0...v) (2025-04-16)


--- a/backend/go.mod
+++ b/backend/go.mod
@@ -1,6 +1,6 @@
 module github.com/pocket-id/pocket-id/backend

-go 1.24
+go 1.24.0

 require (
 	github.com/caarlos0/env/v11 v11.3.1
@@ -79,7 +79,7 @@ require (
 	go.uber.org/atomic v1.11.0 // indirect
 	golang.org/x/arch v0.13.0 // indirect
 	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
-	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -255,8 +255,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
-golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -49,7 +49,7 @@ func initRouter(ctx context.Context, db *gorm.DB, appConfigService *service.AppC
 	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService, customClaimService)
 	userGroupService := service.NewUserGroupService(db, appConfigService)
 	ldapService := service.NewLdapService(db, appConfigService, userService, userGroupService)
-	apiKeyService := service.NewApiKeyService(db)
+	apiKeyService := service.NewApiKeyService(db, emailService)

 	rateLimitMiddleware := middleware.NewRateLimitMiddleware()

@@ -61,9 +61,10 @@ func initRouter(ctx context.Context, db *gorm.DB, appConfigService *service.AppC
 	job.RegisterLdapJobs(ctx, ldapService, appConfigService)
 	job.RegisterDbCleanupJobs(ctx, db)
 	job.RegisterFileCleanupJobs(ctx, db)
+	job.RegisterApiKeyExpiryJob(ctx, apiKeyService, appConfigService)

 	// Initialize middleware for specific routes
-	authMiddleware := middleware.NewAuthMiddleware(apiKeyService, jwtService)
+	authMiddleware := middleware.NewAuthMiddleware(apiKeyService, userService, jwtService)
 	fileSizeLimitMiddleware := middleware.NewFileSizeLimitMiddleware()

 	// Set up API routes
--- a/backend/internal/common/errors.go
+++ b/backend/internal/common/errors.go
@@ -82,11 +82,6 @@ type FileTypeNotSupportedError struct{}
 func (e *FileTypeNotSupportedError) Error() string       { return "file type not supported" }
 func (e *FileTypeNotSupportedError) HttpStatusCode() int { return 400 }

-type InvalidCredentialsError struct{}
-
-func (e *InvalidCredentialsError) Error() string       { return "no user found with provided credentials" }
-func (e *InvalidCredentialsError) HttpStatusCode() int { return 400 }
-
 type FileTooLargeError struct {
 	MaxSize string
 }
@@ -229,8 +224,7 @@ type InvalidUUIDError struct{}
 func (e *InvalidUUIDError) Error() string {
 	return "Invalid UUID"
 }
-
-type InvalidEmailError struct{}
+func (e *InvalidUUIDError) HttpStatusCode() int { return http.StatusBadRequest }

 type OneTimeAccessDisabledError struct{}

@@ -244,31 +238,34 @@ type InvalidAPIKeyError struct{}
 func (e *InvalidAPIKeyError) Error() string {
 	return "Invalid Api Key"
 }
+func (e *InvalidAPIKeyError) HttpStatusCode() int { return http.StatusUnauthorized }

 type NoAPIKeyProvidedError struct{}

 func (e *NoAPIKeyProvidedError) Error() string {
 	return "No API Key Provided"
 }
+func (e *NoAPIKeyProvidedError) HttpStatusCode() int { return http.StatusUnauthorized }

 type APIKeyNotFoundError struct{}

 func (e *APIKeyNotFoundError) Error() string {
 	return "API Key Not Found"
 }
+func (e *APIKeyNotFoundError) HttpStatusCode() int { return http.StatusUnauthorized }

 type APIKeyExpirationDateError struct{}

 func (e *APIKeyExpirationDateError) Error() string {
 	return "API Key expiration time must be in the future"
 }
+func (e *APIKeyExpirationDateError) HttpStatusCode() int { return http.StatusBadRequest }

 type OidcInvalidRefreshTokenError struct{}

 func (e *OidcInvalidRefreshTokenError) Error() string {
 	return "refresh token is invalid or expired"
 }
-
 func (e *OidcInvalidRefreshTokenError) HttpStatusCode() int {
 	return http.StatusBadRequest
 }
@@ -278,7 +275,6 @@ type OidcMissingRefreshTokenError struct{}
 func (e *OidcMissingRefreshTokenError) Error() string {
 	return "refresh token is required"
 }
-
 func (e *OidcMissingRefreshTokenError) HttpStatusCode() int {
 	return http.StatusBadRequest
 }
@@ -288,7 +284,15 @@ type OidcMissingAuthorizationCodeError struct{}
 func (e *OidcMissingAuthorizationCodeError) Error() string {
 	return "authorization code is required"
 }
-
 func (e *OidcMissingAuthorizationCodeError) HttpStatusCode() int {
 	return http.StatusBadRequest
 }
+
+type UserDisabledError struct{}
+
+func (e *UserDisabledError) Error() string {
+	return "User account is disabled"
+}
+func (e *UserDisabledError) HttpStatusCode() int {
+	return http.StatusForbidden
+}
--- a/backend/internal/controller/user_controller.go
+++ b/backend/internal/controller/user_controller.go
@@ -43,9 +43,10 @@ func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi

 	group.POST("/users/me/one-time-access-token", authMiddleware.WithAdminNotRequired().Add(), uc.createOwnOneTimeAccessTokenHandler)
 	group.POST("/users/:id/one-time-access-token", authMiddleware.Add(), uc.createAdminOneTimeAccessTokenHandler)
+	group.POST("/users/:id/one-time-access-email", authMiddleware.Add(), uc.RequestOneTimeAccessEmailAsAdminHandler)
 	group.POST("/one-time-access-token/:token", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), uc.exchangeOneTimeAccessTokenHandler)
 	group.POST("/one-time-access-token/setup", uc.getSetupAccessTokenHandler)
-	group.POST("/one-time-access-email", rateLimitMiddleware.Add(rate.Every(10*time.Minute), 3), uc.requestOneTimeAccessEmailHandler)
+	group.POST("/one-time-access-email", rateLimitMiddleware.Add(rate.Every(10*time.Minute), 3), uc.RequestOneTimeAccessEmailAsUnauthenticatedUserHandler)

 	group.DELETE("/users/:id/profile-picture", authMiddleware.Add(), uc.resetUserProfilePictureHandler)
 	group.DELETE("/users/me/profile-picture", authMiddleware.WithAdminNotRequired().Add(), uc.resetCurrentUserProfilePictureHandler)
@@ -356,18 +357,63 @@ func (uc *UserController) createOwnOneTimeAccessTokenHandler(c *gin.Context) {
 	uc.createOneTimeAccessTokenHandler(c, true)
 }

+// createAdminOneTimeAccessTokenHandler godoc
+// @Summary Create one-time access token for user (admin)
+// @Description Generate a one-time access token for a specific user (admin only)
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param body body dto.OneTimeAccessTokenCreateDto true "Token options"
+// @Success 201 {object} object "{ \"token\": \"string\" }"
+// @Router /api/users/{id}/one-time-access-token [post]
 func (uc *UserController) createAdminOneTimeAccessTokenHandler(c *gin.Context) {
 	uc.createOneTimeAccessTokenHandler(c, false)
 }

-func (uc *UserController) requestOneTimeAccessEmailHandler(c *gin.Context) {
-	var input dto.OneTimeAccessEmailDto
+// RequestOneTimeAccessEmailAsUnauthenticatedUserHandler godoc
+// @Summary Request one-time access email
+// @Description Request a one-time access email for unauthenticated users
+// @Tags Users
+// @Accept json
+// @Produce json
+// @Param body body dto.OneTimeAccessEmailAsUnauthenticatedUserDto true "Email request information"
+// @Success 204 "No Content"
+// @Router /api/one-time-access-email [post]
+func (uc *UserController) RequestOneTimeAccessEmailAsUnauthenticatedUserHandler(c *gin.Context) {
+	var input dto.OneTimeAccessEmailAsUnauthenticatedUserDto
 	if err := c.ShouldBindJSON(&input); err != nil {
 		_ = c.Error(err)
 		return
 	}

-	err := uc.userService.RequestOneTimeAccessEmail(c.Request.Context(), input.Email, input.RedirectPath)
+	err := uc.userService.RequestOneTimeAccessEmailAsUnauthenticatedUser(c.Request.Context(), input.Email, input.RedirectPath)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// RequestOneTimeAccessEmailAsAdminHandler godoc
+// @Summary Request one-time access email (admin)
+// @Description Request a one-time access email for a specific user (admin only)
+// @Tags Users
+// @Accept json
+// @Produce json
+// @Param id path string true "User ID"
+// @Param body body dto.OneTimeAccessEmailAsAdminDto true "Email request options"
+// @Success 204 "No Content"
+// @Router /api/users/{id}/one-time-access-email [post]
+func (uc *UserController) RequestOneTimeAccessEmailAsAdminHandler(c *gin.Context) {
+	var input dto.OneTimeAccessEmailAsAdminDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	userID := c.Param("id")
+
+	err := uc.userService.RequestOneTimeAccessEmailAsAdmin(c.Request.Context(), userID, input.ExpiresAt)
 	if err != nil {
 		_ = c.Error(err)
 		return
--- a/backend/internal/dto/api_key_dto.go
+++ b/backend/internal/dto/api_key_dto.go
@@ -11,12 +11,13 @@ type ApiKeyCreateDto struct {
 }

 type ApiKeyDto struct {
-	ID          string             `json:"id"`
-	Name        string             `json:"name"`
-	Description string             `json:"description"`
-	ExpiresAt   datatype.DateTime  `json:"expiresAt"`
-	LastUsedAt  *datatype.DateTime `json:"lastUsedAt"`
-	CreatedAt   datatype.DateTime  `json:"createdAt"`
+	ID                  string             `json:"id"`
+	Name                string             `json:"name"`
+	Description         string             `json:"description"`
+	ExpiresAt           datatype.DateTime  `json:"expiresAt"`
+	LastUsedAt          *datatype.DateTime `json:"lastUsedAt"`
+	CreatedAt           datatype.DateTime  `json:"createdAt"`
+	ExpirationEmailSent bool               `json:"expirationEmailSent"`
 }

 type ApiKeyResponseDto struct {
--- a/backend/internal/dto/app_config_dto.go
+++ b/backend/internal/dto/app_config_dto.go
@@ -12,36 +12,39 @@ type AppConfigVariableDto struct {
 }

 type AppConfigUpdateDto struct {
-	AppName                            string `json:"appName" binding:"required,min=1,max=30"`
-	SessionDuration                    string `json:"sessionDuration" binding:"required"`
-	EmailsVerified                     string `json:"emailsVerified" binding:"required"`
-	DisableAnimations                  string `json:"disableAnimations" binding:"required"`
-	AllowOwnAccountEdit                string `json:"allowOwnAccountEdit" binding:"required"`
-	SmtpHost                           string `json:"smtpHost"`
-	SmtpPort                           string `json:"smtpPort"`
-	SmtpFrom                           string `json:"smtpFrom" binding:"omitempty,email"`
-	SmtpUser                           string `json:"smtpUser"`
-	SmtpPassword                       string `json:"smtpPassword"`
-	SmtpTls                            string `json:"smtpTls" binding:"required,oneof=none starttls tls"`
-	SmtpSkipCertVerify                 string `json:"smtpSkipCertVerify"`
-	LdapEnabled                        string `json:"ldapEnabled" binding:"required"`
-	LdapUrl                            string `json:"ldapUrl"`
-	LdapBindDn                         string `json:"ldapBindDn"`
-	LdapBindPassword                   string `json:"ldapBindPassword"`
-	LdapBase                           string `json:"ldapBase"`
-	LdapUserSearchFilter               string `json:"ldapUserSearchFilter"`
-	LdapUserGroupSearchFilter          string `json:"ldapUserGroupSearchFilter"`
-	LdapSkipCertVerify                 string `json:"ldapSkipCertVerify"`
-	LdapAttributeUserUniqueIdentifier  string `json:"ldapAttributeUserUniqueIdentifier"`
-	LdapAttributeUserUsername          string `json:"ldapAttributeUserUsername"`
-	LdapAttributeUserEmail             string `json:"ldapAttributeUserEmail"`
-	LdapAttributeUserFirstName         string `json:"ldapAttributeUserFirstName"`
-	LdapAttributeUserLastName          string `json:"ldapAttributeUserLastName"`
-	LdapAttributeUserProfilePicture    string `json:"ldapAttributeUserProfilePicture"`
-	LdapAttributeGroupMember           string `json:"ldapAttributeGroupMember"`
-	LdapAttributeGroupUniqueIdentifier string `json:"ldapAttributeGroupUniqueIdentifier"`
-	LdapAttributeGroupName             string `json:"ldapAttributeGroupName"`
-	LdapAttributeAdminGroup            string `json:"ldapAttributeAdminGroup"`
-	EmailOneTimeAccessEnabled          string `json:"emailOneTimeAccessEnabled" binding:"required"`
-	EmailLoginNotificationEnabled      string `json:"emailLoginNotificationEnabled" binding:"required"`
+	AppName                                    string `json:"appName" binding:"required,min=1,max=30"`
+	SessionDuration                            string `json:"sessionDuration" binding:"required"`
+	EmailsVerified                             string `json:"emailsVerified" binding:"required"`
+	DisableAnimations                          string `json:"disableAnimations" binding:"required"`
+	AllowOwnAccountEdit                        string `json:"allowOwnAccountEdit" binding:"required"`
+	SmtpHost                                   string `json:"smtpHost"`
+	SmtpPort                                   string `json:"smtpPort"`
+	SmtpFrom                                   string `json:"smtpFrom" binding:"omitempty,email"`
+	SmtpUser                                   string `json:"smtpUser"`
+	SmtpPassword                               string `json:"smtpPassword"`
+	SmtpTls                                    string `json:"smtpTls" binding:"required,oneof=none starttls tls"`
+	SmtpSkipCertVerify                         string `json:"smtpSkipCertVerify"`
+	LdapEnabled                                string `json:"ldapEnabled" binding:"required"`
+	LdapUrl                                    string `json:"ldapUrl"`
+	LdapBindDn                                 string `json:"ldapBindDn"`
+	LdapBindPassword                           string `json:"ldapBindPassword"`
+	LdapBase                                   string `json:"ldapBase"`
+	LdapUserSearchFilter                       string `json:"ldapUserSearchFilter"`
+	LdapUserGroupSearchFilter                  string `json:"ldapUserGroupSearchFilter"`
+	LdapSkipCertVerify                         string `json:"ldapSkipCertVerify"`
+	LdapAttributeUserUniqueIdentifier          string `json:"ldapAttributeUserUniqueIdentifier"`
+	LdapAttributeUserUsername                  string `json:"ldapAttributeUserUsername"`
+	LdapAttributeUserEmail                     string `json:"ldapAttributeUserEmail"`
+	LdapAttributeUserFirstName                 string `json:"ldapAttributeUserFirstName"`
+	LdapAttributeUserLastName                  string `json:"ldapAttributeUserLastName"`
+	LdapAttributeUserProfilePicture            string `json:"ldapAttributeUserProfilePicture"`
+	LdapAttributeGroupMember                   string `json:"ldapAttributeGroupMember"`
+	LdapAttributeGroupUniqueIdentifier         string `json:"ldapAttributeGroupUniqueIdentifier"`
+	LdapAttributeGroupName                     string `json:"ldapAttributeGroupName"`
+	LdapAttributeAdminGroup                    string `json:"ldapAttributeAdminGroup"`
+	LdapSoftDeleteUsers                        string `json:"ldapSoftDeleteUsers"`
+	EmailOneTimeAccessAsAdminEnabled           string `json:"emailOneTimeAccessAsAdminEnabled" binding:"required"`
+	EmailOneTimeAccessAsUnauthenticatedEnabled string `json:"emailOneTimeAccessAsUnauthenticatedEnabled" binding:"required"`
+	EmailLoginNotificationEnabled              string `json:"emailLoginNotificationEnabled" binding:"required"`
+	EmailApiKeyExpirationEnabled               string `json:"emailApiKeyExpirationEnabled" binding:"required"`
 }
--- a/backend/internal/dto/user_dto.go
+++ b/backend/internal/dto/user_dto.go
@@ -13,6 +13,7 @@ type UserDto struct {
 	CustomClaims []CustomClaimDto `json:"customClaims"`
 	UserGroups   []UserGroupDto   `json:"userGroups"`
 	LdapID       *string          `json:"ldapId"`
+	Disabled     bool             `json:"disabled"`
 }

 type UserCreateDto struct {
@@ -22,6 +23,7 @@ type UserCreateDto struct {
 	LastName  string  `json:"lastName" binding:"required,min=1,max=50"`
 	IsAdmin   bool    `json:"isAdmin"`
 	Locale    *string `json:"locale"`
+	Disabled  bool    `json:"disabled"`
 	LdapID    string  `json:"-"`
 }

@@ -30,11 +32,15 @@ type OneTimeAccessTokenCreateDto struct {
 	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
 }

-type OneTimeAccessEmailDto struct {
+type OneTimeAccessEmailAsUnauthenticatedUserDto struct {
 	Email        string `json:"email" binding:"required,email"`
 	RedirectPath string `json:"redirectPath"`
 }

+type OneTimeAccessEmailAsAdminDto struct {
+	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
+}
+
 type UserUpdateUserGroupDto struct {
 	UserGroupIds []string `json:"userGroupIds" binding:"required"`
 }
--- a/backend/internal/job/api_key_expiry_job.go
+++ b/backend/internal/job/api_key_expiry_job.go
@@ -0,0 +1,53 @@
+package job
+
+import (
+	"context"
+	"log"
+
+	"github.com/go-co-op/gocron/v2"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+type ApiKeyEmailJobs struct {
+	apiKeyService    *service.ApiKeyService
+	appConfigService *service.AppConfigService
+}
+
+func RegisterApiKeyExpiryJob(ctx context.Context, apiKeyService *service.ApiKeyService, appConfigService *service.AppConfigService) {
+	jobs := &ApiKeyEmailJobs{
+		apiKeyService:    apiKeyService,
+		appConfigService: appConfigService,
+	}
+
+	scheduler, err := gocron.NewScheduler()
+	if err != nil {
+		log.Fatalf("Failed to create a new scheduler: %v", err)
+	}
+
+	registerJob(ctx, scheduler, "ExpiredApiKeyEmailJob", "0 0 * * *", jobs.checkAndNotifyExpiringApiKeys)
+
+	scheduler.Start()
+}
+
+func (j *ApiKeyEmailJobs) checkAndNotifyExpiringApiKeys(ctx context.Context) error {
+	// Skip if the feature is disabled
+	if !j.appConfigService.GetDbConfig().EmailApiKeyExpirationEnabled.IsTrue() {
+		return nil
+	}
+
+	apiKeys, err := j.apiKeyService.ListExpiringApiKeys(ctx, 7)
+	if err != nil {
+		log.Printf("Failed to list expiring API keys: %v", err)
+		return err
+	}
+
+	for _, key := range apiKeys {
+		if key.User.Email == "" {
+			continue
+		}
+		if err := j.apiKeyService.SendApiKeyExpiringSoonEmail(ctx, key); err != nil {
+			log.Printf("Failed to send email for key %s: %v", key.ID, err)
+		}
+	}
+	return nil
+}
--- a/backend/internal/middleware/api_key_auth.go
+++ b/backend/internal/middleware/api_key_auth.go
@@ -41,7 +41,10 @@ func (m *ApiKeyAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (userI
 		return "", false, &common.NotSignedInError{}
 	}

