goauthentik · melizeche · Apr 28, 2026 · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026
@@ -4,7 +4,7 @@
 from copy import copy
 
 from django.core.cache import cache
-from django.db.models import Case, Q, QuerySet
+from django.db.models import Case, QuerySet
 from django.db.models.expressions import When
 from django.shortcuts import get_object_or_404
 from django.utils.translation import gettext as _
@@ -120,6 +120,7 @@ class Meta:
             "meta_publisher",
             "policy_engine_mode",
             "group",
+            "meta_hide",
         ]
         extra_kwargs = {
             "backchannel_providers": {"required": False},
@@ -283,14 +284,12 @@ def list(self, request: Request) -> Response:
         ) == "true"
 
         queryset = self._filter_queryset_for_list(self.get_queryset())
+        queryset = queryset.exclude(meta_hide=True)
         if only_with_launch_url:
             # Pre-filter at DB level to skip expensive per-app policy evaluation
-            # for apps that can never appear in the launcher:
-            # - No meta_launch_url AND no provider: no possible launch URL
-            # - meta_launch_url="blank://blank": documented convention to hide from launcher
-            queryset = queryset.exclude(
-                Q(meta_launch_url="", provider__isnull=True) | Q(meta_launch_url="blank://blank")
-            )
+            # for apps that can never appear in the launcher (no meta_launch_url
+            # and no provider, so no possible launch URL).
+            queryset = queryset.exclude(meta_launch_url="", provider__isnull=True)
         paginator: Pagination = self.paginator
         paginated_apps = paginator.paginate_queryset(queryset, request)
 

@@ -0,0 +1,33 @@
+# Generated by Django 5.2.12 on 2026-04-09 18:04
+
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def migrate_blank_launch_url(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
+    Application = apps.get_model("authentik_core", "Application")
+
+    Application.objects.using(db_alias).filter(meta_launch_url="blank://blank").update(
+        meta_hide=True, meta_launch_url=""
+    )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0058_setup"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="application",
+            name="meta_hide",
+            field=models.BooleanField(
+                default=False,
+                help_text="Hide this application from the user's My applications page.",
+            ),
+        ),
+        migrations.RunPython(migrate_blank_launch_url, migrations.RunPython.noop),
+    ]
@@ -735,6 +735,9 @@ class Application(SerializerModel, PolicyBindingModel):
     meta_icon = FileField(default="", blank=True)
     meta_description = models.TextField(default="", blank=True)
     meta_publisher = models.TextField(default="", blank=True)
+    meta_hide = models.BooleanField(
+        default=False, help_text=_("Hide this application from the user's My applications page.")
+    )
 
     objects = ApplicationQuerySet.as_manager()
 

@@ -129,6 +129,7 @@ def test_list(self):
                         "meta_icon_url": None,
                         "meta_icon_themed_urls": None,
                         "meta_description": "",
+                        "meta_hide": False,
                         "meta_publisher": "",
                         "policy_engine_mode": "any",
                     },
@@ -187,12 +188,14 @@ def test_list_superuser_full_list(self):
                         "meta_icon_url": None,
                         "meta_icon_themed_urls": None,
                         "meta_description": "",
+                        "meta_hide": False,
                         "meta_publisher": "",
                         "policy_engine_mode": "any",
                     },
                     {
                         "launch_url": None,
                         "meta_description": "",
+                        "meta_hide": False,
                         "meta_icon": "",
                         "meta_icon_url": None,
                         "meta_icon_themed_urls": None,

@@ -353,7 +353,7 @@ def get_challenge(self) -> Challenge:
                 PLAN_CONTEXT_APPLICATION, Application()
             )
             challenge.initial_data["application_pre"] = app.name
-            if launch_url := app.get_launch_url():
+            if not app.meta_hide and (launch_url := app.get_launch_url()):
                 challenge.initial_data["application_pre_launch"] = launch_url
         if (
             PLAN_CONTEXT_DEVICE in self.executor.plan.context

@@ -5215,6 +5215,11 @@
                     "type": "string",
                     "title": "Group"
                 },
+                "meta_hide": {
+                    "type": "boolean",
+                    "title": "Meta hide",
+                    "description": "Hide this application from the user's My applications page."
+                },
                 "icon": {
                     "type": "string",
                     "minLength": 1,

