0.8.1

docs/contributing.mdx

@@ -29,7 +29,7 @@ Looking to contribute? Great! Here's how you can help:
 docker run -d -p 3000:8080 -v open-webui:/app/backend/data --name open-webui ghcr.io/open-webui/open-webui:dev
 ```
 
-**Keep it updated regularly** — the dev branch moves fast! If Docker doesn't work for you, the [Local Development Guide](/getting-started/advanced-topics/development) is another great option.
+**Keep it updated regularly** — the dev branch moves fast! If Docker doesn't work for you, the [Local Development Guide](/getting-started/development) is another great option.
 
 By testing dev builds, you help us catch bugs before stable releases. Report issues on [GitHub](https://github.com/open-webui/open-webui/issues) with clear reproduction steps. **We cannot deliver high-quality releases without community testing.**
 

docs/faq.mdx

@@ -158,7 +158,7 @@ docker run -d -p 3000:8080 -e HF_ENDPOINT=https://hf-mirror.com/ --add-host=host
 
 ### Q: Why are my reasoning model's thinking blocks showing as raw text instead of being hidden?
 
-**A:** This happens if the model's thinking tags are not recognized by Open WebUI. You can customize the tags in the model's Advanced Parameters. For more details, see the **[Reasoning & Thinking Models](/features/chat-features/reasoning-models)** guide.
+**A:** This happens if the model's thinking tags are not recognized by Open WebUI. You can customize the tags in the model's Advanced Parameters. For more details, see the **[Reasoning & Thinking Models](/features/chat-conversations/chat-features/reasoning-models)** guide.
 
 ### Q: RAG with Open WebUI is very bad or not working at all. Why?
 
@@ -193,7 +193,7 @@ def wait_for_processing(token, file_id):
         time.sleep(2)  # Wait before checking again
 ```
 
-For complete workflow examples, see the **[API Endpoints documentation](/getting-started/api-endpoints#checking-file-processing-status)** and the **[RAG Troubleshooting guide](/troubleshooting/rag#9-api-file-upload-the-content-provided-is-empty-error)**.
+For complete workflow examples, see the **[API Endpoints documentation](/reference/api-endpoints#checking-file-processing-status)** and the **[RAG Troubleshooting guide](/troubleshooting/rag#9-api-file-upload-the-content-provided-is-empty-error)**.
 
 ### Q: I asked the model what it is and it gave the wrong answer. Is Open WebUI routing to the wrong model?
 
@@ -249,7 +249,7 @@ For more optimization tips, see the **[Performance Tips Guide](troubleshooting/p
 
 ### Q: Why doesn't Open WebUI natively support [Provider X]'s proprietary API?
 
-**A:** Open WebUI is highly modular with a plugin system including tools, functions, and most notably **[pipes](/features/plugin/functions/pipe)**. These modular pipes allow you to add support for virtually any provider you want—you can build your own or choose from the many [community-built](https://openwebui.com/) and usually well-maintained ones already available.
+**A:** Open WebUI is highly modular with a plugin system including tools, functions, and most notably **[pipes](/features/extensibility/plugin/functions/pipe)**. These modular pipes allow you to add support for virtually any provider you want—you can build your own or choose from the many [community-built](https://openwebui.com/) and usually well-maintained ones already available.
 
 That said, Open WebUI's core is built around **universal protocols**, not specific providers. Our stance is to support standard, widely-adopted APIs like the **OpenAI Chat Completions protocol**. 
 

docs/features/access-security/_category_.json

@@ -0,0 +1,6 @@
+{
+	"label": "🔐 Admin & Security",
+	"position": 10,
+	"collapsible": true,
+	"collapsed": true
+}

docs/features/analytics/index.mdx → docs/features/access-security/analytics/index.mdx

@@ -48,7 +48,7 @@ Your selected time period is **automatically saved** and persists across browser
 
 ### Group Filtering
 
-If you have [user groups](/features/rbac/groups) configured, the Analytics dashboard allows filtering by group:
+If you have [user groups](/features/access-security/rbac/groups) configured, the Analytics dashboard allows filtering by group:
 
 - Use the **group dropdown** next to the time period selector
 - Select a specific group to view analytics **only for users in that group**
@@ -231,7 +231,7 @@ Example for GPT-4:
 - Compare **message counts** across models to see adoption rates
 - Check **token efficiency** (tokens per message) to identify verbose models
 - Monitor **trends** in the timeline chart after introducing new models
-- Combine with the [Evaluation feature](../evaluation/index.mdx) for quality insights
+- Combine with the [Evaluation feature](/features/access-security/evaluation/) for quality insights
 
