dev

docs/features/authentication-access/auth/sso/index.mdx

@@ -40,6 +40,7 @@ You cannot have Microsoft **and** Google as OIDC providers simultaneously.
 | `OAUTH_CLIENT_INFO_ENCRYPTION_KEY`    | `WEBUI_SECRET_KEY` | A secret key for encrypting OAuth client information stored on the server - used for OAuth 2.1 authentication for MCP servers. |
 | `ENABLE_OAUTH_ID_TOKEN_COOKIE`        | `true`             | For backward compatibility. Controls if the legacy `oauth_id_token` cookie is set. Recommended to set to `false`. |
 | `ENABLE_OAUTH_TOKEN_EXCHANGE`         | `false`            | Enables the token exchange endpoint for external apps to exchange OAuth tokens for Open WebUI JWTs. |
+| `ENABLE_OAUTH_BACKCHANNEL_LOGOUT`     | `false`            | Enables OIDC Back-Channel Logout endpoint (`POST /oauth/backchannel-logout`) for IdP-initiated logout. Requires Redis for JWT revocation. |
 | `OAUTH_MAX_SESSIONS_PER_USER`         | `10`               | Maximum concurrent OAuth sessions per user per provider. Prevents unbounded growth while allowing multi-device usage. |
 
 :::warning
@@ -80,6 +81,29 @@ Open WebUI also supports **OAuth Token Exchange**, allowing external application
 
 To enable this feature, set `ENABLE_OAUTH_TOKEN_EXCHANGE=true`. See the [`ENABLE_OAUTH_TOKEN_EXCHANGE`](/reference/env-configuration#enable_oauth_token_exchange) environment variable documentation for details on usage, request/response examples, and security considerations.
 
+### OIDC Back-Channel Logout
+
+Open WebUI supports **OIDC Back-Channel Logout**, which allows your identity provider (IdP) to notify Open WebUI of user logout events directly server-to-server, without requiring a browser redirect.
+
+To enable this feature, set `ENABLE_OAUTH_BACKCHANNEL_LOGOUT=true`.
+
+When enabled, Open WebUI exposes:
+
+- `POST /oauth/backchannel-logout`
+
+The endpoint expects a form-encoded `logout_token` issued by your IdP and validates it against your configured OAuth/OIDC provider metadata and JWKS.
+
+:::warning
+
+Redis is strongly recommended and effectively required for full logout enforcement.
+
+- With Redis configured, Open WebUI revokes existing JWTs for affected users and removes stored OAuth sessions.
+- Without Redis, Open WebUI can delete stored OAuth sessions, but already issued JWTs remain valid until expiration.
+
+:::
+
+See [`ENABLE_OAUTH_BACKCHANNEL_LOGOUT`](/reference/env-configuration#enable_oauth_backchannel_logout) for implementation details and behavior notes.
+
 ### Google
 
 To configure a Google OAuth client, please refer to [Google's documentation](https://support.google.com/cloud/answer/6158849) on how to create a Google OAuth client for a **web application**.
@@ -147,6 +171,12 @@ No additional configuration is required in Microsoft Entra ID. The `offline_acce
 
 :::
 
+:::tip Role Mapping with Microsoft Entra ID
+
+If you use Entra ID **app roles** to control who gets `admin` vs `user` access in Open WebUI, you also need to configure [OAuth Role Management](#oauth-role-management) below. In particular, make sure you set `OAUTH_ALLOWED_ROLES` and `OAUTH_ADMIN_ROLES` in addition to `ENABLE_OAUTH_ROLE_MANAGEMENT=true` — otherwise all users will be created with the default role regardless of their Entra ID assignment.
+
+:::
+
 ### GitHub
 
 To configure a GitHub OAuth Client, please refer to [GitHub's documentation](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps) on how to create a OAuth App or GitHub App for a **web application**.