@@ -34111,6 +34111,9 @@ components:
           $ref: '#/components/schemas/PolicyEngineMode'
         group:
           type: string
+        meta_hide:
+          type: boolean
+          description: Hide this application from the user's My applications page.
       required:
       - backchannel_providers_obj
       - launch_url
@@ -34192,6 +34195,9 @@ components:
           $ref: '#/components/schemas/PolicyEngineMode'
         group:
           type: string
+        meta_hide:
+          type: boolean
+          description: Hide this application from the user's My applications page.
       required:
       - name
       - slug
@@ -47428,6 +47434,9 @@ components:
           $ref: '#/components/schemas/PolicyEngineMode'
         group:
           type: string
+        meta_hide:
+          type: boolean
+          description: Hide this application from the user's My applications page.
     PatchedAuthenticatorDuoStageRequest:
       type: object
       description: AuthenticatorDuoStage Serializer

@@ -201,6 +201,15 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
                         )}
                     >
                     </ak-switch-input>
+                    <ak-switch-input
+                        name="metaHide"
+                        ?checked=${this.instance?.metaHide ?? false}
+                        label=${msg("Hide from My applications")}
+                        help=${msg(
+                            "If checked, this application will not be shown on the user's My applications page.",
+                        )}
+                    >
+                    </ak-switch-input>
                     <ak-file-search-input
                         name="metaIcon"
                         label=${msg("Icon")}

@@ -187,6 +187,15 @@ export class ApplicationWizardApplicationStep extends ApplicationWizardStep {
                             )}
                         >
                         </ak-switch-input>
+                        <ak-switch-input
+                            name="metaHide"
+                            ?checked=${app.metaHide ?? false}
+                            label=${msg("Hide from My applications")}
+                            help=${msg(
+                                "If checked, this application will not be shown on the user's My applications page.",
+                            )}
+                        >
+                        </ak-switch-input>
                         <ak-file-search-input
                             name="metaIcon"
                             label=${msg("Icon")}

@@ -40,11 +40,7 @@ export class FlowMultitabController implements ReactiveController {
             return;
         }
 
-        if (
-            isIdentificationChallenge(challenge) &&
-            challenge.applicationPreLaunch &&
-            challenge.applicationPreLaunch !== "blank://blank"
-        ) {
+        if (isIdentificationChallenge(challenge) && challenge.applicationPreLaunch) {
             multiTabOrchestrateLeave();
             window.location.assign(challenge.applicationPreLaunch);
             return;

@@ -30,7 +30,7 @@ The following options can be configured:
 
     For a reference of all fields available, see [the API schema for the User object](https://api.goauthentik.io/reference/core-users-retrieve/).
 
-    Only applications whose launch URL starts with `http://` or `https://` or are relative URLs are shown on the users' **My applications** page. This can also be used to hide applications that shouldn't be visible on the **My applications** page but are still accessible by users, by setting the _Launch URL_ to `blank://blank`.
+    Only apps with launch URLs that begin with `http://` or `https://`, or that use relative paths, appear on the user's **My applications** page. To keep an app accessible but remove it from that page, use the **Hide from My applications** option (see [Hide applications](./manage_apps.mdx#hide-applications)).
 
 - _Icon (URL)_: Optionally configure an icon for the application. You can select from files uploaded to the [Files](../../customize/files.md) library or enter an absolute URL.
 

@@ -104,10 +104,14 @@ return {
 
 ## Hide applications
 
-To hide an application without modifying its policy settings or removing it, you can simply set the _Launch URL_ to `blank://blank`, which will hide the application from users.
+To hide an application without modifying its policy settings or removing it, you can use the **Hide from My applications** option on the application. The application will no longer appear on the **My applications** page.
 
 Keep in mind that users still have access, so they can still authorize access when the login process is started from the application.
 
+:::info Hiding applications before 2026.5
+Before authentik 2026.5, an application was hidden by setting its **Launch URL** to `blank://blank`. Existing applications using that value are automatically migrated to using the **Hide from My applications** option upon upgrading.
+:::
+
 ## Launch URLs
 
 To give users direct links to applications, you can now use a URL like `https://authentik.company/application/launch/<slug>/`. If the user is already logged in, they will be redirected to the application automatically. Otherwise, they'll be sent to the authentication flow and, if successful, forwarded to the application.