-	// Check if the user is an admin
+	if user.Disabled {
+		return "", false, &common.UserDisabledError{}
+	}
+
 	if adminRequired && !user.IsAdmin {
 		return "", false, &common.MissingPermissionError{}
 	}
--- a/backend/internal/middleware/auth_middleware.go
+++ b/backend/internal/middleware/auth_middleware.go
@@ -19,11 +19,12 @@ type AuthOptions struct {

 func NewAuthMiddleware(
 	apiKeyService *service.ApiKeyService,
+	userService *service.UserService,
 	jwtService *service.JwtService,
 ) *AuthMiddleware {
 	return &AuthMiddleware{
 		apiKeyMiddleware: NewApiKeyAuthMiddleware(apiKeyService, jwtService),
-		jwtMiddleware:    NewJwtAuthMiddleware(jwtService),
+		jwtMiddleware:    NewJwtAuthMiddleware(jwtService, userService),
 		options: AuthOptions{
 			AdminRequired:   true,
 			SuccessOptional: false,
@@ -57,12 +58,13 @@ func (m *AuthMiddleware) WithSuccessOptional() *AuthMiddleware {

 func (m *AuthMiddleware) Add() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		// First try JWT auth
 		userID, isAdmin, err := m.jwtMiddleware.Verify(c, m.options.AdminRequired)
 		if err == nil {
-			// JWT auth succeeded, continue with the request
 			c.Set("userID", userID)
 			c.Set("userIsAdmin", isAdmin)
+			if c.IsAborted() {
+				return
+			}
 			c.Next()
 			return
 		}
@@ -70,9 +72,11 @@ func (m *AuthMiddleware) Add() gin.HandlerFunc {
 		// JWT auth failed, try API key auth
 		userID, isAdmin, err = m.apiKeyMiddleware.Verify(c, m.options.AdminRequired)
 		if err == nil {
-			// API key auth succeeded, continue with the request
 			c.Set("userID", userID)
 			c.Set("userIsAdmin", isAdmin)
+			if c.IsAborted() {
+				return
+			}
 			c.Next()
 			return
 		}
--- a/backend/internal/middleware/jwt_auth.go
+++ b/backend/internal/middleware/jwt_auth.go
@@ -10,11 +10,12 @@ import (
 )

 type JwtAuthMiddleware struct {
-	jwtService *service.JwtService
+	userService *service.UserService
+	jwtService  *service.JwtService
 }

-func NewJwtAuthMiddleware(jwtService *service.JwtService) *JwtAuthMiddleware {
-	return &JwtAuthMiddleware{jwtService: jwtService}
+func NewJwtAuthMiddleware(jwtService *service.JwtService, userService *service.UserService) *JwtAuthMiddleware {
+	return &JwtAuthMiddleware{jwtService: jwtService, userService: userService}
 }

 func (m *JwtAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
@@ -55,12 +56,16 @@ func (m *JwtAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (subject
 		return
 	}

-	// Check if the user is an admin
-	isAdmin, err = service.GetIsAdmin(token)
+	user, err := m.userService.GetUser(c, subject)
 	if err != nil {
-		return "", false, &common.TokenInvalidError{}
+		return "", false, &common.NotSignedInError{}
 	}
-	if adminRequired && !isAdmin {
+
+	if user.Disabled {
+		return "", false, &common.UserDisabledError{}
+	}
+
+	if adminRequired && !user.IsAdmin {
 		return "", false, &common.MissingPermissionError{}
 	}

--- a/backend/internal/model/api_key.go
+++ b/backend/internal/model/api_key.go
@@ -5,11 +5,12 @@ import datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 type ApiKey struct {
 	Base

-	Name        string `sortable:"true"`
-	Key         string
-	Description *string
-	ExpiresAt   datatype.DateTime  `sortable:"true"`
-	LastUsedAt  *datatype.DateTime `sortable:"true"`
+	Name                string `sortable:"true"`
+	Key                 string
+	Description         *string
+	ExpiresAt           datatype.DateTime  `sortable:"true"`
+	LastUsedAt          *datatype.DateTime `sortable:"true"`
+	ExpirationEmailSent bool

 	UserID string
 	User   User
--- a/backend/internal/model/app_config.go
+++ b/backend/internal/model/app_config.go
@@ -41,15 +41,17 @@ type AppConfig struct {
 	LogoLightImageType  AppConfigVariable `key:"logoLightImageType,internal"`  // Internal
 	LogoDarkImageType   AppConfigVariable `key:"logoDarkImageType,internal"`   // Internal
 	// Email
-	SmtpHost                      AppConfigVariable `key:"smtpHost"`
-	SmtpPort                      AppConfigVariable `key:"smtpPort"`
-	SmtpFrom                      AppConfigVariable `key:"smtpFrom"`
-	SmtpUser                      AppConfigVariable `key:"smtpUser"`
-	SmtpPassword                  AppConfigVariable `key:"smtpPassword"`
-	SmtpTls                       AppConfigVariable `key:"smtpTls"`
-	SmtpSkipCertVerify            AppConfigVariable `key:"smtpSkipCertVerify"`
-	EmailLoginNotificationEnabled AppConfigVariable `key:"emailLoginNotificationEnabled"`
-	EmailOneTimeAccessEnabled     AppConfigVariable `key:"emailOneTimeAccessEnabled,public"` // Public
+	SmtpHost                                   AppConfigVariable `key:"smtpHost"`
+	SmtpPort                                   AppConfigVariable `key:"smtpPort"`
+	SmtpFrom                                   AppConfigVariable `key:"smtpFrom"`
+	SmtpUser                                   AppConfigVariable `key:"smtpUser"`
+	SmtpPassword                               AppConfigVariable `key:"smtpPassword"`
+	SmtpTls                                    AppConfigVariable `key:"smtpTls"`
+	SmtpSkipCertVerify                         AppConfigVariable `key:"smtpSkipCertVerify"`
+	EmailLoginNotificationEnabled              AppConfigVariable `key:"emailLoginNotificationEnabled"`
+	EmailOneTimeAccessAsUnauthenticatedEnabled AppConfigVariable `key:"emailOneTimeAccessAsUnauthenticatedEnabled,public"` // Public
+	EmailOneTimeAccessAsAdminEnabled           AppConfigVariable `key:"emailOneTimeAccessAsAdminEnabled,public"`           // Public
+	EmailApiKeyExpirationEnabled               AppConfigVariable `key:"emailApiKeyExpirationEnabled"`
 	// LDAP
 	LdapEnabled                        AppConfigVariable `key:"ldapEnabled,public"` // Public
 	LdapUrl                            AppConfigVariable `key:"ldapUrl"`
@@ -69,6 +71,7 @@ type AppConfig struct {
 	LdapAttributeGroupUniqueIdentifier AppConfigVariable `key:"ldapAttributeGroupUniqueIdentifier"`
 	LdapAttributeGroupName             AppConfigVariable `key:"ldapAttributeGroupName"`
 	LdapAttributeAdminGroup            AppConfigVariable `key:"ldapAttributeAdminGroup"`
+	LdapSoftDeleteUsers                AppConfigVariable `key:"ldapSoftDeleteUsers"`
 }

 func (c *AppConfig) ToAppConfigVariableSlice(showAll bool) []AppConfigVariable {
@@ -76,7 +79,7 @@ func (c *AppConfig) ToAppConfigVariableSlice(showAll bool) []AppConfigVariable {
 	cfgValue := reflect.ValueOf(c).Elem()
 	cfgType := cfgValue.Type()

-	res := make([]AppConfigVariable, cfgType.NumField())
+	var res []AppConfigVariable

 	for i := range cfgType.NumField() {
 		field := cfgType.Field(i)
@@ -93,10 +96,12 @@ func (c *AppConfig) ToAppConfigVariableSlice(showAll bool) []AppConfigVariable {

 		fieldValue := cfgValue.Field(i)

-		res[i] = AppConfigVariable{
+		appConfigVariable := AppConfigVariable{
 			Key:   key,
 			Value: fieldValue.FieldByName("Value").String(),
 		}
+
+		res = append(res, appConfigVariable)
 	}

 	return res
--- a/backend/internal/model/user.go
+++ b/backend/internal/model/user.go
@@ -19,6 +19,7 @@ type User struct {
 	IsAdmin   bool   `sortable:"true"`
 	Locale    *string
 	LdapID    *string
+	Disabled  bool `sortable:"true"`

 	CustomClaims []CustomClaim
 	UserGroups   []UserGroup `gorm:"many2many:user_groups_users;"`
@@ -67,9 +68,12 @@ func (u User) WebAuthnCredentialDescriptors() (descriptors []protocol.Credential
 func (u User) FullName() string { return u.FirstName + " " + u.LastName }

 func (u User) Initials() string {
-	return strings.ToUpper(
-		utils.GetFirstCharacter(u.FirstName) + utils.GetFirstCharacter(u.LastName),
-	)
+	first := utils.GetFirstCharacter(u.FirstName)
+	last := utils.GetFirstCharacter(u.LastName)
+	if first == "" && last == "" && len(u.Username) >= 2 {
+		return strings.ToUpper(u.Username[:2])
+	}
+	return strings.ToUpper(first + last)
 }

 type OneTimeAccessToken struct {
--- a/backend/internal/service/api_key_service.go
+++ b/backend/internal/service/api_key_service.go
@@ -6,6 +6,7 @@ import (
 	"time"

 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"

 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
@@ -16,11 +17,12 @@ import (
 )

 type ApiKeyService struct {
-	db *gorm.DB
+	db           *gorm.DB
+	emailService *EmailService
 }

-func NewApiKeyService(db *gorm.DB) *ApiKeyService {
-	return &ApiKeyService{db: db}
+func NewApiKeyService(db *gorm.DB, emailService *EmailService) *ApiKeyService {
+	return &ApiKeyService{db: db, emailService: emailService}
 }

 func (s *ApiKeyService) ListApiKeys(ctx context.Context, userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.ApiKey, utils.PaginationResponse, error) {
@@ -117,3 +119,47 @@ func (s *ApiKeyService) ValidateApiKey(ctx context.Context, apiKey string) (mode

 	return key.User, nil
 }
+
+func (s *ApiKeyService) ListExpiringApiKeys(ctx context.Context, daysAhead int) ([]model.ApiKey, error) {
+	var keys []model.ApiKey
+	now := time.Now()
+	cutoff := now.AddDate(0, 0, daysAhead)
+
+	err := s.db.
+		WithContext(ctx).
+		Preload("User").
+		Where("expires_at > ? AND expires_at <= ? AND expiration_email_sent = ?", datatype.DateTime(now), datatype.DateTime(cutoff), false).
+		Find(&keys).
+		Error
+
+	return keys, err
+}
+
+func (s *ApiKeyService) SendApiKeyExpiringSoonEmail(ctx context.Context, apiKey model.ApiKey) error {
+	user := apiKey.User
+
+	if user.ID == "" {
+		if err := s.db.WithContext(ctx).First(&user, "id = ?", apiKey.UserID).Error; err != nil {
+			return err
+		}
+	}
+
+	err := SendEmail(ctx, s.emailService, email.Address{
+		Name:  user.FullName(),
+		Email: user.Email,
+	}, ApiKeyExpiringSoonTemplate, &ApiKeyExpiringSoonTemplateData{
+		ApiKeyName: apiKey.Name,
+		ExpiresAt:  apiKey.ExpiresAt.ToTime(),
+		Name:       user.FirstName,
+	})
+	if err != nil {
+		return err
+	}
+
+	// Mark the API key as having had an expiration email sent
+	return s.db.WithContext(ctx).
+		Model(&model.ApiKey{}).
+		Where("id = ?", apiKey.ID).
+		Update("expiration_email_sent", true).
+		Error
+}
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -73,7 +73,9 @@ func (s *AppConfigService) getDefaultDbConfig() *model.AppConfig {
 		SmtpTls:                       model.AppConfigVariable{Value: "none"},
 		SmtpSkipCertVerify:            model.AppConfigVariable{Value: "false"},
 		EmailLoginNotificationEnabled: model.AppConfigVariable{Value: "false"},
-		EmailOneTimeAccessEnabled:     model.AppConfigVariable{Value: "false"},
+		EmailOneTimeAccessAsUnauthenticatedEnabled: model.AppConfigVariable{Value: "false"},
+		EmailOneTimeAccessAsAdminEnabled:           model.AppConfigVariable{Value: "false"},
+		EmailApiKeyExpirationEnabled:               model.AppConfigVariable{Value: "false"},
 		// LDAP
 		LdapEnabled:                        model.AppConfigVariable{Value: "false"},
 		LdapUrl:                            model.AppConfigVariable{},
@@ -93,6 +95,7 @@ func (s *AppConfigService) getDefaultDbConfig() *model.AppConfig {
 		LdapAttributeGroupUniqueIdentifier: model.AppConfigVariable{},
 		LdapAttributeGroupName:             model.AppConfigVariable{},
 		LdapAttributeAdminGroup:            model.AppConfigVariable{},
+		LdapSoftDeleteUsers:                model.AppConfigVariable{Value: "true"},
 	}
 }

@@ -150,11 +153,6 @@ func (s *AppConfigService) UpdateAppConfig(ctx context.Context, input dto.AppCon
 		return nil, &common.UiConfigDisabledError{}
 	}

-	// If EmailLoginNotificationEnabled is set to false (explicitly), disable the EmailOneTimeAccessEnabled
-	if input.EmailLoginNotificationEnabled == "false" {
-		input.EmailOneTimeAccessEnabled = "false"
-	}
-
 	// Start the transaction
 	tx, err := s.updateAppConfigStartTransaction(ctx)
 	if err != nil {
--- a/backend/internal/service/app_config_service_test.go
+++ b/backend/internal/service/app_config_service_test.go
@@ -447,44 +447,6 @@ func TestUpdateAppConfig(t *testing.T) {
 		}
 	})

-	t.Run("auto disables EmailOneTimeAccessEnabled when EmailLoginNotificationEnabled is false", func(t *testing.T) {
-		db := newAppConfigTestDatabaseForTest(t)
-
-		// Create a service with default config
-		service := &AppConfigService{
-			db: db,
-		}
-		err := service.LoadDbConfig(t.Context())
-		require.NoError(t, err)
-
-		// First enable both settings
-		err = service.UpdateAppConfigValues(t.Context(),
-			"emailLoginNotificationEnabled", "true",
-			"emailOneTimeAccessEnabled", "true",
-		)
-		require.NoError(t, err)
-
-		// Verify both are enabled
-		config := service.GetDbConfig()
-		require.True(t, config.EmailLoginNotificationEnabled.IsTrue())
-		require.True(t, config.EmailOneTimeAccessEnabled.IsTrue())
-
-		// Now disable EmailLoginNotificationEnabled
-		input := dto.AppConfigUpdateDto{
-			EmailLoginNotificationEnabled: "false",
-			// Don't set EmailOneTimeAccessEnabled, it should be auto-disabled
-		}
-
-		// Update config
-		_, err = service.UpdateAppConfig(t.Context(), input)
-		require.NoError(t, err)
-
-		// Verify EmailOneTimeAccessEnabled was automatically disabled
-		config = service.GetDbConfig()
-		require.False(t, config.EmailLoginNotificationEnabled.IsTrue())
-		require.False(t, config.EmailOneTimeAccessEnabled.IsTrue())
-	})
-
 	t.Run("cannot update when UiConfigDisabled is true", func(t *testing.T) {
 		// Save the original state and restore it after the test
 		originalUiConfigDisabled := common.EnvConfig.UiConfigDisabled
--- a/backend/internal/service/audit_log_service.go
+++ b/backend/internal/service/audit_log_service.go
@@ -90,7 +90,7 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ctx context.Context, ipAddres
 			}

 			innerErr = SendEmail(innerCtx, s.emailService, email.Address{
-				Name:  user.Username,
+				Name:  user.FullName(),
 				Email: user.Email,
 			}, NewLoginTemplate, &NewLoginTemplateData{
 				IPAddress: ipAddress,
@@ -164,8 +164,8 @@ func (s *AuditLogService) ListUsernamesWithIds(ctx context.Context) (users map[s
 		WithContext(ctx).
 		Joins("User").
 		Model(&model.AuditLog{}).
-		Select("DISTINCT User.id, User.username").
-		Where("User.username IS NOT NULL")
+		Select("DISTINCT \"User\".id, \"User\".username").
+		Where("\"User\".username IS NOT NULL")

 	type Result struct {
 		ID       string `gorm:"column:id"`
--- a/backend/internal/service/custom_claim_service.go
+++ b/backend/internal/service/custom_claim_service.go
@@ -26,6 +26,7 @@ func isReservedClaim(key string) bool {
 		"email",
 		"preferred_username",
 		"groups",
+		TokenTypeClaim,
 		"sub",
 		"iss",
 		"aud",
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -104,10 +104,10 @@ func SendEmail[V any](ctx context.Context, srv *EmailService, toEmail email.Addr
 	// so we use the domain of the from address instead (the same as Thunderbird does)
 	// if the address does not have an @ (which would be unusual), we use hostname

-	from_address := dbConfig.SmtpFrom.Value
+	fromAddress := dbConfig.SmtpFrom.Value
 	domain := ""
-	if strings.Contains(from_address, "@") {
-		domain = strings.Split(from_address, "@")[1]
+	if strings.Contains(fromAddress, "@") {
+		domain = strings.Split(fromAddress, "@")[1]
 	} else {
 		hostname, err := os.Hostname()
 		if err != nil {
--- a/backend/internal/service/email_service_templates.go
+++ b/backend/internal/service/email_service_templates.go
@@ -42,6 +42,13 @@ var TestTemplate = email.Template[struct{}]{
 	},
 }