docs/features/authentication-access/rbac/index.mdx

@@ -13,6 +13,14 @@ Open WebUI implements a flexible and secure **Role-Based Access Control (RBAC)**
 The security model is **Additive**. Users start with their default rights, and Group memberships **add** capabilities. A user effectively has the *union* of all rights granted by their Roles and Groups.
 :::
 
+:::warning Scope of RBAC vs Provider Credentials
+RBAC controls what users can do **inside Open WebUI** (features, resources, and UI/API actions).
+
+RBAC does **not** replace least-privilege configuration for external providers. If you connect an OpenAI-compatible proxy/provider (for example LiteLLM, OpenRouter, or custom gateways), use provider credentials that are scoped for inference usage in your deployment.
+
+Avoid configuring management/master keys for general user traffic unless your deployment explicitly requires that level of trust.
+:::
+
 ## Documentation Guide
 
 *   [‍🔑 **Roles**](./roles.md)

docs/features/authentication-access/rbac/permissions.md

@@ -12,6 +12,12 @@ Administrators can manage permissions in two primary ways:
 
 Users with the `Pending` role have no access until approved, `Admin` users have full administrative access, and `User` accounts are subject to the permission system described below.
 
+:::warning RBAC Scope Boundary
+RBAC permissions control what users can do inside Open WebUI.
+
+RBAC does not replace provider-side least-privilege design. For OpenAI-compatible providers/proxies (including LiteLLM), configure credentials with the minimum required scope for your deployment.
+:::
+
 :::info Permission Logic
 Permissions in Open WebUI are **additive**.
 *   A user's effective permissions are the combination of **Global Defaults** and all their **Group Memberships**.
@@ -111,6 +117,18 @@ Controls access to broad platform capabilities.
 | **Code Interpreter** | Ability to use the Python Code Interpreter. |
 | **Direct Tool Servers** | Ability to connect to custom Tool Servers in settings. |
 | **Memories** | Access to the Memories feature for persistent user context. |
+| **Automations** | Ability for non-admin users to access the Automations page and create, edit, run, pause, or delete their own scheduled automations. |
+
+:::info Automations Permission Scope
+
+For Automations access:
+
+1. **Permission Check for Non-Admins**: Users with the `user` role need **Features > Automations** (`features.automations`).
+2. **Admins Are Exempt from `features.automations`**: Users with the `admin` role can access Automations without that specific permission.
+
+Default permission can be configured via [`USER_PERMISSIONS_FEATURES_AUTOMATIONS`](/reference/env-configuration#user_permissions_features_automations).
+
+:::
 
 ### 5. Settings Permissions
 Controls access to user settings areas.

docs/features/chat-conversations/audio/speech-to-text/env-variables.md

@@ -80,10 +80,10 @@ If using the `:cuda` Docker image with an older GPU, set `WHISPER_COMPUTE_TYPE=f
 
 | Variable | Description | Default |
 |----------|-------------|---------|
-| `AUDIO_TTS_ENGINE` | TTS engine: empty (disabled), `openai`, `elevenlabs`, `azure`, `transformers` | empty |
+| `AUDIO_TTS_ENGINE` | TTS engine: empty (disabled), `openai`, `mistral`, `elevenlabs`, `azure`, `transformers` | empty |
 | `AUDIO_TTS_MODEL` | TTS model | `tts-1` |
 | `AUDIO_TTS_VOICE` | Default voice | `alloy` |
-| `AUDIO_TTS_SPLIT_ON` | Split text on: `punctuation` or `none` | `punctuation` |
+| `AUDIO_TTS_SPLIT_ON` | Split text on: `punctuation`, `paragraphs`, or `none` | `punctuation` |
 | `AUDIO_TTS_API_KEY` | API key for ElevenLabs or Azure TTS | empty |
 
 ### OpenAI-Compatible TTS
@@ -94,6 +94,17 @@ If using the `:cuda` Docker image with an older GPU, set `WHISPER_COMPUTE_TYPE=f
 | `AUDIO_TTS_OPENAI_API_KEY` | OpenAI TTS API key | empty |
 | `AUDIO_TTS_OPENAI_PARAMS` | Additional JSON params for OpenAI TTS | empty |
 