 ### 3. Cost Management
 
@@ -402,6 +402,6 @@ Whether you're managing a personal instance or a large organizational deployment
 
 ## Related Features
 
-- [**Evaluation**](../evaluation/index.mdx) - Measure model quality through user feedback
+- [**Evaluation**](/features/access-security/evaluation/) - Measure model quality through user feedback
 - [**RBAC**](../rbac/index.mdx) - Control access to models and features per user
-- [**Data Controls**](../data-controls/index.mdx) - Manage chat history and exports
+- [**Data Controls**](/features/chat-conversations/data-controls/) - Manage chat history and exports

docs/features/auth/scim.mdx → docs/features/access-security/auth/scim.mdx

@@ -25,6 +25,7 @@ Configure SCIM by setting these environment variables:
 
 - **`SCIM_ENABLED`**: Set to `true` to enable SCIM support (default: `false`)
 - **`SCIM_TOKEN`**: The bearer token for SCIM authentication (required when SCIM is enabled)
+- **`SCIM_AUTH_PROVIDER`**: The OAuth provider name to associate with SCIM `externalId` values (e.g., `microsoft`, `oidc`). Required for `externalId` storage and account linking.
 
 :::warning
 
@@ -46,6 +47,9 @@ export SCIM_ENABLED=true
 
 # Set a secure token (replace with your own generated token)
 export SCIM_TOKEN="your-secure-token-here"
+
+# Set the OAuth provider name for externalId linking
+export SCIM_AUTH_PROVIDER="microsoft"
 ```
 
 ## SCIM API Configuration
@@ -88,9 +92,9 @@ Open WebUI's SCIM implementation supports the following operations:
 - `userName`: The user's email address (required, unique)
 - `name.givenName`: First name
 - `name.familyName`: Last name
-- `emails`: Email addresses
+- `emails`: Email addresses (when multiple are provided, the entry marked `primary: true` is used)
 - `active`: User status (active/inactive)
-- `externalId`: External identifier from the identity provider
+- `externalId`: External identifier from the identity provider (stored per-provider in the user's `scim` JSON field, see [externalId and Account Linking](#externalid-and-account-linking))
 
 #### Group Attributes
 - `displayName`: Group name (required)
@@ -103,6 +107,7 @@ The SCIM API supports filtering for both users and groups:
 