+var ApiKeyExpiringSoonTemplate = email.Template[ApiKeyExpiringSoonTemplateData]{
+	Path: "api-key-expiring-soon",
+	Title: func(data *email.TemplateData[ApiKeyExpiringSoonTemplateData]) string {
+		return fmt.Sprintf("API Key \"%s\" Expiring Soon", data.Data.ApiKeyName)
+	},
+}
+
 type NewLoginTemplateData struct {
 	IPAddress string
 	Country   string
@@ -54,7 +61,14 @@ type OneTimeAccessTemplateData = struct {
 	Code              string
 	LoginLink         string
 	LoginLinkWithCode string
+	ExpirationString  string
+}
+
+type ApiKeyExpiringSoonTemplateData struct {
+	Name       string
+	ApiKeyName string
+	ExpiresAt  time.Time
 }

 // this is list of all template paths used for preloading templates
-var emailTemplatesPaths = []string{NewLoginTemplate.Path, OneTimeAccessTemplate.Path, TestTemplate.Path}
+var emailTemplatesPaths = []string{NewLoginTemplate.Path, OneTimeAccessTemplate.Path, TestTemplate.Path, ApiKeyExpiringSoonTemplate.Path}
--- a/backend/internal/service/ldap_service.go
+++ b/backend/internal/service/ldap_service.go
@@ -279,6 +279,22 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 			Where("ldap_id = ?", ldapId).
 			First(&databaseUser).
 			Error
+
+		// If a user is found (even if disabled), enable them since they're now back in LDAP
+		if databaseUser.ID != "" && databaseUser.Disabled {
+			// Use the transaction instead of the direct context
+			err = tx.
+				WithContext(ctx).
+				Model(&model.User{}).
+				Where("id = ?", databaseUser.ID).
+				Update("disabled", false).
+				Error
+
+			if err != nil {
+				log.Printf("Failed to enable user %s: %v", databaseUser.Username, err)
+			}
+		}
+
 		if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
 			// This could error with ErrRecordNotFound and we want to ignore that here
 			return fmt.Errorf("failed to query for LDAP user ID '%s': %w", ldapId, err)
@@ -336,24 +352,32 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 	err = tx.
 		WithContext(ctx).
 		Find(&ldapUsersInDb, "ldap_id IS NOT NULL").
-		Select("ldap_id").
+		Select("id, username, ldap_id, disabled").
 		Error
 	if err != nil {
 		return fmt.Errorf("failed to fetch users from database: %w", err)
 	}

-	// Delete users that no longer exist in LDAP
+	// Mark users as disabled or delete users that no longer exist in LDAP
 	for _, user := range ldapUsersInDb {
+		// Skip if the user ID exists in the fetched LDAP results
 		if _, exists := ldapUserIDs[*user.LdapID]; exists {
 			continue
 		}

-		err = s.userService.deleteUserInternal(ctx, user.ID, true, tx)
-		if err != nil {
-			return fmt.Errorf("failed to delete user '%s': %w", user.Username, err)
+		if dbConfig.LdapSoftDeleteUsers.IsTrue() {
+			err = s.userService.DisableUser(ctx, user.ID, tx)
+			if err != nil {
+				log.Printf("Failed to disable user %s: %v", user.Username, err)
+				continue
+			}
+		} else {
+			err = s.userService.DeleteUser(ctx, user.ID, true)
+			if err != nil {
+				log.Printf("Failed to delete user %s: %v", user.Username, err)
+				continue
+			}
 		}
-
-		log.Printf("Deleted user '%s'", user.Username)
 	}

 	return nil
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -955,7 +955,7 @@ func (s *OidcService) getCallbackURL(urls []string, inputCallbackURL string) (ca
 	}

 	for _, callbackPattern := range urls {
-		regexPattern := strings.ReplaceAll(regexp.QuoteMeta(callbackPattern), `\*`, ".*") + "$"
+		regexPattern := "^" + strings.ReplaceAll(regexp.QuoteMeta(callbackPattern), `\*`, ".*") + "$"
 		matched, err := regexp.MatchString(regexPattern, inputCallbackURL)
 		if err != nil {
 			return "", err
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -38,14 +38,19 @@ func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditL

 func (s *UserService) ListUsers(ctx context.Context, searchTerm string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.User, utils.PaginationResponse, error) {
 	var users []model.User
-	query := s.db.WithContext(ctx).Model(&model.User{})
+	query := s.db.WithContext(ctx).
+		Model(&model.User{}).
+		Preload("UserGroups").
+		Preload("CustomClaims")

 	if searchTerm != "" {
 		searchPattern := "%" + searchTerm + "%"
-		query = query.Where("email LIKE ? OR first_name LIKE ? OR username LIKE ?", searchPattern, searchPattern, searchPattern)
+		query = query.Where("email LIKE ? OR first_name LIKE ? OR last_name LIKE ? OR username LIKE ?",
+			searchPattern, searchPattern, searchPattern, searchPattern)
 	}

 	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &users)
+
 	return users, pagination, err
 }

@@ -170,9 +175,28 @@ func (s *UserService) UpdateProfilePicture(userID string, file io.Reader) error
 }

 func (s *UserService) DeleteUser(ctx context.Context, userID string, allowLdapDelete bool) error {
-	return s.db.Transaction(func(tx *gorm.DB) error {
-		return s.deleteUserInternal(ctx, userID, allowLdapDelete, tx)
-	})
+	tx := s.db.Begin()
+
+	var user model.User
+	if err := tx.WithContext(ctx).First(&user, "id = ?", userID).Error; err != nil {
+		tx.Rollback()
+		return err
+	}
+
+	// Only soft-delete if user is LDAP and soft-delete is enabled and not allowing hard delete
+	if user.LdapID != nil && s.appConfigService.GetDbConfig().LdapSoftDeleteUsers.IsTrue() && !allowLdapDelete {
+		if !user.Disabled {
+			tx.Rollback()
+			return fmt.Errorf("LDAP user must be disabled before deletion")
+		}
+	}
+
+	// Otherwise, hard delete (local users or LDAP users when allowed)
+	if err := s.deleteUserInternal(ctx, userID, allowLdapDelete, tx); err != nil {
+		tx.Rollback()
+		return err
+	}
+	return tx.Commit().Error
 }

 func (s *UserService) deleteUserInternal(ctx context.Context, userID string, allowLdapDelete bool, tx *gorm.DB) error {
@@ -187,8 +211,8 @@ func (s *UserService) deleteUserInternal(ctx context.Context, userID string, all
 		return fmt.Errorf("failed to load user to delete: %w", err)
 	}

-	// Disallow deleting the user if it is an LDAP user and LDAP is enabled
-	if !allowLdapDelete && user.LdapID != nil && s.appConfigService.GetDbConfig().LdapEnabled.IsTrue() {
+	// Disallow deleting the user if it is an LDAP user, LDAP is enabled, and the user is not disabled
+	if !allowLdapDelete && !user.Disabled && user.LdapID != nil && s.appConfigService.GetDbConfig().LdapEnabled.IsTrue() {
 		return &common.LdapUserUpdateError{}
 	}

@@ -299,6 +323,7 @@ func (s *UserService) updateUserInternal(ctx context.Context, userID string, upd
 	user.Locale = updatedUser.Locale
 	if !updateOwnUser {
 		user.IsAdmin = updatedUser.IsAdmin
+		user.Disabled = updatedUser.Disabled
 	}

 	err = tx.
@@ -323,23 +348,24 @@ func (s *UserService) updateUserInternal(ctx context.Context, userID string, upd
 	return user, nil
 }

-func (s *UserService) RequestOneTimeAccessEmail(ctx context.Context, emailAddress, redirectPath string) error {
-	tx := s.db.Begin()
-	defer func() {
-		tx.Rollback()
-	}()
-
-	isDisabled := !s.appConfigService.GetDbConfig().EmailOneTimeAccessEnabled.IsTrue()
+func (s *UserService) RequestOneTimeAccessEmailAsAdmin(ctx context.Context, userID string, expiration time.Time) error {
+	isDisabled := !s.appConfigService.GetDbConfig().EmailOneTimeAccessAsAdminEnabled.IsTrue()
 	if isDisabled {
 		return &common.OneTimeAccessDisabledError{}
 	}

-	var user model.User
-	err := tx.
-		WithContext(ctx).
-		Where("email = ?", emailAddress).
-		First(&user).
-		Error
+	return s.requestOneTimeAccessEmailInternal(ctx, userID, "", expiration)
+
+}
+
+func (s *UserService) RequestOneTimeAccessEmailAsUnauthenticatedUser(ctx context.Context, userID, redirectPath string) error {
+	isDisabled := !s.appConfigService.GetDbConfig().EmailOneTimeAccessAsUnauthenticatedEnabled.IsTrue()
+	if isDisabled {
+		return &common.OneTimeAccessDisabledError{}
+	}
+
+	var userId string
+	err := s.db.Model(&model.User{}).Select("id").Where("email = ?", userID).First(&userId).Error
 	if err != nil {
 		// Do not return error if user not found to prevent email enumeration
 		if errors.Is(err, gorm.ErrRecordNotFound) {
@@ -349,7 +375,22 @@ func (s *UserService) RequestOneTimeAccessEmail(ctx context.Context, emailAddres
 		}
 	}

-	oneTimeAccessToken, err := s.createOneTimeAccessTokenInternal(ctx, user.ID, time.Now().Add(15*time.Minute), tx)
+	expiration := time.Now().Add(15 * time.Minute)
+	return s.requestOneTimeAccessEmailInternal(ctx, userId, redirectPath, expiration)
+}
+
+func (s *UserService) requestOneTimeAccessEmailInternal(ctx context.Context, userID, redirectPath string, expiration time.Time) error {
+	tx := s.db.Begin()
+	defer func() {
+		tx.Rollback()
+	}()
+
+	user, err := s.GetUser(ctx, userID)
+	if err != nil {
+		return err
+	}
+
+	oneTimeAccessToken, err := s.createOneTimeAccessTokenInternal(ctx, user.ID, expiration, tx)
 	if err != nil {
 		return err
 	}
@@ -374,12 +415,13 @@ func (s *UserService) RequestOneTimeAccessEmail(ctx context.Context, emailAddres
 		}

 		errInternal := SendEmail(innerCtx, s.emailService, email.Address{
-			Name:  user.Username,
+			Name:  user.FullName(),
 			Email: user.Email,
 		}, OneTimeAccessTemplate, &OneTimeAccessTemplateData{
 			Code:              oneTimeAccessToken,
 			LoginLink:         link,
 			LoginLinkWithCode: linkWithCode,
+			ExpirationString:  utils.DurationToString(time.Until(expiration).Round(time.Second)),
 		})
 		if errInternal != nil {
 			log.Printf("Failed to send email to '%s': %v\n", user.Email, errInternal)
@@ -606,3 +648,11 @@ func (s *UserService) ResetProfilePicture(userID string) error {

 	return nil
 }
+
+func (s *UserService) DisableUser(ctx context.Context, userID string, tx *gorm.DB) error {
+	return tx.WithContext(ctx).
+		Model(&model.User{}).
+		Where("id = ?", userID).
+		Update("disabled", true).
+		Error
+}
--- a/backend/internal/service/webauthn_service.go
+++ b/backend/internal/service/webauthn_service.go
@@ -244,6 +244,10 @@ func (s *WebAuthnService) VerifyLogin(ctx context.Context, sessionID string, cre
 		return model.User{}, "", err
 	}

+	if user.Disabled {
+		return model.User{}, "", &common.UserDisabledError{}
+	}
+
 	token, err := s.jwtService.GenerateAccessToken(*user)
 	if err != nil {
 		return model.User{}, "", err
--- a/backend/internal/utils/date_time_util.go
+++ b/backend/internal/utils/date_time_util.go
@@ -0,0 +1,52 @@
+package utils
+
+import (
+	"fmt"
+	"time"
+)
+
+// DurationToString converts a time.Duration to a human-readable string. Respects minutes, hours and days.
+func DurationToString(duration time.Duration) string {
+	// For a duration less than a day
+	if duration < 24*time.Hour {
+		hours := int(duration.Hours())
+		mins := int(duration.Minutes()) % 60
+
+		switch hours {
+		case 0:
+			return fmt.Sprintf("%d minutes", mins)
+		case 1:
+			if mins == 0 {
+				return "1 hour"
+			}
+			return fmt.Sprintf("1 hour and %d minutes", mins)
+		default:
+			if mins == 0 {
+				return fmt.Sprintf("%d hours", hours)
+			}
+			return fmt.Sprintf("%d hours and %d minutes", hours, mins)
+		}
+	} else {
+		// For durations of a day or more
+		days := int(duration.Hours() / 24)
+		hours := int(duration.Hours()) % 24
+
+		switch hours {
+		case 0:
+			if days == 1 {
+				return "1 day"
+			}
+			return fmt.Sprintf("%d days", days)
+		case 1:
+			if days == 1 {
+				return "1 day and 1 hour"
+			}
+			return fmt.Sprintf("%d days and 1 hour", days)
+		default:
+			if days == 1 {
+				return fmt.Sprintf("1 day and %d hours", hours)
+			}
+			return fmt.Sprintf("%d days and %d hours", days, hours)
+		}
+	}
+}
--- a/backend/internal/utils/file_util.go
+++ b/backend/internal/utils/file_util.go
@@ -30,6 +30,8 @@ func GetImageMimeType(ext string) string {
 		return "image/svg+xml"
 	case "ico":
 		return "image/x-icon"
+	case "gif":
+		return "image/gif"
 	default:
 		return ""
 	}
--- a/backend/resources/email-templates/api-key-expiring-soon_html.tmpl
+++ b/backend/resources/email-templates/api-key-expiring-soon_html.tmpl
@@ -0,0 +1,17 @@
+{{ define "base" }}
+    <div class="header">
+        <div class="logo">
+            <img src="{{ .LogoURL }}" alt="{{ .AppName }}" width="32" height="32" style="width: 32px; height: 32px; max-width: 32px;"/>
+            <h1>{{ .AppName }}</h1>
+        </div>
+        <div class="warning">Warning</div>
+    </div>
+    <div class="content">
+        <h2>API Key Expiring Soon</h2>
+        <p>
+            Hello {{ .Data.Name }},<br/><br/>
+            This is a reminder that your API key <strong>{{ .Data.ApiKeyName }}</strong> will expire on <strong>{{ .Data.ExpiresAt.Format "2006-01-02 15:04:05 MST" }}</strong>.<br/><br/>
+            Please generate a new API key if you need continued access.
+        </p>
+    </div>
+{{ end }}
--- a/backend/resources/email-templates/api-key-expiring-soon_text.tmpl
+++ b/backend/resources/email-templates/api-key-expiring-soon_text.tmpl
@@ -0,0 +1,10 @@
+{{ define "base" -}}
+API Key Expiring Soon
+====================
+
+Hello {{ .Data.Name }},
+
+This is a reminder that your API key "{{ .Data.ApiKeyName }}" will expire on {{ .Data.ExpiresAt.Format "2006-01-02 15:04:05 MST" }}.
+
+Please generate a new API key if you need continued access.
+{{ end -}}
--- a/backend/resources/email-templates/one-time-access_html.tmpl
+++ b/backend/resources/email-templates/one-time-access_html.tmpl
@@ -8,7 +8,7 @@
    <div class="content">
        <h2>Login Code</h2>
        <p class="message">
-            Click the button below to sign in to {{ .AppName }} with a login code.</br>Or visit <a href="{{ .Data.LoginLink }}">{{ .Data.LoginLink }}</a> and enter the code <strong>{{ .Data.Code }}</strong>.</br></br>This code expires in 15 minutes.
+            Click the button below to sign in to {{ .AppName }} with a login code.</br>Or visit <a href="{{ .Data.LoginLink }}">{{ .Data.LoginLink }}</a> and enter the code <strong>{{ .Data.Code }}</strong>.</br></br>This code expires in {{.Data.ExpirationString}}.
        </p>
        <div class="button-container">
            <a class="button" href="{{ .Data.LoginLinkWithCode }}" class="button">Sign In</a>
--- a/backend/resources/email-templates/one-time-access_text.tmpl
+++ b/backend/resources/email-templates/one-time-access_text.tmpl
@@ -2,7 +2,7 @@
 Login Code
 ====================

-Click the link below to sign in to {{ .AppName }} with a login code. This code expires in 15 minutes.
+Click the link below to sign in to {{ .AppName }} with a login code. This code expires in {{.Data.ExpirationString}}.