+### Mistral TTS
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `AUDIO_TTS_MISTRAL_API_KEY` | Mistral TTS API key | empty |
+| `AUDIO_TTS_MISTRAL_API_BASE_URL` | Mistral API base URL | `https://api.mistral.ai/v1` |
+
+:::info
+When `AUDIO_TTS_ENGINE=mistral`, Open WebUI uses `mistral-tts-latest` when `AUDIO_TTS_MODEL` is empty.
+:::
+
 ### Azure TTS
 
 | Variable | Description | Default |

docs/features/chat-conversations/audio/speech-to-text/mistral-voxtral-integration.md

@@ -7,6 +7,10 @@ title: "Mistral Voxtral STT"
 
 This guide covers how to use Mistral's Voxtral model for Speech-to-Text with Open WebUI. Voxtral is Mistral's speech-to-text model that provides accurate transcription.
 
+:::tip Looking for TTS?
+See the companion guide: [Using Mistral for Text-to-Speech](/features/chat-conversations/audio/text-to-speech/mistral-tts-integration)
+:::
+
 ## Requirements
 
 - A Mistral API key

docs/features/chat-conversations/audio/text-to-speech/mistral-tts-integration.md

@@ -0,0 +1,107 @@
+---
+sidebar_position: 2
+title: "Mistral TTS Integration"
+---
+
+# Using Mistral for Text-to-Speech
+
+This guide covers how to use Mistral's Text-to-Speech API with Open WebUI.
+
+:::tip Looking for STT?
+See the companion guide: [Using Mistral Voxtral for Speech-to-Text](/features/media-generation/audio/speech-to-text/mistral-voxtral-integration)
+:::
+
+## Requirements
+
+- A Mistral API key
+- Open WebUI installed and running
+
+## Quick Setup (UI)
+
+1. Click your **profile icon** (bottom-left corner)
+2. Select **Admin Panel**
+3. Click **Settings** -> **Audio** tab
+4. Configure the following:
+
+| Setting | Value |
+|---------|-------|
+| **Text-to-Speech Engine** | `MistralAI` |
+| **API Base URL** | `https://api.mistral.ai/v1` |
+| **API Key** | Your Mistral API key |
+| **TTS Model** | `mistral-tts-latest` (or leave empty for default) |
+| **TTS Voice** | Choose from available voices |
+
+5. Click **Save**
+
+## Available Models
+
+| Model | Description |
+|-------|-------------|
+| `mistral-tts-latest` | Default model used for Mistral TTS |
+
+:::info
+If `AUDIO_TTS_MODEL` is empty, Open WebUI defaults to `mistral-tts-latest` for Mistral TTS.
+:::
+
+## Environment Variables Setup
+
+If you prefer to configure via environment variables:
+
+```yaml
+services:
+  open-webui:
+    image: ghcr.io/open-webui/open-webui:main
+    environment:
+      - AUDIO_TTS_ENGINE=mistral
+      - AUDIO_TTS_MISTRAL_API_KEY=your-mistral-api-key
+      - AUDIO_TTS_MISTRAL_API_BASE_URL=https://api.mistral.ai/v1
+      - AUDIO_TTS_MODEL=mistral-tts-latest
+      - AUDIO_TTS_VOICE=<voice-id>
+    # ... other configuration
+```
+
+### All Mistral TTS Environment Variables
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `AUDIO_TTS_ENGINE` | Set to `mistral` | empty (uses browser-only TTS) |
+| `AUDIO_TTS_MISTRAL_API_KEY` | Your Mistral API key | empty |
+| `AUDIO_TTS_MISTRAL_API_BASE_URL` | Mistral API base URL | `https://api.mistral.ai/v1` |
+| `AUDIO_TTS_MODEL` | TTS model | `mistral-tts-latest` (effective default for Mistral engine) |
+| `AUDIO_TTS_VOICE` | Voice ID | empty |
+
+## Choosing Voices
+
+Open WebUI queries the configured Mistral endpoint for available voices and shows them in the **TTS Voice** selector.
+
+If voices are not listed:
+- Confirm your API key is valid
+- Verify the API base URL is reachable from the Open WebUI server/container
+- Check logs for `/audio/voices` request errors
+
+## Testing TTS
+
+1. Start a new chat
+2. Send a message to any model
+3. Click the **speaker icon** on the AI response to hear it read aloud
+
+## Troubleshooting
+
+### "Mistral API key is required for Mistral TTS"
+
+1. Confirm `AUDIO_TTS_MISTRAL_API_KEY` is set (or entered in Admin Audio settings)
+2. Save settings and retry
+
+### No voices shown in the dropdown
+
+1. Verify network access from Open WebUI to `AUDIO_TTS_MISTRAL_API_BASE_URL`
+2. Check Open WebUI logs for Mistral voice list errors
+3. Confirm your key has permission to access Mistral audio APIs
+
+### TTS request fails
+
+1. Verify `AUDIO_TTS_ENGINE=mistral`
+2. Try leaving the model empty (uses `mistral-tts-latest`)
+3. Try another voice ID from the fetched list
+
+For broader audio debugging, see the [Audio Troubleshooting Guide](/troubleshooting/audio).

docs/features/chat-conversations/chat-features/automations.mdx

@@ -0,0 +1,119 @@
+---
+sidebar_position: 11
+title: "Automations"
+---
+
+# Automations
+
+Automations let you schedule prompts to run automatically at recurring times. Each run creates a chat and executes through the normal chat completion pipeline, so model defaults, tools, filters, and other pipeline behavior still apply.
+
+## What You Can Automate
+
+- Run a prompt on a schedule (hourly, daily, weekly, monthly, custom RRULE)
+- Trigger a run manually with **Run Now**
+- Pause/resume automations without deleting them
+- Review execution history for each automation
+- Optionally attach a terminal server and working directory for runs that need terminal context
+
+## Access Control
+
+Automations are permission-gated for non-admin users.
+
+- **Admins**: always have access to Automations
+- **Users**: require the **Features > Automations** permission
+
+See [RBAC Permissions](/features/authentication-access/rbac/permissions#4-features-permissions) for the permission category.
+
+To grant user access:
+
+1. Open **Admin Panel > Users > Groups**
+2. Edit **Default permissions** or a specific group
+3. Enable **Features > Automations**
+
+You can also set this default via [`USER_PERMISSIONS_FEATURES_AUTOMATIONS`](/reference/env-configuration#user_permissions_features_automations).
+
+## Admin Limits
+
+Administrators can set global limits on automation usage for non-admin users. These are configured via environment variables. **Admins bypass all limits.**
+
+| Setting | Effect | Env Variable |
+|---------|--------|--------------|
+| **Max Automation Count** | Caps the number of automations a user can create | [`AUTOMATION_MAX_COUNT`](/reference/env-configuration#automation_max_count) |
+| **Min Recurrence Interval** | Rejects schedules that run more frequently than the configured interval (in seconds) | [`AUTOMATION_MIN_INTERVAL`](/reference/env-configuration#automation_min_interval) |
+
+- **Max count** is checked only on creation. Existing automations are not deleted if the limit is lowered.
+- **Min interval** is checked on both creation and update. One-time automations (`COUNT=1`) are exempt.
+- Both default to empty (no limit). Set to a positive integer to enforce.
+
+## Create an Automation
+
+1. Open **User Menu > Automations**
+2. Click **New Automation**
+3. Set:
+   - **Title**
+   - **Instructions** (prompt)
+   - **Model**
+   - **Schedule**
+4. (Optional) Select a **Terminal** server and **Working Directory**
+5. Click **Create**
+
+After creation, Open WebUI opens the dedicated automation editor page at `/automations/{id}`.
+
+## Edit and Manage
+
+From the Automations list, click an automation to open its dedicated editor page.
+
+On the editor page, you can:
+
+- Update title, instructions, model, schedule, and terminal settings
+- Save changes
+- Run immediately with **Run now**
+- Pause/resume automation state
+- Delete the automation
+- Review execution logs and open run chats
+
+Execution logs are paginated with infinite scroll in the editor, so large run histories load incrementally.
+
+## Scheduling
+
+Supported schedule modes:
+
+- **Once**
+- **Hourly**
+- **Daily**
+- **Weekly**
+- **Monthly**
+- **Custom** (`RRULE`)
+
+Custom schedules accept standard RRULE syntax. Invalid or exhausted rules are rejected.
+
+## Notes
+
+- Automations run in the background worker loop on a polling interval.
+- Every run records a status (`success` or `error`) and optional error details.
+- Deleting an automation also removes its run history.
+
+## Managing Automations from Chat
+
+When using **Native Function Calling Mode** with a capable model, automations can also be created and managed directly from within a chat conversation using builtin tools. This allows you to say things like *"Schedule a daily summary report at 9am"* and the model will create the automation for you.
+
+### Available tools
+
+| Tool | What it does |
+|------|-------------|
+| `create_automation` | Create a new scheduled automation with a name, prompt, RRULE schedule, and optional model ID |
+| `update_automation` | Update an existing automation's name, prompt, schedule, or model |
+| `list_automations` | List your scheduled automations with status, schedule, and next runs |
+| `toggle_automation` | Pause or resume a scheduled automation |
+| `delete_automation` | Delete a scheduled automation and all its run history |
+
+### Requirements
+
+For chat-based automation tools to be available:
+
+1. **Native Function Calling** must be enabled for the model
+2. **Builtin Tools** capability must be enabled for the model
+3. **Automations** category must be enabled in the model's Builtin Tools settings (enabled by default)
+4. The user must have the **Features > Automations** permission (admins always pass)
+
+See the [Builtin Tools reference](/features/extensibility/plugin/tools#built-in-system-tools-nativeagentic-mode) for full details on all builtin tools.