 {{ .Data.LoginLinkWithCode }}

--- a/backend/resources/migrations/postgres/20250412000000_add_user_disabled_field.down.sql
+++ b/backend/resources/migrations/postgres/20250412000000_add_user_disabled_field.down.sql
@@ -0,0 +1,4 @@
+DROP INDEX idx_users_disabled;
+
+ALTER TABLE users
+DROP COLUMN disabled;
--- a/backend/resources/migrations/postgres/20250412000000_add_user_disabled_field.up.sql
+++ b/backend/resources/migrations/postgres/20250412000000_add_user_disabled_field.up.sql
@@ -0,0 +1,2 @@
+ALTER TABLE users
+ADD COLUMN IF NOT EXISTS disabled BOOLEAN DEFAULT FALSE NOT NULL;
--- a/backend/resources/migrations/postgres/20250417120000_add_expiration_email_sent_to_api_keys.down.sql
+++ b/backend/resources/migrations/postgres/20250417120000_add_expiration_email_sent_to_api_keys.down.sql
@@ -0,0 +1,2 @@
+ALTER TABLE api_keys
+DROP COLUMN IF EXISTS expiration_email_sent;
--- a/backend/resources/migrations/postgres/20250417120000_add_expiration_email_sent_to_api_keys.up.sql
+++ b/backend/resources/migrations/postgres/20250417120000_add_expiration_email_sent_to_api_keys.up.sql
@@ -0,0 +1,2 @@
+ALTER TABLE api_keys
+ADD COLUMN expiration_email_sent BOOLEAN NOT NULL DEFAULT FALSE;
--- a/backend/resources/migrations/sqlite/20250412000000_add_user_disabled_field.down.sql
+++ b/backend/resources/migrations/sqlite/20250412000000_add_user_disabled_field.down.sql
@@ -0,0 +1,4 @@
+DROP INDEX idx_users_disabled;
+
+ALTER TABLE users
+DROP COLUMN disabled;
--- a/backend/resources/migrations/sqlite/20250412000000_add_user_disabled_field.up.sql
+++ b/backend/resources/migrations/sqlite/20250412000000_add_user_disabled_field.up.sql
@@ -0,0 +1,2 @@
+ALTER TABLE users
+ADD COLUMN disabled NUMERIC DEFAULT FALSE NOT NULL;
--- a/backend/resources/migrations/sqlite/20250417120000_add_expiration_email_sent_to_api_keys.down.sql
+++ b/backend/resources/migrations/sqlite/20250417120000_add_expiration_email_sent_to_api_keys.down.sql
@@ -0,0 +1,2 @@
+ALTER TABLE api_keys
+DROP COLUMN expiration_email_sent;
--- a/backend/resources/migrations/sqlite/20250417120000_add_expiration_email_sent_to_api_keys.up.sql
+++ b/backend/resources/migrations/sqlite/20250417120000_add_expiration_email_sent_to_api_keys.up.sql
@@ -0,0 +1,2 @@
+ALTER TABLE api_keys
+ADD COLUMN expiration_email_sent BOOLEAN NOT NULL DEFAULT 0;
--- a/frontend/messages/cs-CZ.json
+++ b/frontend/messages/cs-CZ.json
@@ -156,7 +156,7 @@
 	"actions": "Akce",
 	"images_updated_successfully": "Obrázky úspěšně aktualizovány",
 	"general": "Obecné",
-	"enable_email_notifications_to_alert_users_when_a_login_is_detected_from_a_new_device_or_location": "Povolte e-mailová oznámení pro upozornění uživatelů, pokud je zjištěno přihlášení z nového zařízení nebo umístění.",
+	"configure_smtp_to_send_emails": "Enable email notifications to alert users when a login is detected from a new device or location.",
 	"ldap": "LDAP",
 	"configure_ldap_settings_to_sync_users_and_groups_from_an_ldap_server": "Nastavte LDAP pro synchronizaci uživatelů a skupin z LDAP serveru.",
 	"images": "Obrázky",
@@ -180,7 +180,10 @@
 	"enabled_emails": "Povolené e-maily",
 	"email_login_notification": "E-mailovová oznámení o přihlášení",
 	"send_an_email_to_the_user_when_they_log_in_from_a_new_device": "Poslat uživateli e-mail, když se přihlásí z nového zařízení.",
-	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Umožňuje uživatelům přihlásit se pomocí přihlašovacího kódu, který je odeslán na jejich e-mail. To výrazně snižuje bezpečnost, protože každý, kdo má přístup k e-mailu uživatele, může získat vstup.",
+	"emai_login_code_requested_by_user": "Email Login Code Requested by User",
+	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to bypass passkeys by requesting a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"email_login_code_from_admin": "Email Login Code from Admin",
+	"allows_an_admin_to_send_a_login_code_to_the_user": "Allows an admin to send a login code to the user via email.",
 	"send_test_email": "Odeslat testovací e-mail",
 	"application_configuration_updated_successfully": "Nastavení aplikace bylo úspěšně aktualizováno",
 	"application_name": "Název aplikace",
@@ -322,5 +325,22 @@
 	"see_all_account_activities_from_the_last_3_months": "See all user activity for the last 3 months.",
 	"token_sign_in": "Token Sign In",
 	"client_authorization": "Client Authorization",
-	"new_client_authorization": "New Client Authorization"
+	"new_client_authorization": "New Client Authorization",
+	"disable_animations": "Disable Animations",
+	"turn_off_all_animations_throughout_the_admin_ui": "Turn off all animations throughout the Admin UI.",
+	"user_disabled": "Account Disabled",
+	"disabled_users_cannot_log_in_or_use_services": "Disabled users cannot log in or use services.",
+	"user_disabled_successfully": "User has been disabled successfully.",
+	"user_enabled_successfully": "User has been enabled successfully.",
+	"status": "Status",
+	"disable_firstname_lastname": "Disable {firstName} {lastName}",
+	"are_you_sure_you_want_to_disable_this_user": "Are you sure you want to disable this user? They will not be able to log in or access any services.",
+	"ldap_soft_delete_users": "Keep disabled users from LDAP.",
+	"ldap_soft_delete_users_description": "When enabled, users removed from LDAP will be disabled rather than deleted from the system.",
+	"login_code_email_success": "The login code has been sent to the user.",
+	"send_email": "Send Email",
+	"show_code": "Show Code",
+	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
+	"api_key_expiration": "API Key Expiration",
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
 }
--- a/frontend/messages/de-DE.json
+++ b/frontend/messages/de-DE.json
@@ -156,7 +156,7 @@
 	"actions": "Aktionen",
 	"images_updated_successfully": "Bild erfolgreich aktualisiert",
 	"general": "Allgemein",
-	"enable_email_notifications_to_alert_users_when_a_login_is_detected_from_a_new_device_or_location": "Aktiviere E-Mail Benachrichtigungen, um Benutzer zu informieren, wenn ein Login von einem neuen Gerät oder Standort erkannt wird.",
+	"configure_smtp_to_send_emails": "Enable email notifications to alert users when a login is detected from a new device or location.",
 	"ldap": "LDAP",
 	"configure_ldap_settings_to_sync_users_and_groups_from_an_ldap_server": "Konfiguriere LDAP-Einstellungen, um Benutzer und Gruppen von einem LDAP-Server zu synchronisieren.",
 	"images": "Bilder",
@@ -180,7 +180,10 @@
 	"enabled_emails": "E-Mails aktivieren",
 	"email_login_notification": "E-Mail Benachrichtigung bei Login",
 	"send_an_email_to_the_user_when_they_log_in_from_a_new_device": "Sende dem Benutzer eine E-Mail, wenn er sich von einem neuen Gerät aus anmeldet.",
-	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Ermöglicht Benutzer, sich mit einem Login-Code anzumelden, der an ihre E-Mail gesendet wurde. Dies reduziert die Sicherheit erheblich, da jeder, der Zugriff auf die E-Mail des Benutzers hat, Zugang bekommen kann.",
+	"emai_login_code_requested_by_user": "Email Login Code Requested by User",
+	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to bypass passkeys by requesting a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"email_login_code_from_admin": "Email Login Code from Admin",
+	"allows_an_admin_to_send_a_login_code_to_the_user": "Allows an admin to send a login code to the user via email.",
 	"send_test_email": "Test-E-Mail senden",
 	"application_configuration_updated_successfully": "Anwendungskonfiguration erfolgreich aktualisiert",
 	"application_name": "Anwendungsname",
@@ -322,5 +325,22 @@
 	"see_all_account_activities_from_the_last_3_months": "Sieh dir alle Benutzeraktivitäten der letzten 3 Monate an.",
 	"token_sign_in": "Token-Anmeldung",
 	"client_authorization": "Client-Autorisierung",
-	"new_client_authorization": "Neue Client-Autorisierung"
+	"new_client_authorization": "Neue Client-Autorisierung",
+	"disable_animations": "Disable Animations",
+	"turn_off_all_animations_throughout_the_admin_ui": "Turn off all animations throughout the Admin UI.",
+	"user_disabled": "Account Disabled",
+	"disabled_users_cannot_log_in_or_use_services": "Disabled users cannot log in or use services.",
+	"user_disabled_successfully": "User has been disabled successfully.",
+	"user_enabled_successfully": "User has been enabled successfully.",
+	"status": "Status",
+	"disable_firstname_lastname": "Disable {firstName} {lastName}",
+	"are_you_sure_you_want_to_disable_this_user": "Are you sure you want to disable this user? They will not be able to log in or access any services.",
+	"ldap_soft_delete_users": "Keep disabled users from LDAP.",
+	"ldap_soft_delete_users_description": "When enabled, users removed from LDAP will be disabled rather than deleted from the system.",
+	"login_code_email_success": "The login code has been sent to the user.",
+	"send_email": "Send Email",
+	"show_code": "Show Code",
+	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
+	"api_key_expiration": "API Key Expiration",
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
 }
--- a/frontend/messages/en-US.json
+++ b/frontend/messages/en-US.json
@@ -156,7 +156,7 @@
 	"actions": "Actions",
 	"images_updated_successfully": "Images updated successfully",
 	"general": "General",
-	"enable_email_notifications_to_alert_users_when_a_login_is_detected_from_a_new_device_or_location": "Enable email notifications to alert users when a login is detected from a new device or location.",
+	"configure_smtp_to_send_emails": "Enable email notifications to alert users when a login is detected from a new device or location.",
 	"ldap": "LDAP",
 	"configure_ldap_settings_to_sync_users_and_groups_from_an_ldap_server": "Configure LDAP settings to sync users and groups from an LDAP server.",
 	"images": "Images",
@@ -180,7 +180,10 @@
 	"enabled_emails": "Enabled Emails",
 	"email_login_notification": "Email Login Notification",
 	"send_an_email_to_the_user_when_they_log_in_from_a_new_device": "Send an email to the user when they log in from a new device.",
-	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to sign in with a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"emai_login_code_requested_by_user": "Email Login Code Requested by User",
+	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to bypass passkeys by requesting a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"email_login_code_from_admin": "Email Login Code from Admin",
+	"allows_an_admin_to_send_a_login_code_to_the_user": "Allows an admin to send a login code to the user via email.",
 	"send_test_email": "Send test email",
 	"application_configuration_updated_successfully": "Application configuration updated successfully",
 	"application_name": "Application Name",
@@ -324,5 +327,20 @@
 	"client_authorization": "Client Authorization",
 	"new_client_authorization": "New Client Authorization",
 	"disable_animations": "Disable Animations",
-	"turn_off_all_animations_throughout_the_admin_ui": "Turn off all animations throughout the Admin UI"
+	"turn_off_all_animations_throughout_the_admin_ui": "Turn off all animations throughout the Admin UI.",
+	"user_disabled": "Account Disabled",
+	"disabled_users_cannot_log_in_or_use_services": "Disabled users cannot log in or use services.",
+	"user_disabled_successfully": "User has been disabled successfully.",
+	"user_enabled_successfully": "User has been enabled successfully.",
+	"status": "Status",
+	"disable_firstname_lastname": "Disable {firstName} {lastName}",
+	"are_you_sure_you_want_to_disable_this_user": "Are you sure you want to disable this user? They will not be able to log in or access any services.",
+	"ldap_soft_delete_users": "Keep disabled users from LDAP.",
+	"ldap_soft_delete_users_description": "When enabled, users removed from LDAP will be disabled rather than deleted from the system.",
+	"login_code_email_success": "The login code has been sent to the user.",
+	"send_email": "Send Email",
+	"show_code": "Show Code",
+	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
+	"api_key_expiration": "API Key Expiration",
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
 }
--- a/frontend/messages/es-ES.json
+++ b/frontend/messages/es-ES.json
@@ -156,7 +156,7 @@
 	"actions": "Actions",
 	"images_updated_successfully": "Images updated successfully",
 	"general": "General",
-	"enable_email_notifications_to_alert_users_when_a_login_is_detected_from_a_new_device_or_location": "Enable email notifications to alert users when a login is detected from a new device or location.",
+	"configure_smtp_to_send_emails": "Enable email notifications to alert users when a login is detected from a new device or location.",
 	"ldap": "LDAP",
 	"configure_ldap_settings_to_sync_users_and_groups_from_an_ldap_server": "Configure LDAP settings to sync users and groups from an LDAP server.",
 	"images": "Images",
@@ -180,7 +180,10 @@
 	"enabled_emails": "Enabled Emails",
 	"email_login_notification": "Email Login Notification",
 	"send_an_email_to_the_user_when_they_log_in_from_a_new_device": "Send an email to the user when they log in from a new device.",
-	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to sign in with a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"emai_login_code_requested_by_user": "Email Login Code Requested by User",
+	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to bypass passkeys by requesting a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"email_login_code_from_admin": "Email Login Code from Admin",
+	"allows_an_admin_to_send_a_login_code_to_the_user": "Allows an admin to send a login code to the user via email.",
 	"send_test_email": "Send test email",
 	"application_configuration_updated_successfully": "Application configuration updated successfully",
 	"application_name": "Application Name",
@@ -322,5 +325,22 @@
 	"see_all_account_activities_from_the_last_3_months": "See all user activity for the last 3 months.",
 	"token_sign_in": "Token Sign In",
 	"client_authorization": "Client Authorization",
-	"new_client_authorization": "New Client Authorization"
+	"new_client_authorization": "New Client Authorization",
+	"disable_animations": "Disable Animations",
+	"turn_off_all_animations_throughout_the_admin_ui": "Turn off all animations throughout the Admin UI.",
+	"user_disabled": "Account Disabled",
+	"disabled_users_cannot_log_in_or_use_services": "Disabled users cannot log in or use services.",
+	"user_disabled_successfully": "User has been disabled successfully.",
+	"user_enabled_successfully": "User has been enabled successfully.",
+	"status": "Status",
+	"disable_firstname_lastname": "Disable {firstName} {lastName}",
+	"are_you_sure_you_want_to_disable_this_user": "Are you sure you want to disable this user? They will not be able to log in or access any services.",
+	"ldap_soft_delete_users": "Keep disabled users from LDAP.",
+	"ldap_soft_delete_users_description": "When enabled, users removed from LDAP will be disabled rather than deleted from the system.",
+	"login_code_email_success": "The login code has been sent to the user.",
+	"send_email": "Send Email",
+	"show_code": "Show Code",
+	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
+	"api_key_expiration": "API Key Expiration",
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
 }
--- a/frontend/messages/fr-FR.json
+++ b/frontend/messages/fr-FR.json
@@ -156,7 +156,7 @@
 	"actions": "Actions",
 	"images_updated_successfully": "Image mise à jour avec succès",
 	"general": "Général",
-	"enable_email_notifications_to_alert_users_when_a_login_is_detected_from_a_new_device_or_location": "Activer les notifications par e-mail pour alerter les utilisateurs lorsqu'une connexion est détecté à partir d'un nouvel appareil ou d'un nouvel emplacement.",
+	"configure_smtp_to_send_emails": "Enable email notifications to alert users when a login is detected from a new device or location.",
 	"ldap": "LDAP",
 	"configure_ldap_settings_to_sync_users_and_groups_from_an_ldap_server": "Configurer les paramètres LDAP pour synchroniser les utilisateurs et les groupes à partir d'un serveur LDAP.",
 	"images": "Images",
@@ -180,7 +180,10 @@
 	"enabled_emails": "Emails activés",
 	"email_login_notification": "Notification de connexion par e-mail",
 	"send_an_email_to_the_user_when_they_log_in_from_a_new_device": "Envoyer un email à l'utilisateur lorsqu'il se connecte à partir d'un nouvel appareil.",
-	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Permet aux utilisateurs de se connecter avec un code de connexion envoyé à leur adresse e-mail. Cela réduit considérablement la sécurité car toute personne ayant accès à l'e-mail de l'utilisateur peuvent se connecter.",
+	"emai_login_code_requested_by_user": "Email Login Code Requested by User",
+	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to bypass passkeys by requesting a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"email_login_code_from_admin": "Email Login Code from Admin",
+	"allows_an_admin_to_send_a_login_code_to_the_user": "Allows an admin to send a login code to the user via email.",
 	"send_test_email": "",
 	"application_configuration_updated_successfully": "Mise à jour de l'application avec succès",
 	"application_name": "Nom de l'application",
@@ -322,5 +325,22 @@
 	"see_all_account_activities_from_the_last_3_months": "See all user activity for the last 3 months.",
 	"token_sign_in": "Token Sign In",
 	"client_authorization": "Client Authorization",
-	"new_client_authorization": "New Client Authorization"
+	"new_client_authorization": "New Client Authorization",
+	"disable_animations": "Disable Animations",
+	"turn_off_all_animations_throughout_the_admin_ui": "Turn off all animations throughout the Admin UI.",
+	"user_disabled": "Account Disabled",
+	"disabled_users_cannot_log_in_or_use_services": "Disabled users cannot log in or use services.",
+	"user_disabled_successfully": "User has been disabled successfully.",
+	"user_enabled_successfully": "User has been enabled successfully.",
+	"status": "Status",
+	"disable_firstname_lastname": "Disable {firstName} {lastName}",
+	"are_you_sure_you_want_to_disable_this_user": "Are you sure you want to disable this user? They will not be able to log in or access any services.",
+	"ldap_soft_delete_users": "Keep disabled users from LDAP.",
+	"ldap_soft_delete_users_description": "When enabled, users removed from LDAP will be disabled rather than deleted from the system.",
+	"login_code_email_success": "The login code has been sent to the user.",
+	"send_email": "Send Email",
+	"show_code": "Show Code",
+	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
+	"api_key_expiration": "API Key Expiration",
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
 }
--- a/frontend/messages/it-IT.json
+++ b/frontend/messages/it-IT.json
@@ -0,0 +1,346 @@
+{
+	"$schema": "https://inlang.com/schema/inlang-message-format",
+	"my_account": "Il mio account",
+	"logout": "Disconnetti",
+	"confirm": "Conferma",
+	"key": "Chiave",
+	"value": "Valore",
+	"remove_custom_claim": "Rimuovi attributo personalizzato",
+	"add_custom_claim": "Aggiungi attributo personalizzato",
+	"add_another": "Aggiungi altro",
+	"select_a_date": "Seleziona una data",
+	"select_file": "Seleziona File",
+	"profile_picture": "Immagine del profilo",
+	"profile_picture_is_managed_by_ldap_server": "L'immagine del profilo è gestita dal server LDAP e non può essere modificata qui.",
+	"click_profile_picture_to_upload_custom": "Clicca sull'immagine del profilo per caricarne una personalizzata dai tuoi file.",
+	"image_should_be_in_format": "L'immagine deve essere in formato PNG o JPEG.",
+	"items_per_page": "Elementi per pagina",
+	"no_items_found": "Nessun elemento trovato",
+	"search": "Cerca...",
+	"expand_card": "Espandi scheda",
+	"copied": "Copiato",
+	"click_to_copy": "Clicca per copiare",
+	"something_went_wrong": "Qualcosa è andato storto",
+	"go_back_to_home": "Torna alla home",
+	"dont_have_access_to_your_passkey": "Non hai accesso alla tua passkey?",
+	"login_background": "Sfondo di accesso",
+	"logo": "Logo",
+	"login_code": "Codice di accesso",
+	"create_a_login_code_to_sign_in_without_a_passkey_once": "Crea un codice di accesso che l'utente può utilizzare per accedere una volta senza passkey.",
+	"one_hour": "1 ora",
+	"twelve_hours": "12 ore",
+	"one_day": "1 giorno",
+	"one_week": "1 settimana",
+	"one_month": "1 mese",
+	"expiration": "Scadenza",
+	"generate_code": "Genera Codice",
+	"name": "Nome",
+	"browser_unsupported": "Browser non supportato",
+	"this_browser_does_not_support_passkeys": "Questo browser non supporta le passkey. Si prega di utilizzare un metodo di accesso alternativo.",
+	"an_unknown_error_occurred": "Si è verificato un errore sconosciuto",
+	"authentication_process_was_aborted": "Il processo di autenticazione è stato interrotto",
+	"error_occurred_with_authenticator": "Si è verificato un errore con l'autenticatore",
+	"authenticator_does_not_support_discoverable_credentials": "L'autenticatore non supporta le credenziali rilevabili",
+	"authenticator_does_not_support_resident_keys": "L'autenticatore non supporta le chiavi residenti",
+	"passkey_was_previously_registered": "Questa passkey è stata registrata in precedenza",
+	"authenticator_does_not_support_any_of_the_requested_algorithms": "L'autenticatore non supporta nessuno degli algoritmi richiesti",
+	"authenticator_timed_out": "L'autenticatore ha superato il tempo limite",
+	"critical_error_occurred_contact_administrator": "Si è verificato un errore critico. Contatta il tuo amministratore.",
+	"sign_in_to": "Accedi a {name}",
+	"client_not_found": "Client non trovato",
+	"client_wants_to_access_the_following_information": "<b>{client}</b> vuole accedere alle seguenti informazioni:",
+	"do_you_want_to_sign_in_to_client_with_your_app_name_account": "Vuoi accedere a <b>{client}</b> con il tuo account <b>{appName}</b>?",
+	"email": "Email",
+	"view_your_email_address": "Visualizza il tuo indirizzo email",
+	"profile": "Profilo",
+	"view_your_profile_information": "Visualizza le informazioni del tuo profilo",
+	"groups": "Gruppi",
+	"view_the_groups_you_are_a_member_of": "Visualizza i gruppi di cui sei membro",
+	"cancel": "Annulla",
+	"sign_in": "Accedi",
+	"try_again": "Riprova",
+	"client_logo": "Logo del client",
+	"sign_out": "Disconnetti",
+	"do_you_want_to_sign_out_of_pocketid_with_the_account": "Vuoi disconnetterti da Pocket ID con l'account <b>{username}</b>?",
+	"sign_in_to_appname": "Accedi a {appName}",
+	"please_try_to_sign_in_again": "Per favore, prova ad accedere di nuovo.",
+	"authenticate_yourself_with_your_passkey_to_access_the_admin_panel": "Autenticati con la tua passkey per accedere al pannello di amministrazione.",
+	"authenticate": "Autentica",
+	"appname_setup": "Configurazione di {appName}",
+	"please_try_again": "Per favore, riprova.",
+	"you_are_about_to_sign_in_to_the_initial_admin_account": "Stai per accedere all'account amministratore iniziale. Chiunque abbia questo link può accedere all'account finché non viene aggiunta una passkey. Configura una passkey il prima possibile per prevenire accessi non autorizzati.",
+	"continue": "Continua",
+	"alternative_sign_in": "Accesso Alternativo",
+	"if_you_do_not_have_access_to_your_passkey_you_can_sign_in_using_one_of_the_following_methods": "Se non hai accesso alla tua passkey, puoi accedere utilizzando uno dei seguenti metodi.",
+	"use_your_passkey_instead": "Usare invece la tua passkey?",
+	"email_login": "Accesso Email",
+	"enter_a_login_code_to_sign_in": "Inserisci un codice di accesso per accedere.",
+	"request_a_login_code_via_email": "Richiedi un codice di accesso via email.",
+	"go_back": "Torna indietro",
+	"an_email_has_been_sent_to_the_provided_email_if_it_exists_in_the_system": "È stata inviata un'email all'indirizzo fornito, se esiste nel sistema.",
+	"enter_code": "Inserisci codice",
+	"enter_your_email_address_to_receive_an_email_with_a_login_code": "Inserisci il tuo indirizzo email per ricevere un'email con un codice di accesso.",
+	"your_email": "La tua email",
+	"submit": "Invia",
+	"enter_the_code_you_received_to_sign_in": "Inserisci il codice che hai ricevuto per accedere.",
+	"code": "Codice",
+	"invalid_redirect_url": "URL di reindirizzamento non valido",
+	"audit_log": "Registro attività",
+	"users": "Utenti",
+	"user_groups": "Gruppi di utenti",
+	"oidc_clients": "Client OIDC",
+	"api_keys": "Chiavi API",
+	"application_configuration": "Configurazione dell'applicazione",
+	"settings": "Impostazioni",
+	"update_pocket_id": "Aggiorna Pocket ID",
+	"powered_by": "Alimentato da",
+	"see_your_account_activities_from_the_last_3_months": "Visualizza le attività del tuo account degli ultimi 3 mesi.",
+	"time": "Ora",
+	"event": "Evento",
+	"approximate_location": "Posizione approssimativa",
+	"ip_address": "Indirizzo IP",
+	"device": "Dispositivo",
+	"client": "Client",
+	"unknown": "Sconosciuto",
+	"account_details_updated_successfully": "Dettagli dell'account aggiornati con successo",
+	"profile_picture_updated_successfully": "Immagine del profilo aggiornata con successo. Potrebbero essere necessari alcuni minuti per l'aggiornamento.",
+	"account_settings": "Impostazioni account",
+	"passkey_missing": "Passkey mancante",
+	"please_provide_a_passkey_to_prevent_losing_access_to_your_account": "Aggiungi una passkey per evitare di perdere l'accesso al tuo account.",
+	"single_passkey_configured": "Singola Passkey Configurata",
+	"it_is_recommended_to_add_more_than_one_passkey": "Si consiglia di aggiungere più di una passkey per evitare di perdere l'accesso al tuo account.",
+	"account_details": "Dettagli account",
+	"passkeys": "Passkey",
+	"manage_your_passkeys_that_you_can_use_to_authenticate_yourself": "Gestisci le tue passkey che puoi utilizzare per autenticarti.",
+	"add_passkey": "Aggiungi Passkey",
+	"create_a_one_time_login_code_to_sign_in_from_a_different_device_without_a_passkey": "Crea un codice di accesso monouso per accedere da un dispositivo diverso senza una passkey.",
+	"create": "Crea",
+	"first_name": "Nome",
+	"last_name": "Cognome",
+	"username": "Nome utente",
+	"save": "Salva",
+	"username_can_only_contain": "Il nome utente può contenere solo lettere minuscole, numeri, underscore, punti, trattini e simboli '@'",
+	"sign_in_using_the_following_code_the_code_will_expire_in_minutes": "Accedi utilizzando il seguente codice. Il codice scadrà tra 15 minuti.",
+	"or_visit": "o visita",
+	"added_on": "Aggiunto il",
+	"rename": "Rinomina",
+	"delete": "Elimina",
+	"are_you_sure_you_want_to_delete_this_passkey": "Sei sicuro di voler eliminare questa passkey?",
+	"passkey_deleted_successfully": "Passkey eliminata con successo",
+	"delete_passkey_name": "Elimina {passkeyName}",
+	"passkey_name_updated_successfully": "Nome della passkey aggiornato con successo",
+	"name_passkey": "Nome Passkey",
+	"name_your_passkey_to_easily_identify_it_later": "Dai un nome alla tua passkey per identificarla facilmente in seguito.",
+	"create_api_key": "Crea Chiave API",
+	"add_a_new_api_key_for_programmatic_access": "Aggiungi una nuova chiave API per l'accesso programmatico.",
+	"add_api_key": "Aggiungi Chiave API",
+	"manage_api_keys": "Gestisci Chiavi API",
+	"api_key_created": "Chiave API Creata",
+	"for_security_reasons_this_key_will_only_be_shown_once": "Per motivi di sicurezza, questa chiave verrà mostrata solo una volta. Conservala in modo sicuro.",
+	"description": "Descrizione",
+	"api_key": "Chiave API",
+	"close": "Chiudi",
+	"name_to_identify_this_api_key": "Nome per identificare questa chiave API.",
+	"expires_at": "Scade il",
+	"when_this_api_key_will_expire": "Quando scadrà questa chiave API.",
+	"optional_description_to_help_identify_this_keys_purpose": "Descrizione opzionale per aiutare a identificare lo scopo di questa chiave.",
+	"name_must_be_at_least_3_characters": "Il nome deve essere di almeno 3 caratteri",
+	"name_cannot_exceed_50_characters": "Il nome non può superare i 50 caratteri",
+	"expiration_date_must_be_in_the_future": "La data di scadenza deve essere nel futuro",
+	"revoke_api_key": "Revoca Chiave API",
+	"never": "Mai",
+	"revoke": "Revoca",
+	"api_key_revoked_successfully": "Chiave API revocata con successo",
+	"are_you_sure_you_want_to_revoke_the_api_key_apikeyname": "Sei sicuro di voler revocare la chiave API \"{apiKeyName}\"? Questo comprometterà qualsiasi integrazione che utilizza questa chiave.",
+	"last_used": "Ultimo utilizzo",
+	"actions": "Azioni",
+	"images_updated_successfully": "Immagini aggiornate con successo",
+	"general": "Generale",
+	"configure_smtp_to_send_emails": "Enable email notifications to alert users when a login is detected from a new device or location.",
+	"ldap": "LDAP",
+	"configure_ldap_settings_to_sync_users_and_groups_from_an_ldap_server": "Configura le impostazioni LDAP per sincronizzare utenti e gruppi da un server LDAP.",
+	"images": "Immagini",
+	"update": "Aggiorna",
+	"email_configuration_updated_successfully": "Configurazione email aggiornata con successo",
+	"save_changes_question": "Salvare le modifiche?",
+	"you_have_to_save_the_changes_before_sending_a_test_email_do_you_want_to_save_now": "Devi salvare le modifiche prima di inviare un'email di prova. Vuoi salvare ora?",
+	"save_and_send": "Salva e invia",
+	"test_email_sent_successfully": "Email di prova inviata con successo al tuo indirizzo email.",
+	"failed_to_send_test_email": "Impossibile inviare l'email di prova. Controlla i log del server per maggiori informazioni.",
+	"smtp_configuration": "Configurazione SMTP",
+	"smtp_host": "Host SMTP",
+	"smtp_port": "Porta SMTP",
+	"smtp_user": "Utente SMTP",
+	"smtp_password": "Password SMTP",
+	"smtp_from": "Da SMTP",
+	"smtp_tls_option": "Opzione TLS SMTP",
+	"email_tls_option": "Opzione TLS Email",
+	"skip_certificate_verification": "Salta Verifica Certificato",
+	"this_can_be_useful_for_selfsigned_certificates": "Questo può essere utile per i certificati autofirmati.",
+	"enabled_emails": "Email Abilitate",
+	"email_login_notification": "Notifica Accesso Email",
+	"send_an_email_to_the_user_when_they_log_in_from_a_new_device": "Invia un'email all'utente quando accede da un nuovo dispositivo.",
+	"emai_login_code_requested_by_user": "Email Login Code Requested by User",
+	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to bypass passkeys by requesting a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"email_login_code_from_admin": "Email Login Code from Admin",
+	"allows_an_admin_to_send_a_login_code_to_the_user": "Allows an admin to send a login code to the user via email.",
+	"send_test_email": "Invia email di prova",
+	"application_configuration_updated_successfully": "Configurazione dell'applicazione aggiornata con successo",
+	"application_name": "Nome dell'applicazione",
+	"session_duration": "Durata della sessione",
+	"the_duration_of_a_session_in_minutes_before_the_user_has_to_sign_in_again": "La durata di una sessione in minuti prima che l'utente debba accedere nuovamente.",
+	"enable_self_account_editing": "Abilita modifica del proprio account",
+	"whether_the_users_should_be_able_to_edit_their_own_account_details": "Se gli utenti dovrebbero essere in grado di modificare i dettagli del proprio account.",
+	"emails_verified": "Email verificate",
+	"whether_the_users_email_should_be_marked_as_verified_for_the_oidc_clients": "Se l'email dell'utente deve essere contrassegnata come verificata per i client OIDC.",
+	"ldap_configuration_updated_successfully": "Configurazione LDAP aggiornata con successo",
+	"ldap_disabled_successfully": "LDAP disabilitato con successo",
+	"ldap_sync_finished": "Sincronizzazione LDAP completata",
+	"client_configuration": "Configurazione client",
+	"ldap_url": "URL LDAP",
+	"ldap_bind_dn": "LDAP Bind DN",
+	"ldap_bind_password": "Password LDAP Bind",
+	"ldap_base_dn": "LDAP Base DN",
+	"user_search_filter": "Filtro di ricerca utente",
+	"the_search_filter_to_use_to_search_or_sync_users": "Il filtro di ricerca da utilizzare per cercare/sincronizzare gli utenti.",
+	"groups_search_filter": "Filtro di ricerca gruppi",
+	"the_search_filter_to_use_to_search_or_sync_groups": "Il filtro di ricerca da utilizzare per cercare/sincronizzare i gruppi.",
+	"attribute_mapping": "Mappatura attributi",
+	"user_unique_identifier_attribute": "Attributo identificativo univoco utente",
+	"the_value_of_this_attribute_should_never_change": "Il valore di questo attributo non dovrebbe mai cambiare.",
+	"username_attribute": "Attributo nome utente",
+	"user_mail_attribute": "Attributo email utente",
+	"user_first_name_attribute": "Attributo nome utente",
+	"user_last_name_attribute": "Attributo cognome utente",
+	"user_profile_picture_attribute": "Attributo immagine profilo utente",
+	"the_value_of_this_attribute_can_either_be_a_url_binary_or_base64_encoded_image": "Il valore di questo attributo può essere un URL, un'immagine binaria o codificata in base64.",
+	"group_members_attribute": "Attributo membri del gruppo",
+	"the_attribute_to_use_for_querying_members_of_a_group": "L'attributo da utilizzare per interrogare i membri di un gruppo.",
+	"group_unique_identifier_attribute": "Attributo identificativo univoco gruppo",
+	"group_name_attribute": "Attributo nome gruppo",
+	"admin_group_name": "Nome gruppo amministratori",
+	"members_of_this_group_will_have_admin_privileges_in_pocketid": "I membri di questo gruppo avranno privilegi di amministratore in Pocket ID.",
+	"disable": "Disabilita",
+	"sync_now": "Sincronizza ora",
+	"enable": "Abilita",
+	"user_created_successfully": "Utente creato con successo",
+	"create_user": "Crea Utente",
+	"add_a_new_user_to_appname": "Aggiungi un nuovo utente a {appName}",
+	"add_user": "Aggiungi Utente",
+	"manage_users": "Gestisci Utenti",
+	"admin_privileges": "Privilegi amministratore",
+	"admins_have_full_access_to_the_admin_panel": "Gli amministratori hanno pieno accesso al pannello di amministrazione.",
+	"delete_firstname_lastname": "Elimina {firstName} {lastName}",
+	"are_you_sure_you_want_to_delete_this_user": "Sei sicuro di voler eliminare questo utente?",
+	"user_deleted_successfully": "Utente eliminato con successo",
+	"role": "Ruolo",
+	"source": "Origine",
+	"admin": "Amministratore",
+	"user": "Utente",
+	"local": "Locale",
+	"toggle_menu": "Attiva/disattiva menu",
+	"edit": "Modifica",
+	"user_groups_updated_successfully": "Gruppi utente aggiornati con successo",
+	"user_updated_successfully": "Utente aggiornato con successo",
+	"custom_claims_updated_successfully": "Attributi personalizzati aggiornati con successo",
+	"back": "Indietro",
+	"user_details_firstname_lastname": "Dettagli utente {firstName} {lastName}",
+	"manage_which_groups_this_user_belongs_to": "Gestisci a quali gruppi appartiene questo utente.",
+	"custom_claims": "Attributi personalizzati",
+	"custom_claims_are_key_value_pairs_that_can_be_used_to_store_additional_information_about_a_user": "Gli attributi personalizzati sono coppie chiave-valore che possono essere utilizzate per memorizzare informazioni aggiuntive su un utente. Questi attributi saranno inclusi nel token ID se viene richiesto lo scope 'profile'.",
+	"user_group_created_successfully": "Gruppo utente creato con successo",
+	"create_user_group": "Crea Gruppo Utente",
+	"create_a_new_group_that_can_be_assigned_to_users": "Crea un nuovo gruppo che può essere assegnato agli utenti.",
+	"add_group": "Aggiungi Gruppo",
+	"manage_user_groups": "Gestisci Gruppi Utente",
+	"friendly_name": "Nome amichevole",
+	"name_that_will_be_displayed_in_the_ui": "Nome che verrà visualizzato nell'interfaccia utente",
+	"name_that_will_be_in_the_groups_claim": "Nome che sarà nell'attributo \"groups\"",
+	"delete_name": "Elimina {name}",
+	"are_you_sure_you_want_to_delete_this_user_group": "Sei sicuro di voler eliminare questo gruppo utente?",
+	"user_group_deleted_successfully": "Gruppo utente eliminato con successo",
+	"user_count": "Numero utenti",
+	"user_group_updated_successfully": "Gruppo utente aggiornato con successo",
+	"users_updated_successfully": "Utenti aggiornati con successo",
+	"user_group_details_name": "Dettagli gruppo utente {name}",
+	"assign_users_to_this_group": "Assegna utenti a questo gruppo.",
+	"custom_claims_are_key_value_pairs_that_can_be_used_to_store_additional_information_about_a_user_prioritized": "Gli attributi personalizzati sono coppie chiave-valore che possono essere utilizzate per memorizzare informazioni aggiuntive su un utente. Questi attributi saranno inclusi nel token ID se viene richiesto lo scope 'profile'. Gli attributi personalizzati definiti sull'utente avranno priorità in caso di conflitti.",
+	"oidc_client_created_successfully": "Client OIDC creato con successo",
+	"create_oidc_client": "Crea Client OIDC",
+	"add_a_new_oidc_client_to_appname": "Aggiungi un nuovo client OIDC a {appName}.",
+	"add_oidc_client": "Aggiungi Client OIDC",
+	"manage_oidc_clients": "Gestisci Client OIDC",
+	"one_time_link": "Link monouso",
+	"use_this_link_to_sign_in_once": "Usa questo link per accedere una volta. Necessario per gli utenti che non hanno ancora aggiunto una passkey o l'hanno persa.",
+	"add": "Aggiungi",
+	"callback_urls": "URL di callback",
+	"logout_callback_urls": "URL di callback per il logout",
+	"public_client": "Client pubblico",
+	"public_clients_do_not_have_a_client_secret_and_use_pkce_instead": "I client pubblici non hanno un client secret e utilizzano PKCE. Abilita questa opzione se il tuo client è una SPA o un'app mobile.",
+	"pkce": "PKCE",