docs/features/chat-conversations/chat-features/history-search.mdx

@@ -13,9 +13,12 @@ All your conversations are automatically saved in the **Sidebar**.
 
 *   **Persistence**: Chats are saved to the internal database (`webui.db`) and are available across all your devices.
 *   **Organization**: Chats are grouped by time period (Today, Yesterday, Previous 7 Days, etc.).
+*   **Unread Indicator**: Chats with new activity show an unread dot in the sidebar until you open them.
 *   **Renaming**: Titles are automatically generated by a task model, but you can manually rename any chat by clicking the pencil icon next to its title.
 *   **Archivial**: Instead of deleting, you can **Archive** chats to remove them from the main list while keeping them downloadable and searchable.
 
+Open WebUI tracks read state per chat and updates it when you open a conversation, so unread indicators stay in sync across sessions.
+
 ## Searching Your History
 
 You can search through your conversations using the global search bar in the sidebar.

docs/features/chat-conversations/chat-features/index.mdx

@@ -27,6 +27,10 @@ Open WebUI provides a comprehensive set of chat features designed to enhance you
 
 - **[💬 Follow-Up Prompts](./follow-up-prompts.md)**: Automatic generation of suggested follow-up questions after model responses.
 
+- **[⏱️ Automations](./automations.mdx)**: Schedule prompts to run automatically (hourly/daily/weekly/monthly/custom RRULE) and manage recurring runs.
+
+- **[✅ Task Management](./task-management.mdx)**: Let agentic models keep a structured task/todo list in chat for multi-step workflows and transparent progress tracking.
+
 - **Skill Mentions**: Use `$` in the chat input to mention and activate [Skills](/features/workspace/skills) on-the-fly, injecting their manifests into the conversation.
 
 - **Writing & Content Blocks**: Responses from models that include colon-fence blocks (e.g., `:::writing`, `:::code_execution`, `:::search_results`) are automatically rendered as formatted content in a styled container with a copy button. This is commonly used by newer OpenAI models to distinguish different types of output (prose, code results, search results) from the main response text.