+	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Il Public Key Code Exchange è una funzionalità di sicurezza per prevenire attacchi CSRF e intercettazione del codice di autorizzazione.",
+	"name_logo": "Logo di {name}",
+	"change_logo": "Cambia Logo",
+	"upload_logo": "Carica Logo",
+	"remove_logo": "Rimuovi Logo",
+	"are_you_sure_you_want_to_delete_this_oidc_client": "Sei sicuro di voler eliminare questo client OIDC?",
+	"oidc_client_deleted_successfully": "Client OIDC eliminato con successo",
+	"authorization_url": "URL di autorizzazione",
+	"oidc_discovery_url": "URL di discovery OIDC",
+	"token_url": "URL del token",
+	"userinfo_url": "URL delle informazioni utente",
+	"logout_url": "URL di logout",
+	"certificate_url": "URL del certificato",
+	"enabled": "Abilitato",
+	"disabled": "Disabilitato",
+	"oidc_client_updated_successfully": "Client OIDC aggiornato con successo",
+	"create_new_client_secret": "Crea nuovo client secret",
+	"are_you_sure_you_want_to_create_a_new_client_secret": "Sei sicuro di voler creare un nuovo client secret? Quello vecchio sarà invalidato.",
+	"generate": "Genera",
+	"new_client_secret_created_successfully": "Nuovo client secret creato con successo",
+	"allowed_user_groups_updated_successfully": "Gruppi utente consentiti aggiornati con successo",
+	"oidc_client_name": "Client OIDC {name}",
+	"client_id": "ID client",
+	"client_secret": "Client secret",
+	"show_more_details": "Mostra più dettagli",
+	"allowed_user_groups": "Gruppi utente consentiti",
+	"add_user_groups_to_this_client_to_restrict_access_to_users_in_these_groups": "Aggiungi gruppi utente a questo client per limitare l'accesso agli utenti in questi gruppi. Se non viene selezionato alcun gruppo utente, tutti gli utenti avranno accesso a questo client.",
+	"favicon": "Favicon",
+	"light_mode_logo": "Logo modalità chiara",
+	"dark_mode_logo": "Logo modalità scura",
+	"background_image": "Immagine di sfondo",
+	"language": "Lingua",
+	"reset_profile_picture_question": "Reimpostare l'immagine del profilo?",
+	"this_will_remove_the_uploaded_image_and_reset_the_profile_picture_to_default": "Questo rimuoverà l'immagine caricata e reimposterà l'immagine del profilo a quella predefinita. Vuoi continuare?",
+	"reset": "Reimposta",
+	"reset_to_default": "Ripristina valori predefiniti",
+	"profile_picture_has_been_reset": "L'immagine del profilo è stata reimpostata. Potrebbero essere necessari alcuni minuti per l'aggiornamento.",
+	"select_the_language_you_want_to_use": "Seleziona la lingua che desideri utilizzare. Alcune lingue potrebbero non essere completamente tradotte.",
+	"personal": "Personale",
+	"global": "Globale",
+	"all_users": "Tutti gli utenti",
+	"all_events": "Tutti gli eventi",
+	"all_clients": "Tutti i client",
+	"global_audit_log": "Registro attività globale",
+	"see_all_account_activities_from_the_last_3_months": "Visualizza tutte le attività degli utenti degli ultimi 3 mesi.",
+	"token_sign_in": "Accesso con token",
+	"client_authorization": "Autorizzazione client",
+	"new_client_authorization": "Nuova autorizzazione client",
+	"disable_animations": "Disabilita animazioni",
+	"turn_off_all_animations_throughout_the_admin_ui": "Disattiva tutte le animazioni nell'interfaccia di amministrazione.",
+	"user_disabled": "Account disabilitato",
+	"disabled_users_cannot_log_in_or_use_services": "Gli utenti disabilitati non possono accedere o utilizzare i servizi.",
+	"user_disabled_successfully": "Utente disabilitato con successo.",
+	"user_enabled_successfully": "Utente abilitato con successo.",
+	"status": "Stato",
+	"disable_firstname_lastname": "Disabilita {firstName} {lastName}",
+	"are_you_sure_you_want_to_disable_this_user": "Sei sicuro di voler disabilitare questo utente? Non sarà in grado di accedere o utilizzare qualsiasi servizio.",
+	"ldap_soft_delete_users": "Mantieni gli utenti disabilitati da LDAP.",
+	"ldap_soft_delete_users_description": "Se abilitato, gli utenti rimossi da LDAP saranno disabilitati invece che cancellati dal sistema.",
+	"login_code_email_success": "The login code has been sent to the user.",
+	"send_email": "Send Email",
+	"show_code": "Show Code",
+	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
+	"api_key_expiration": "API Key Expiration",
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
+}
--- a/frontend/messages/nl-NL.json
+++ b/frontend/messages/nl-NL.json
@@ -156,7 +156,7 @@
 	"actions": "Acties",
 	"images_updated_successfully": "Afbeeldingen succesvol bijgewerkt",
 	"general": "Algemeen",
-	"enable_email_notifications_to_alert_users_when_a_login_is_detected_from_a_new_device_or_location": "Schakel e-mailmeldingen in om gebruikers te waarschuwen wanneer er wordt ingelogd vanaf een nieuw apparaat of een nieuwe locatie.",
+	"configure_smtp_to_send_emails": "Enable email notifications to alert users when a login is detected from a new device or location.",
 	"ldap": "LDAP",
 	"configure_ldap_settings_to_sync_users_and_groups_from_an_ldap_server": "Configureer LDAP-instellingen om gebruikers en groepen vanaf een LDAP-server te synchroniseren.",
 	"images": "Afbeeldingen",
@@ -180,7 +180,10 @@
 	"enabled_emails": "Ingeschakelde e-mails",
 	"email_login_notification": "E-mail-inlogmelding",
 	"send_an_email_to_the_user_when_they_log_in_from_a_new_device": "Stuur een e-mail naar de gebruiker wanneer deze zich aanmeldt vanaf een nieuw apparaat.",
-	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Hiermee kunnen gebruikers inloggen met een inlogcode die naar hun e-mail is gestuurd. Dit vermindert de beveiliging aanzienlijk, omdat iedereen met toegang tot de e-mail van de gebruiker toegang kan krijgen.",
+	"emai_login_code_requested_by_user": "Email Login Code Requested by User",
+	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to bypass passkeys by requesting a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"email_login_code_from_admin": "Email Login Code from Admin",
+	"allows_an_admin_to_send_a_login_code_to_the_user": "Allows an admin to send a login code to the user via email.",
 	"send_test_email": "Test-e-mail verzenden",
 	"application_configuration_updated_successfully": "Toepassingsconfiguratie succesvol bijgewerkt",
 	"application_name": "Toepassingsnaam",
@@ -322,5 +325,22 @@
 	"see_all_account_activities_from_the_last_3_months": "Bekijk alle gebruikersactiviteit van de afgelopen 3 maanden.",
 	"token_sign_in": "Token Sign In",
 	"client_authorization": "Client autorisatie",
-	"new_client_authorization": "Nieuwe clientautorisatie"
+	"new_client_authorization": "Nieuwe clientautorisatie",
+	"disable_animations": "Disable Animations",
+	"turn_off_all_animations_throughout_the_admin_ui": "Turn off all animations throughout the Admin UI.",
+	"user_disabled": "Account Disabled",
+	"disabled_users_cannot_log_in_or_use_services": "Disabled users cannot log in or use services.",
+	"user_disabled_successfully": "User has been disabled successfully.",
+	"user_enabled_successfully": "User has been enabled successfully.",
+	"status": "Status",
+	"disable_firstname_lastname": "Disable {firstName} {lastName}",
+	"are_you_sure_you_want_to_disable_this_user": "Are you sure you want to disable this user? They will not be able to log in or access any services.",
+	"ldap_soft_delete_users": "Keep disabled users from LDAP.",
+	"ldap_soft_delete_users_description": "When enabled, users removed from LDAP will be disabled rather than deleted from the system.",
+	"login_code_email_success": "The login code has been sent to the user.",
+	"send_email": "Send Email",
+	"show_code": "Show Code",
+	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
+	"api_key_expiration": "API Key Expiration",
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
 }
--- a/frontend/messages/pt-BR.json
+++ b/frontend/messages/pt-BR.json
@@ -156,7 +156,7 @@
 	"actions": "Ações",
 	"images_updated_successfully": "Imagens atualizadas com sucesso",
 	"general": "Geral",
-	"enable_email_notifications_to_alert_users_when_a_login_is_detected_from_a_new_device_or_location": "Enable email notifications to alert users when a login is detected from a new device or location.",
+	"configure_smtp_to_send_emails": "Enable email notifications to alert users when a login is detected from a new device or location.",
 	"ldap": "LDAP",
 	"configure_ldap_settings_to_sync_users_and_groups_from_an_ldap_server": "Configure LDAP settings to sync users and groups from an LDAP server.",
 	"images": "Imagens",
@@ -180,7 +180,10 @@
 	"enabled_emails": "Enabled Emails",
 	"email_login_notification": "Email Login Notification",
 	"send_an_email_to_the_user_when_they_log_in_from_a_new_device": "Send an email to the user when they log in from a new device.",
-	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to sign in with a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"emai_login_code_requested_by_user": "Email Login Code Requested by User",
+	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to bypass passkeys by requesting a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"email_login_code_from_admin": "Email Login Code from Admin",
+	"allows_an_admin_to_send_a_login_code_to_the_user": "Allows an admin to send a login code to the user via email.",
 	"send_test_email": "Send test email",
 	"application_configuration_updated_successfully": "Application configuration updated successfully",
 	"application_name": "Application Name",
@@ -322,5 +325,22 @@
 	"see_all_account_activities_from_the_last_3_months": "See all user activity for the last 3 months.",
 	"token_sign_in": "Token Sign In",
 	"client_authorization": "Client Authorization",
-	"new_client_authorization": "New Client Authorization"
+	"new_client_authorization": "New Client Authorization",
+	"disable_animations": "Disable Animations",
+	"turn_off_all_animations_throughout_the_admin_ui": "Turn off all animations throughout the Admin UI.",
+	"user_disabled": "Account Disabled",
+	"disabled_users_cannot_log_in_or_use_services": "Disabled users cannot log in or use services.",
+	"user_disabled_successfully": "User has been disabled successfully.",
+	"user_enabled_successfully": "User has been enabled successfully.",
+	"status": "Status",
+	"disable_firstname_lastname": "Disable {firstName} {lastName}",
+	"are_you_sure_you_want_to_disable_this_user": "Are you sure you want to disable this user? They will not be able to log in or access any services.",
+	"ldap_soft_delete_users": "Keep disabled users from LDAP.",
+	"ldap_soft_delete_users_description": "When enabled, users removed from LDAP will be disabled rather than deleted from the system.",
+	"login_code_email_success": "The login code has been sent to the user.",
+	"send_email": "Send Email",
+	"show_code": "Show Code",
+	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
+	"api_key_expiration": "API Key Expiration",
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
 }
--- a/frontend/messages/pt-PT.json
+++ b/frontend/messages/pt-PT.json
@@ -156,7 +156,7 @@
 	"actions": "Actions",
 	"images_updated_successfully": "Images updated successfully",
 	"general": "General",
-	"enable_email_notifications_to_alert_users_when_a_login_is_detected_from_a_new_device_or_location": "Enable email notifications to alert users when a login is detected from a new device or location.",
+	"configure_smtp_to_send_emails": "Enable email notifications to alert users when a login is detected from a new device or location.",
 	"ldap": "LDAP",
 	"configure_ldap_settings_to_sync_users_and_groups_from_an_ldap_server": "Configure LDAP settings to sync users and groups from an LDAP server.",
 	"images": "Images",
@@ -180,7 +180,10 @@
 	"enabled_emails": "Enabled Emails",
 	"email_login_notification": "Email Login Notification",
 	"send_an_email_to_the_user_when_they_log_in_from_a_new_device": "Send an email to the user when they log in from a new device.",
-	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to sign in with a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"emai_login_code_requested_by_user": "Email Login Code Requested by User",
+	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to bypass passkeys by requesting a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"email_login_code_from_admin": "Email Login Code from Admin",
+	"allows_an_admin_to_send_a_login_code_to_the_user": "Allows an admin to send a login code to the user via email.",
 	"send_test_email": "Send test email",
 	"application_configuration_updated_successfully": "Application configuration updated successfully",
 	"application_name": "Application Name",
@@ -322,5 +325,22 @@
 	"see_all_account_activities_from_the_last_3_months": "See all user activity for the last 3 months.",
 	"token_sign_in": "Token Sign In",
 	"client_authorization": "Client Authorization",
-	"new_client_authorization": "New Client Authorization"
+	"new_client_authorization": "New Client Authorization",
+	"disable_animations": "Disable Animations",
+	"turn_off_all_animations_throughout_the_admin_ui": "Turn off all animations throughout the Admin UI.",
+	"user_disabled": "Account Disabled",
+	"disabled_users_cannot_log_in_or_use_services": "Disabled users cannot log in or use services.",
+	"user_disabled_successfully": "User has been disabled successfully.",
+	"user_enabled_successfully": "User has been enabled successfully.",
+	"status": "Status",
+	"disable_firstname_lastname": "Disable {firstName} {lastName}",
+	"are_you_sure_you_want_to_disable_this_user": "Are you sure you want to disable this user? They will not be able to log in or access any services.",
+	"ldap_soft_delete_users": "Keep disabled users from LDAP.",
+	"ldap_soft_delete_users_description": "When enabled, users removed from LDAP will be disabled rather than deleted from the system.",
+	"login_code_email_success": "The login code has been sent to the user.",
+	"send_email": "Send Email",
+	"show_code": "Show Code",
+	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
+	"api_key_expiration": "API Key Expiration",
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
 }
--- a/frontend/messages/ru-RU.json
+++ b/frontend/messages/ru-RU.json
@@ -156,7 +156,7 @@
 	"actions": "Действия",
 	"images_updated_successfully": "Изображения успешно обновлены",
 	"general": "Основное",
-	"enable_email_notifications_to_alert_users_when_a_login_is_detected_from_a_new_device_or_location": "Включить уведомления пользователей по электронной почте при обнаружении логина с нового устройства или локации.",
+	"configure_smtp_to_send_emails": "Enable email notifications to alert users when a login is detected from a new device or location.",
 	"ldap": "LDAP",
 	"configure_ldap_settings_to_sync_users_and_groups_from_an_ldap_server": "Настроить конфигурацию LDAP для синхронизации пользователей и групп с сервером LDAP.",
 	"images": "Изображения",
@@ -180,7 +180,10 @@
 	"enabled_emails": "Отправляемые письма",
 	"email_login_notification": "Уведомление о логине по электронной почте",
 	"send_an_email_to_the_user_when_they_log_in_from_a_new_device": "Отправлять пользователю письмо при входе с нового устройства.",
-	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Позволяет пользователям войти с помощью кода входа, отправленного на их электронную почту. Это значительно снижает безопасность так как любой человек, имеющий доступ к электронной почте пользователя, сможет получить доступ.",
+	"emai_login_code_requested_by_user": "Email Login Code Requested by User",
+	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to bypass passkeys by requesting a login code sent to their email. This reduces the security significantly as anyone with access to the user's email can gain entry.",
+	"email_login_code_from_admin": "Email Login Code from Admin",
+	"allows_an_admin_to_send_a_login_code_to_the_user": "Allows an admin to send a login code to the user via email.",
 	"send_test_email": "Отправить тестовое письмо",
 	"application_configuration_updated_successfully": "Конфигурация приложения успешно обновлена",
 	"application_name": "Название приложения",
@@ -322,5 +325,22 @@
 	"see_all_account_activities_from_the_last_3_months": "Смотрите всю активность пользователей за последние 3 месяца.",
 	"token_sign_in": "Вход с помощью токена",
 	"client_authorization": "Авторизация в клиенте",
-	"new_client_authorization": "Новая авторизация в клиенте"
+	"new_client_authorization": "Новая авторизация в клиенте",
+	"disable_animations": "Отключить анимации",
+	"turn_off_all_animations_throughout_the_admin_ui": "Выключить все анимации в интерфейсе администратора.",
+	"user_disabled": "Аккаунт отключен",
+	"disabled_users_cannot_log_in_or_use_services": "Отключенные пользователи не могут войти или использовать сервисы.",
+	"user_disabled_successfully": "Пользователь успешно отключен.",
+	"user_enabled_successfully": "Пользователь успешно включен.",
+	"status": "Статус",
+	"disable_firstname_lastname": "Отключить {firstName} {lastName}",
+	"are_you_sure_you_want_to_disable_this_user": "Вы уверены, что хотите отключить этого пользователя? Они не смогут войти в систему или получить доступ к любым сервисам.",
+	"ldap_soft_delete_users": "Оставить отключенных пользователей от LDAP.",
+	"ldap_soft_delete_users_description": "Когда включено, пользователи удалённые из LDAP будут отключены вместо удаления из системы.",
+	"login_code_email_success": "The login code has been sent to the user.",
+	"send_email": "Send Email",
+	"show_code": "Show Code",
+	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
+	"api_key_expiration": "API Key Expiration",
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
 }
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "pocket-id-frontend",
-  "version": "0.47.0",
+  "version": "0.49.0",
  "private": true,
  "type": "module",
  "scripts": {
--- a/frontend/project.inlang/settings.json
+++ b/frontend/project.inlang/settings.json
@@ -1,7 +1,7 @@
 {
 	"$schema": "https://inlang.com/schema/project-settings",
 	"baseLocale": "en-US",
-	"locales": ["en-US", "nl-NL", "ru-RU", "de-DE", "fr-FR", "cs-CZ", "pt-BR"],
+	"locales": ["en-US", "nl-NL", "ru-RU", "de-DE", "fr-FR", "cs-CZ", "pt-BR", "it-IT"],
 	"modules": [
 		"./node_modules/@inlang/plugin-message-format/dist/index.js",
 		"./node_modules/@inlang/plugin-m-function-matcher/dist/index.js"
--- a/frontend/src/lib/components/one-time-link-modal.svelte
+++ b/frontend/src/lib/components/one-time-link-modal.svelte
@@ -9,8 +9,10 @@
 	import { Separator } from '$lib/components/ui/separator';
 	import { m } from '$lib/paraglide/messages';
 	import UserService from '$lib/services/user-service';
+	import appConfigStore from '$lib/stores/application-configuration-store';
 	import { axiosErrorToast } from '$lib/utils/error-util';
 	import { mode } from 'mode-watcher';
+	import { toast } from 'svelte-sonner';

 	let {
 		userId = $bindable()
@@ -32,7 +34,7 @@
 		[m.one_month()]: 60 * 60 * 24 * 30
 	};

-	async function createOneTimeAccessToken() {
+	async function createLoginCode() {
 		try {
 			const expiration = new Date(Date.now() + availableExpirations[selectedExpiration] * 1000);
 			code = await userService.createOneTimeAccessToken(expiration, userId!);
@@ -42,6 +44,17 @@
 		}
 	}

+	async function sendLoginCodeEmail() {
+		try {
+			const expiration = new Date(Date.now() + availableExpirations[selectedExpiration] * 1000);
+			await userService.requestOneTimeAccessEmailAsAdmin(userId!, expiration);
+			toast.success(m.login_code_email_success());
+			onOpenChange(false);
+		} catch (e) {
+			axiosErrorToast(e);
+		}
+	}
+
 	function onOpenChange(open: boolean) {
 		if (!open) {
 			oneTimeLink = null;
@@ -81,13 +94,20 @@
 					</Select.Content>
 				</Select.Root>
 			</div>
-			<Button
-				onclick={() => createOneTimeAccessToken()}
-				disabled={!selectedExpiration}
-				class="mt-2 w-full"
-			>
-				{m.generate_code()}
-			</Button>
+			<Dialog.Footer class="mt-2">
+				{#if $appConfigStore.emailOneTimeAccessAsAdminEnabled}
+					<Button
+						onclick={() => sendLoginCodeEmail()}
+						variant="secondary"
+						disabled={!selectedExpiration}
+					>
+						{m.send_email()}
+					</Button>
+				{/if}
+				<Button onclick={() => createLoginCode()} disabled={!selectedExpiration}
+					>{m.show_code()}</Button
+				>
+			</Dialog.Footer>
 		{:else}
 			<div class="flex flex-col items-center gap-2">
 				<CopyToClipboard value={code!}>
--- a/frontend/src/lib/components/ui/command/command-empty.svelte
+++ b/frontend/src/lib/components/ui/command/command-empty.svelte
@@ -1,9 +1,10 @@
 <script lang="ts">
 	import { Command as CommandPrimitive } from "cmdk-sv";
 	import { cn } from "$lib/utils/style.js";
+	import type { ClassValue } from "svelte/elements";

 	type $$Props = CommandPrimitive.EmptyProps;
-	let className: string | undefined | null = undefined;
+	let className: ClassValue | undefined | null = undefined;
 	export { className as class };
 </script>

--- a/frontend/src/lib/components/ui/command/command-group.svelte
+++ b/frontend/src/lib/components/ui/command/command-group.svelte
@@ -1,9 +1,10 @@
 <script lang="ts">
 	import { Command as CommandPrimitive } from "cmdk-sv";
 	import { cn } from "$lib/utils/style.js";
+	import type { ClassValue } from "svelte/elements";
 	type $$Props = CommandPrimitive.GroupProps;

-	let className: string | undefined | null = undefined;
+	let className: ClassValue | undefined | null = undefined;
 	export { className as class };
 </script>

--- a/frontend/src/lib/components/ui/command/command-item.svelte
+++ b/frontend/src/lib/components/ui/command/command-item.svelte
@@ -1,12 +1,13 @@
 <script lang="ts">
 	import { Command as CommandPrimitive } from "cmdk-sv";
 	import { cn } from "$lib/utils/style.js";
+	import type { ClassValue } from "svelte/elements";

 	type $$Props = CommandPrimitive.ItemProps;

 	export let asChild = false;

-	let className: string | undefined | null = undefined;
+	let className: ClassValue | undefined | null = undefined;
 	export { className as class };
 </script>

--- a/frontend/src/lib/components/ui/command/command-list.svelte
+++ b/frontend/src/lib/components/ui/command/command-list.svelte
@@ -1,9 +1,10 @@
 <script lang="ts">
 	import { Command as CommandPrimitive } from "cmdk-sv";
 	import { cn } from "$lib/utils/style.js";
+	import type { ClassValue } from "svelte/elements";

 	type $$Props = CommandPrimitive.ListProps;
-	let className: string | undefined | null = undefined;
+	let className: ClassValue | undefined | null = undefined;
 	export { className as class };
 </script>

--- a/frontend/src/lib/components/ui/command/command-separator.svelte
+++ b/frontend/src/lib/components/ui/command/command-separator.svelte
@@ -1,9 +1,10 @@
 <script lang="ts">
 	import { Command as CommandPrimitive } from "cmdk-sv";
 	import { cn } from "$lib/utils/style.js";
+	import type { ClassValue } from "svelte/elements";

 	type $$Props = CommandPrimitive.SeparatorProps;
-	let className: string | undefined | null = undefined;
+	let className: ClassValue | undefined | null = undefined;
 	export { className as class };
 </script>

--- a/frontend/src/lib/components/ui/command/command-shortcut.svelte
+++ b/frontend/src/lib/components/ui/command/command-shortcut.svelte
@@ -1,10 +1,10 @@
 <script lang="ts">
-	import type { HTMLAttributes } from "svelte/elements";
+	import type { ClassValue, HTMLAttributes } from "svelte/elements";
 	import { cn } from "$lib/utils/style.js";

 	type $$Props = HTMLAttributes<HTMLSpanElement>;

-	let className: string | undefined | null = undefined;
+	let className: ClassValue | undefined | null = undefined;
 	export { className as class };
 </script>

--- a/frontend/src/lib/components/ui/command/command.svelte
+++ b/frontend/src/lib/components/ui/command/command.svelte
@@ -1,12 +1,13 @@
 <script lang="ts">
 	import { Command as CommandPrimitive } from "cmdk-sv";
 	import { cn } from "$lib/utils/style.js";
+	import type { ClassValue } from "svelte/elements";

 	type $$Props = CommandPrimitive.CommandProps;

 	export let value: $$Props["value"] = undefined;

-	let className: string | undefined | null = undefined;
+	let className: ClassValue | undefined | null = undefined;
 	export { className as class };
 </script>

--- a/frontend/src/lib/services/user-service.ts
+++ b/frontend/src/lib/services/user-service.ts
@@ -87,10 +87,14 @@ export default class UserService extends APIService {
 		return res.data as User;
 	}

-	async requestOneTimeAccessEmail(email: string, redirectPath?: string) {
+	async requestOneTimeAccessEmailAsUnauthenticatedUser(email: string, redirectPath?: string) {
 		await this.api.post('/one-time-access-email', { email, redirectPath });
 	}

+	async requestOneTimeAccessEmailAsAdmin(userId: string, expiresAt: Date) {
+		await this.api.post(`/users/${userId}/one-time-access-email`, { expiresAt });
+	}
+
 	async updateUserGroups(id: string, userGroupIds: string[]) {
 		const res = await this.api.put(`/users/${id}/user-groups`, { userGroupIds });
 		return res.data as User;
--- a/frontend/src/lib/types/application-configuration.ts
+++ b/frontend/src/lib/types/application-configuration.ts
@@ -1,7 +1,8 @@
 export type AppConfig = {
 	appName: string;
 	allowOwnAccountEdit: boolean;
-	emailOneTimeAccessEnabled: boolean;
+	emailOneTimeAccessAsUnauthenticatedEnabled: boolean;
+	emailOneTimeAccessAsAdminEnabled: boolean;
 	ldapEnabled: boolean;
 	disableAnimations: boolean;
 };
@@ -19,6 +20,7 @@ export type AllAppConfig = AppConfig & {
 	smtpTls: 'none' | 'starttls' | 'tls';
 	smtpSkipCertVerify: boolean;
 	emailLoginNotificationEnabled: boolean;
+	emailApiKeyExpirationEnabled: boolean;
 	// LDAP
 	ldapUrl: string;
 	ldapBindDn: string;
@@ -37,6 +39,7 @@ export type AllAppConfig = AppConfig & {
 	ldapAttributeGroupUniqueIdentifier: string;
 	ldapAttributeGroupName: string;
 	ldapAttributeAdminGroup: string;
+	ldapSoftDeleteUsers: boolean;
 };

 export type AppConfigRawResponse = {
--- a/frontend/src/lib/types/user.type.ts
+++ b/frontend/src/lib/types/user.type.ts
@@ -13,6 +13,7 @@ export type User = {
 	customClaims: CustomClaim[];
 	locale?: Locale;
 	ldapId?: string;
+	disabled?: boolean;
 };

 export type UserCreate = Omit<User, 'id' | 'customClaims' | 'ldapId' | 'userGroups'>;
--- a/frontend/src/lib/utils/error-util.ts
+++ b/frontend/src/lib/utils/error-util.ts
@@ -14,7 +14,10 @@ export function getAxiosErrorMessage(
 	return message;
 }

-export function axiosErrorToast(e: unknown, defaultMessage: string = m.an_unknown_error_occurred()) {
+export function axiosErrorToast(
+	e: unknown,
+	defaultMessage: string = m.an_unknown_error_occurred()
+) {
 	const message = getAxiosErrorMessage(e, defaultMessage);
 	toast.error(message);
 }
@@ -29,7 +32,8 @@ export function getWebauthnErrorMessage(e: unknown) {
 			m.authenticator_does_not_support_resident_keys(),
 		ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED: m.passkey_was_previously_registered(),
 		ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG:
-			m.authenticator_does_not_support_any_of_the_requested_algorithms()
+			m.authenticator_does_not_support_any_of_the_requested_algorithms(),
+		ERROR_USER_DISABLED_MSG: m.user_disabled()
 	};

 	let message = m.an_unknown_error_occurred();
--- a/frontend/src/routes/authorize/+page.svelte
+++ b/frontend/src/routes/authorize/+page.svelte
@@ -2,6 +2,7 @@
 	import SignInWrapper from '$lib/components/login-wrapper.svelte';
 	import { Button } from '$lib/components/ui/button';
 	import * as Card from '$lib/components/ui/card';
+	import { m } from '$lib/paraglide/messages';
 	import OidcService from '$lib/services/oidc-service';
 	import WebAuthnService from '$lib/services/webauthn-service';
 	import appConfigStore from '$lib/stores/application-configuration-store';
@@ -14,7 +15,6 @@
 	import type { PageData } from './$types';
 	import ClientProviderImages from './components/client-provider-images.svelte';
 	import ScopeItem from './components/scope-item.svelte';
-	import { m } from '$lib/paraglide/messages';

 	const webauthnService = new WebAuthnService();
 	const oidService = new OidcService();
@@ -84,7 +84,7 @@
 {#if client == null}
 	<p>{m.client_not_found()}</p>
 {:else}
-	<SignInWrapper animate showAlternativeSignInMethodButton>
+	<SignInWrapper animate={!$appConfigStore.disableAnimations} showAlternativeSignInMethodButton={$userStore == null}>
 		<ClientProviderImages {client} {success} error={!!errorMessage} />
 		<h1 class="font-playfair mt-5 text-3xl font-bold sm:text-4xl">
 			{m.sign_in_to({ name: client.name })}
--- a/frontend/src/routes/login/alternative/+page.svelte
+++ b/frontend/src/routes/login/alternative/+page.svelte
@@ -17,7 +17,7 @@
 		}
 	];

-	if ($appConfigStore.emailOneTimeAccessEnabled) {
+	if ($appConfigStore.emailOneTimeAccessAsUnauthenticatedEnabled) {
 		methods.push({
 			icon: LucideMail,
 			title: m.email_login(),
--- a/frontend/src/routes/login/alternative/email/+page.svelte
+++ b/frontend/src/routes/login/alternative/email/+page.svelte
@@ -20,7 +20,7 @@
 	async function requestEmail() {
 		isLoading = true;
 		await userService
-			.requestOneTimeAccessEmail(email, data.redirect)
+			.requestOneTimeAccessEmailAsUnauthenticatedUser(email, data.redirect)
 			.then(() => (success = true))
 			.catch((e) => (error = e.response?.data.error || m.an_unknown_error_occurred()));

--- a/frontend/src/routes/logout/+page.svelte
+++ b/frontend/src/routes/logout/+page.svelte
@@ -5,6 +5,7 @@
 	import { Button } from '$lib/components/ui/button';
 	import { m } from '$lib/paraglide/messages';
 	import WebAuthnService from '$lib/services/webauthn-service';
+	import appConfigStore from '$lib/stores/application-configuration-store';
 	import userStore from '$lib/stores/user-store.js';
 	import { axiosErrorToast } from '$lib/utils/error-util.js';

@@ -26,7 +27,7 @@
 	<title>{m.logout()}</title>
 </svelte:head>

-<SignInWrapper animate>
+<SignInWrapper animate={!$appConfigStore.disableAnimations}>
 	<div class="flex justify-center">
 		<div class="bg-muted rounded-2xl p-3">
 			<Logo class="h-10 w-10" />
--- a/frontend/src/routes/settings/account/locale-picker.svelte
+++ b/frontend/src/routes/settings/account/locale-picker.svelte
@@ -14,15 +14,16 @@
 		'fr-FR': 'Français',
 		'nl-NL': 'Nederlands',
 		'pt-BR': 'Português brasileiro',
-		'ru-RU': 'Русский'
+		'ru-RU': 'Русский',
+		'it-IT': 'Italiano'
 	};

-	function updateLocale(locale: Locale) {
-		setLocale(locale);
-		userService.updateCurrent({
+	async function updateLocale(locale: Locale) {
+		await userService.updateCurrent({
 			...$userStore!,
 			locale
 		});
+		setLocale(locale);
 	}
 </script>

--- a/frontend/src/routes/settings/admin/application-configuration/+page.svelte
+++ b/frontend/src/routes/settings/admin/application-configuration/+page.svelte
@@ -73,7 +73,7 @@
 		id="application-configuration-email"
 		icon={Mail}
 		title={m.email()}
-		description={m.enable_email_notifications_to_alert_users_when_a_login_is_detected_from_a_new_device_or_location()}
+		description={m.configure_smtp_to_send_emails()}
 	>
 		<AppConfigEmailForm {appConfig} callback={updateAppConfig} />
 	</CollapsibleCard>
--- a/frontend/src/routes/settings/admin/application-configuration/application-image.svelte
+++ b/frontend/src/routes/settings/admin/application-configuration/application-image.svelte
@@ -11,7 +11,7 @@
 		label,
 		image = $bindable(),
 		imageURL,
-		accept = 'image/png, image/jpeg, image/svg+xml',
+		accept = 'image/png, image/jpeg, image/svg+xml, image/gif',
 		forceColorScheme,
 		...restProps
 	}: HTMLAttributes<HTMLDivElement> & {
--- a/frontend/src/routes/settings/admin/application-configuration/forms/app-config-email-form.svelte
+++ b/frontend/src/routes/settings/admin/application-configuration/forms/app-config-email-form.svelte
@@ -39,8 +39,10 @@
 		smtpFrom: z.string().email(),
 		smtpTls: z.enum(['none', 'starttls', 'tls']),
 		smtpSkipCertVerify: z.boolean(),
-		emailOneTimeAccessEnabled: z.boolean(),
-		emailLoginNotificationEnabled: z.boolean()
+		emailOneTimeAccessAsUnauthenticatedEnabled: z.boolean(),
+		emailOneTimeAccessAsAdminEnabled: z.boolean(),
+		emailLoginNotificationEnabled: z.boolean(),
+		emailApiKeyExpirationEnabled: z.boolean()
 	});

 	const { inputs, ...form } = createForm<typeof formSchema>(formSchema, appConfig);
@@ -88,9 +90,7 @@
 		await appConfigService
 			.sendTestEmail()
 			.then(() => toast.success(m.test_email_sent_successfully()))
-			.catch(() =>
-				toast.error(m.failed_to_send_test_email())
-			)
+			.catch(() => toast.error(m.failed_to_send_test_email()))
 			.finally(() => (isSendingTestEmail = false));
 	}
 </script>
@@ -135,11 +135,24 @@
 				description={m.send_an_email_to_the_user_when_they_log_in_from_a_new_device()}
 				bind:checked={$inputs.emailLoginNotificationEnabled.value}
 			/>
+
 			<CheckboxWithLabel
-				id="email-login"
-				label={m.email_login()}
+				id="email-login-admin"
+				label={m.email_login_code_from_admin()}
+				description={m.allows_an_admin_to_send_a_login_code_to_the_user()}
+				bind:checked={$inputs.emailOneTimeAccessAsAdminEnabled.value}
+			/>
+			<CheckboxWithLabel
+				id="api-key-expiration"
+				label={m.api_key_expiration()}
+				description={m.send_an_email_to_the_user_when_their_api_key_is_about_to_expire()}
+				bind:checked={$inputs.emailApiKeyExpirationEnabled.value}
+			/>
+			<CheckboxWithLabel
+				id="email-login-user"
+				label={m.emai_login_code_requested_by_user()}
 				description={m.allow_users_to_sign_in_with_a_login_code_sent_to_their_email()}
-				bind:checked={$inputs.emailOneTimeAccessEnabled.value}
+				bind:checked={$inputs.emailOneTimeAccessAsUnauthenticatedEnabled.value}
 			/>
 		</div>
 	</fieldset>
--- a/frontend/src/routes/settings/admin/application-configuration/forms/app-config-ldap-form.svelte
+++ b/frontend/src/routes/settings/admin/application-configuration/forms/app-config-ldap-form.svelte
@@ -43,7 +43,8 @@
 		ldapAttributeGroupMember: appConfig.ldapAttributeGroupMember,
 		ldapAttributeGroupUniqueIdentifier: appConfig.ldapAttributeGroupUniqueIdentifier,
 		ldapAttributeGroupName: appConfig.ldapAttributeGroupName,
-		ldapAttributeAdminGroup: appConfig.ldapAttributeAdminGroup
+		ldapAttributeAdminGroup: appConfig.ldapAttributeAdminGroup,
+		ldapSoftDeleteUsers: appConfig.ldapSoftDeleteUsers || true
 	};

 	const formSchema = z.object({
@@ -63,7 +64,8 @@
 		ldapAttributeGroupMember: z.string(),
 		ldapAttributeGroupUniqueIdentifier: z.string().min(1),
 		ldapAttributeGroupName: z.string().min(1),
-		ldapAttributeAdminGroup: z.string()
+		ldapAttributeAdminGroup: z.string(),
+		ldapSoftDeleteUsers: z.boolean()
 	});

 	const { inputs, ...form } = createForm<typeof formSchema>(formSchema, updatedAppConfig);
@@ -116,7 +118,11 @@
 				placeholder="cn=people,dc=example,dc=com"
 				bind:input={$inputs.ldapBindDn}
 			/>
-			<FormInput label={m.ldap_bind_password()} type="password" bind:input={$inputs.ldapBindPassword} />
+			<FormInput
+				label={m.ldap_bind_password()}
+				type="password"
+				bind:input={$inputs.ldapBindPassword}
+			/>
 			<FormInput
 				label={m.ldap_base_dn()}
 				placeholder="dc=example,dc=com"
@@ -140,6 +146,12 @@
 				description={m.this_can_be_useful_for_selfsigned_certificates()}
 				bind:checked={$inputs.ldapSkipCertVerify.value}
 			/>
+			<CheckboxWithLabel
+				id="ldap-soft-delete-users"
+				label={m.ldap_soft_delete_users()}
+				description={m.ldap_soft_delete_users_description()}
+				bind:checked={$inputs.ldapSoftDeleteUsers.value}
+			/>
 		</div>
 		<h4 class="mt-10 text-lg font-semibold">{m.attribute_mapping()}</h4>
 		<div class="mt-4 grid grid-cols-1 items-end gap-5 md:grid-cols-2">
@@ -203,7 +215,9 @@

 	<div class="mt-8 flex flex-wrap justify-end gap-3">
 		{#if ldapEnabled}
-			<Button variant="secondary" onclick={onDisable} disabled={uiConfigDisabled}>{m.disable()}</Button>
+			<Button variant="secondary" onclick={onDisable} disabled={uiConfigDisabled}
+				>{m.disable()}</Button
+			>
 			<Button variant="secondary" onclick={syncLdap} isLoading={ldapSyncing}>{m.sync_now()}</Button>
 			<Button type="submit" disabled={uiConfigDisabled}>{m.save()}</Button>
 		{:else}
--- a/frontend/src/routes/settings/admin/oidc-clients/oidc-callback-url-input.svelte
+++ b/frontend/src/routes/settings/admin/oidc-clients/oidc-callback-url-input.svelte
@@ -20,12 +20,10 @@
 		allowEmpty?: boolean;
 		children?: Snippet;
 	} = $props();
-
-	const limit = 20;
 </script>

 <div {...restProps}>
-	<FormInput {label}>
+	<FormInput {label} description={m.callback_url_description()}>
 		<div class="flex flex-col gap-y-2">
 			{#each callbackURLs as _, i}
 				<div class="flex gap-x-2">
@@ -46,15 +44,13 @@
 	{#if error}
 		<p class="mt-1 text-sm text-red-500">{error}</p>
 	{/if}
-	{#if callbackURLs.length < limit}
-		<Button
-			class="mt-2"
-			variant="secondary"
-			size="sm"
-			on:click={() => (callbackURLs = [...callbackURLs, ''])}
-		>
-			<LucidePlus class="mr-1 h-4 w-4" />
-			{callbackURLs.length === 0 ? m.add() : m.add_another()}
-		</Button>
-	{/if}
+	<Button
+		class="mt-2"
+		variant="secondary"
+		size="sm"
+		on:click={() => (callbackURLs = [...callbackURLs, ''])}
+	>
+		<LucidePlus class="mr-1 h-4 w-4" />
+		{callbackURLs.length === 0 ? m.add() : m.add_another()}
+	</Button>
 </div>
--- a/frontend/src/routes/settings/admin/oidc-clients/oidc-client-form.svelte
+++ b/frontend/src/routes/settings/admin/oidc-clients/oidc-client-form.svelte
@@ -4,6 +4,7 @@
 	import FormInput from '$lib/components/form/form-input.svelte';
 	import { Button } from '$lib/components/ui/button';
 	import Label from '$lib/components/ui/label/label.svelte';
+	import { m } from '$lib/paraglide/messages';
 	import type {
 		OidcClient,
 		OidcClientCreate,
@@ -12,7 +13,6 @@
 	import { createForm } from '$lib/utils/form-util';
 	import { z } from 'zod';
 	import OidcCallbackUrlInput from './oidc-callback-url-input.svelte';
-	import { m } from '$lib/paraglide/messages';

 	let {
 		callback,
@@ -38,8 +38,8 @@

 	const formSchema = z.object({
 		name: z.string().min(2).max(50),
-		callbackURLs: z.array(z.string()).nonempty(),
-		logoutCallbackURLs: z.array(z.string()),
+		callbackURLs: z.array(z.string().nonempty()).nonempty(),
+		logoutCallbackURLs: z.array(z.string().nonempty()),
 		isPublic: z.boolean(),
 		pkceEnabled: z.boolean()
 	});
@@ -79,7 +79,7 @@
 </script>

 <form onsubmit={onSubmit}>
-	<div class="grid grid-cols-1 md:grid-cols-2 gap-x-3 gap-y-7 sm:flex-row">
+	<div class="grid grid-cols-1 gap-x-3 gap-y-7 sm:flex-row md:grid-cols-2">
 		<FormInput label={m.name()} class="w-full" bind:input={$inputs.name} />
 		<div></div>
 		<OidcCallbackUrlInput
@@ -120,7 +120,7 @@
 					<img
 						class="m-auto max-h-full max-w-full object-contain"
 						src={logoDataURL}
-						alt={m.name_logo({name: $inputs.name.value})}
+						alt={m.name_logo({ name: $inputs.name.value })}
 					/>
 				</div>
 			{/if}
--- a/frontend/src/routes/settings/admin/users/user-form.svelte
+++ b/frontend/src/routes/settings/admin/users/user-form.svelte
@@ -24,7 +24,8 @@
 		lastName: existingUser?.lastName || '',
 		email: existingUser?.email || '',
 		username: existingUser?.username || '',
-		isAdmin: existingUser?.isAdmin || false
+		isAdmin: existingUser?.isAdmin || false,
+		disabled: existingUser?.disabled || false
 	};

 	const formSchema = z.object({
@@ -34,12 +35,10 @@
 			.string()
 			.min(2)
 			.max(30)
-			.regex(
-				/^[a-z0-9_@.-]+$/,
-				m.username_can_only_contain()
-			),
+			.regex(/^[a-z0-9_@.-]+$/, m.username_can_only_contain()),
 		email: z.string().email(),
-		isAdmin: z.boolean()
+		isAdmin: z.boolean(),
+		disabled: z.boolean()
 	});
 	type FormSchema = typeof formSchema;

@@ -68,6 +67,12 @@
 				description={m.admins_have_full_access_to_the_admin_panel()}
 				bind:checked={$inputs.isAdmin.value}
 			/>
+			<CheckboxWithLabel
+				id="user-disabled"
+				label={m.user_disabled()}
+				description={m.disabled_users_cannot_log_in_or_use_services()}
+				bind:checked={$inputs.disabled.value}
+			/>
 		</div>
 		<div class="mt-5 flex justify-end">
 			<Button {isLoading} type="submit">{m.save()}</Button>
--- a/frontend/src/routes/settings/admin/users/user-list.svelte
+++ b/frontend/src/routes/settings/admin/users/user-list.svelte
@@ -2,20 +2,26 @@
 	import { goto } from '$app/navigation';
 	import AdvancedTable from '$lib/components/advanced-table.svelte';
 	import { openConfirmDialog } from '$lib/components/confirm-dialog/';
+	import OneTimeLinkModal from '$lib/components/one-time-link-modal.svelte';
 	import { Badge } from '$lib/components/ui/badge/index';
 	import { buttonVariants } from '$lib/components/ui/button';
 	import * as DropdownMenu from '$lib/components/ui/dropdown-menu';
 	import * as Table from '$lib/components/ui/table';
+	import { m } from '$lib/paraglide/messages';
 	import UserService from '$lib/services/user-service';
 	import appConfigStore from '$lib/stores/application-configuration-store';
 	import type { Paginated, SearchPaginationSortRequest } from '$lib/types/pagination.type';
 	import type { User } from '$lib/types/user.type';
 	import { axiosErrorToast } from '$lib/utils/error-util';
-	import { LucideLink, LucidePencil, LucideTrash } from 'lucide-svelte';
+	import {
+		LucideLink,
+		LucidePencil,
+		LucideTrash,
+		LucideUserCheck,
+		LucideUserX
+	} from 'lucide-svelte';
 	import Ellipsis from 'lucide-svelte/icons/ellipsis';
 	import { toast } from 'svelte-sonner';
-	import OneTimeLinkModal from '$lib/components/one-time-link-modal.svelte';
-	import { m } from '$lib/paraglide/messages';

 	let {
 		users = $bindable(),
@@ -28,7 +34,7 @@

 	async function deleteUser(user: User) {
 		openConfirmDialog({
-			title: m.delete_firstname_lastname({firstName: user.firstName, lastName: user.lastName}),
+			title: m.delete_firstname_lastname({ firstName: user.firstName, lastName: user.lastName }),
 			message: m.are_you_sure_you_want_to_delete_this_user(),
 			confirm: {
 				label: m.delete(),
@@ -45,6 +51,42 @@
 			}
 		});
 	}
+
+	async function enableUser(user: User) {
+		await userService
+			.update(user.id, {
+				...user,
+				disabled: false
+			})
+			.then(() => {
+				toast.success(m.user_enabled_successfully());
+				userService.list(requestOptions!).then((updatedUsers) => (users = updatedUsers));
+			})
+			.catch(axiosErrorToast);
+	}
+
+	async function disableUser(user: User) {
+		openConfirmDialog({
+			title: m.disable_firstname_lastname({ firstName: user.firstName, lastName: user.lastName }),
+			message: m.are_you_sure_you_want_to_disable_this_user(),
+			confirm: {
+				label: m.disable(),
+				destructive: true,
+				action: async () => {
+					try {
+						await userService.update(user.id, {
+							...user,
+							disabled: true
+						});
+						users = await userService.list(requestOptions!);
+						toast.success(m.user_disabled_successfully());
+					} catch (e) {
+						axiosErrorToast(e);
+					}
+				}
+			}
+		});
+	}
 </script>

 <AdvancedTable
@@ -57,7 +99,8 @@
 		{ label: m.email(), sortColumn: 'email' },
 		{ label: m.username(), sortColumn: 'username' },
 		{ label: m.role(), sortColumn: 'isAdmin' },
-		...($appConfigStore.ldapEnabled ? [{ label: m.source()}] : []),
+		{ label: m.status(), sortColumn: 'disabled' },
+		...($appConfigStore.ldapEnabled ? [{ label: m.source() }] : []),
 		{ label: m.actions(), hidden: true }
 	]}
 >
@@ -69,9 +112,15 @@
 		<Table.Cell>
 			<Badge variant="outline">{item.isAdmin ? m.admin() : m.user()}</Badge>
 		</Table.Cell>
+		<Table.Cell>
+			<Badge variant={item.disabled ? 'destructive' : 'default'}>
+				{item.disabled ? m.disabled() : m.enabled()}
+			</Badge>
+		</Table.Cell>
 		{#if $appConfigStore.ldapEnabled}
 			<Table.Cell>
-				<Badge variant={item.ldapId ? 'default' : 'outline'}>{item.ldapId ? m.ldap() : m.local()}</Badge
+				<Badge variant={item.ldapId ? 'default' : 'outline'}
+					>{item.ldapId ? m.ldap() : m.local()}</Badge
 				>
 			</Table.Cell>
 		{/if}
@@ -89,6 +138,17 @@
 						><LucidePencil class="mr-2 h-4 w-4" /> {m.edit()}</DropdownMenu.Item
 					>
 					{#if !item.ldapId || !$appConfigStore.ldapEnabled}
+						{#if item.disabled}
+							<DropdownMenu.Item onclick={() => enableUser(item)}
+								><LucideUserCheck class="mr-2 h-4 w-4" />{m.enable()}</DropdownMenu.Item
+							>
+						{:else}
+							<DropdownMenu.Item onclick={() => disableUser(item)}
+								><LucideUserX class="mr-2 h-4 w-4" />{m.disable()}</DropdownMenu.Item
+							>
+						{/if}
+					{/if}
+					{#if !item.ldapId || (item.ldapId && item.disabled)}
 						<DropdownMenu.Item
 							class="text-red-500 focus:!text-red-700"
 							onclick={() => deleteUser(item)}
@@ -101,4 +161,4 @@
 	{/snippet}
 </AdvancedTable>

-<OneTimeLinkModal userId={userIdToCreateOneTimeLink} />
+<OneTimeLinkModal bind:userId={userIdToCreateOneTimeLink} />
--- a/frontend/src/routes/settings/audit-log/global/+page.server.ts
+++ b/frontend/src/routes/settings/audit-log/global/+page.server.ts
@@ -1,7 +1,7 @@
 import { ACCESS_TOKEN_COOKIE_NAME } from '$lib/constants';
 import AuditLogService from '$lib/services/audit-log-service';
 import type { SearchPaginationSortRequest } from '$lib/types/pagination.type';
-import type { PageServerLoad } from '../../global-audit-log/$types';
+import type { PageServerLoad } from './$types';

 export const load: PageServerLoad = async ({ cookies }) => {
 	const auditLogService = new AuditLogService(cookies.get(ACCESS_TOKEN_COOKIE_NAME));
--- a/frontend/tests/application-configuration.spec.ts
+++ b/frontend/tests/application-configuration.spec.ts
@@ -32,7 +32,9 @@ test('Update email configuration', async ({ page }) => {
 	await page.getByLabel('SMTP Password').fill('password');
 	await page.getByLabel('SMTP From').fill('test@gmail.com');
 	await page.getByLabel('Email Login Notification').click();
-	await page.getByLabel('Email Login', { exact: true }).click();
+	await page.getByLabel('Email Login Code Requested by User').click();
+	await page.getByLabel('Email Login Code from Admin').click();
+	await page.getByLabel('API Key Expiration').click();

 	await page.getByRole('button', { name: 'Save' }).nth(1).click();

@@ -46,7 +48,9 @@ test('Update email configuration', async ({ page }) => {
 	await expect(page.getByLabel('SMTP Password')).toHaveValue('password');
 	await expect(page.getByLabel('SMTP From')).toHaveValue('test@gmail.com');
 	await expect(page.getByLabel('Email Login Notification')).toBeChecked();
-	await expect(page.getByLabel('Email Login', { exact: true })).toBeChecked();
+	await expect(page.getByLabel('Email Login Code Requested by User')).toBeChecked();
+	await expect(page.getByLabel('Email Login Code from Admin')).toBeChecked();
+	await expect(page.getByLabel('API Key Expiration')).toBeChecked();
 });

 test('Update LDAP configuration', async ({ page }) => {
--- a/frontend/tests/user-settings.spec.ts
+++ b/frontend/tests/user-settings.spec.ts
@@ -64,7 +64,7 @@ test('Create one time access token', async ({ page, context }) => {

 	await page.getByLabel('Login Code').getByRole('combobox').click();
 	await page.getByRole('option', { name: '12 hours' }).click();
-	await page.getByRole('button', { name: 'Generate Code' }).click();
+	await page.getByRole('button', { name: 'Show Code' }).click();

 	const link = await page.getByTestId('login-code-link').textContent();
 	await context.clearCookies();
Author	SHA1	Message	Date
Elias Schneider	453a765107	release: 0.49.0	2025-04-20 20:00:09 +02:00
Elias Schneider	f03645d545	chore(translations): update translations via Crowdin (#467 )	2025-04-20 17:59:49 +00:00
Elias Schneider	55273d68c9	chore(translations): fix typo in key	2025-04-20 19:51:12 +02:00
Elias Schneider	4e05b82f02	fix: hide alternative sign in button if user is already authenticated	2025-04-20 19:03:58 +02:00
Elias Schneider	2597907578	refactor: fix type errors	2025-04-20 18:54:45 +02:00
Kyle Mendell	debef9a66b	ci/cd: setup caching and improve ci job performance (#465 )	2025-04-20 11:48:46 -05:00
Elias Schneider	9122e75101	feat: add ability to disable API key expiration email	2025-04-20 18:41:03 +02:00
Elias Schneider	fe1c4b18cd	feat: add ability to send login code via email (#457 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-20 18:32:40 +02:00
Elias Schneider	e571996cb5	fix: disable animations not respected on authorize and logout page	2025-04-20 17:04:00 +02:00
Elias Schneider	fb862d3ec3	chore(translations): update translations via Crowdin (#459 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-20 09:43:27 -05:00
Kyle Mendell	26f01f205b	feat: send email to user when api key expires within 7 days (#451 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-04-20 14:40:20 +00:00
Elias Schneider	c37a3e0ed1	fix: remove limit of 20 callback URLs	2025-04-20 16:32:11 +02:00
Elias Schneider	eb689eb56e	feat: add description to callback URL inputs	2025-04-20 00:32:27 +02:00
Elias Schneider	60bad9e985	fix: locale change in dropdown doesn't work on first try	2025-04-20 00:31:33 +02:00
Elias Schneider	e21ee8a871	chore: add kmendell to `FUNDING.yml`	2025-04-19 18:51:01 +02:00
Elias Schneider	04006eb5cc	release: 0.48.0	2025-04-18 18:34:52 +02:00
Elias Schneider	84f1d5c906	fix: user querying fails on global audit log page with Postgres	2025-04-18 18:33:14 +02:00
Elias Schneider	983e989be1	chore(translations): update translations via Crowdin (#456 )	2025-04-18 18:21:04 +02:00
Kyle Mendell	c843a60131	feat: disable/enable users (#437 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-04-18 15:38:50 +00:00
Elias Schneider	56a8b5d0c0	feat: add gif support for logo and background image	2025-04-18 17:31:04 +02:00
Elias Schneider	f0dce41fbc	fix: callback URL doesn't get rejected if it starts with a different string	2025-04-17 20:52:58 +02:00
Elias Schneider	0111a58dac	fix: add "type" as reserved claim	2025-04-17 20:41:21 +02:00
Elias Schneider	50e4c5c314	chore(translations): update translations via Crowdin (#444 )	2025-04-17 20:19:50 +02:00
Kyle Mendell	5a6dfd9e50	fix: profile picture empty for users without first or last name (#449 )	2025-04-17 20:19:10 +02:00
Elias Schneider	75fbfee4d8	chore(translations): add Italian	2025-04-17 19:13:47 +02:00
dependabot[bot]	65ee500ef3	chore(deps): bump golang.org/x/net from 0.36.0 to 0.38.0 in /backend in the go_modules group across 1 directory (#450 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-04-16 18:26:55 -05:00
@@ -1 +1 @@
 .47.0
 .49.0