 ```
 GET /api/v1/scim/v2/Users?filter=userName eq "[email protected]"
+GET /api/v1/scim/v2/Users?filter=externalId eq "abc-123"
 GET /api/v1/scim/v2/Groups?filter=displayName eq "Engineering"
 ```
 
@@ -118,6 +123,29 @@ Supported filter operators:
 - `lt`: Less than
 - `le`: Less than or equal
 
+## externalId and Account Linking
+
+When `SCIM_AUTH_PROVIDER` is configured, Open WebUI stores `externalId` values in a per-provider structure within the user's `scim` JSON field:
+
+```json
+{
+  "microsoft": { "external_id": "abc-123" },
+  "okta": { "external_id": "def-456" }
+}
+```
+
+This enables several behaviors:
+
+- **User lookup by externalId**: When an identity provider sends a `filter=externalId eq "..."` request, Open WebUI searches the `scim` field for a matching entry under the configured provider.
+- **OAuth fallback**: If no user is found by `externalId`, Open WebUI falls back to matching against OAuth `sub` values, automatically linking SCIM-provisioned accounts with existing OAuth-authenticated users.
+- **Create and update**: When creating or updating users via SCIM, the `externalId` is stored in the `scim` field and returned in subsequent responses.
+
+:::warning
+
+If `SCIM_AUTH_PROVIDER` is not set while SCIM is enabled, any operation that requires `externalId` (creation, lookup, or update) will return a `500` error. A warning is also logged on startup to alert you.
+
+:::
+
 ## Troubleshooting
 
 ### Common Issues
@@ -133,7 +161,10 @@ Supported filter operators:
 
 3. **User Creation Failures**
    - Ensure the `userName` field contains a valid email address
-   - Check that the email is not already in use
+   - Check that the email or `externalId` is not already in use
+
+4. **500 Error on externalId Operations**
+   - Verify that `SCIM_AUTH_PROVIDER` is set to the correct OAuth provider name
 
 ### Testing SCIM Endpoints
 
@@ -156,6 +187,7 @@ curl -X POST \
   -d '{
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
     "userName": "[email protected]",
+    "externalId": "idp-user-id-123",
     "displayName": "Test User",
     "name": {
       "givenName": "Test",
@@ -191,4 +223,4 @@ SCIM works best when combined with SSO (Single Sign-On). A typical setup include
 
 This ensures users are automatically created and can immediately authenticate using their corporate credentials.
 
-For SSO configuration, see the [SSO documentation](https://docs.openwebui.com/features/auth/sso/).
+For SSO configuration, see the [SSO documentation](https://docs.openwebui.com/features/access-security/auth/sso/).

docs/features/auth/sso/index.mdx → docs/features/access-security/auth/sso/index.mdx

@@ -5,7 +5,7 @@ title: "SSO (OAuth, OIDC, Trusted Header)"
 
 :::info
 
-For more information about all environment variables, check out the [environment variable docs page](https://docs.openwebui.com/getting-started/env-configuration/).
+For more information about all environment variables, check out the [environment variable docs page](https://docs.openwebui.com/reference/env-configuration/).
 It is highly recommended to check the environment variable page, to get more details about how to set the variable and what values are expected.
 
 :::
@@ -21,7 +21,7 @@ Check out our [troubleshooting guide](https://docs.openwebui.com/troubleshooting
 Right now, you can only configure **one** OpenID Connect (OIDC) provider at a time via `OPENID_PROVIDER_URL`.
 You cannot have Microsoft **and** Google as OIDC providers simultaneously.
 
-*However, there is a community workaround for using both! See our [Dual OAuth Tutorial](/tutorials/tips/dual-oauth-configuration) for more details.*
+*However, there is a community workaround for using both! See our [Dual OAuth Tutorial](/tutorials/integrations/auth-identity/dual-oauth-configuration) for more details.*
 :::
 
 ## OAuth Configuration Overview
@@ -51,7 +51,7 @@ You cannot have Microsoft **and** Google as OIDC providers simultaneously.
    - Set `ENABLE_OAUTH_PERSISTENT_CONFIG=false` to always read from environment variables
    - Update settings through the Admin Panel instead of environment variables
 
-3. **Required Variables**: Always verify you're using the exact variable names from the [environment configuration documentation](https://docs.openwebui.com/getting-started/env-configuration/). Common mistakes include using non-existent variables like `OIDC_CONFIG`.
+3. **Required Variables**: Always verify you're using the exact variable names from the [environment configuration documentation](https://docs.openwebui.com/reference/env-configuration/). Common mistakes include using non-existent variables like `OIDC_CONFIG`.
 
 :::
 
@@ -68,15 +68,15 @@ To solve issues related to large tokens (e.g., with AD FS group claims exceeding
 
 This system is enabled by default but can be fine-tuned with the environment variables detailed above.
 
-For more information, check out the [environment variable docs page](https://docs.openwebui.com/getting-started/env-configuration/).
+For more information, check out the [environment variable docs page](https://docs.openwebui.com/reference/env-configuration/).
 
 ### OAuth Token Exchange for External Applications
 
 Open WebUI also supports **OAuth Token Exchange**, allowing external applications to authenticate with Open WebUI by exchanging an OAuth provider's access token for an Open WebUI JWT session token. This is useful for programmatic access from scripts, CLI tools, or services that already have OAuth tokens from your identity provider.
 
 **Example use case:** A CLI tool that has obtained an OAuth access token from your identity provider can exchange it for an Open WebUI token to make API calls to Open WebUI.
 
-To enable this feature, set `ENABLE_OAUTH_TOKEN_EXCHANGE=true`. See the [`ENABLE_OAUTH_TOKEN_EXCHANGE`](/getting-started/env-configuration#enable_oauth_token_exchange) environment variable documentation for details on usage, request/response examples, and security considerations.
+To enable this feature, set `ENABLE_OAUTH_TOKEN_EXCHANGE=true`. See the [`ENABLE_OAUTH_TOKEN_EXCHANGE`](/reference/env-configuration#enable_oauth_token_exchange) environment variable documentation for details on usage, request/response examples, and security considerations.
 
 ### Google
 
@@ -174,7 +174,7 @@ The following environment variables are used:
 :::
 
 :::tip Community Workaround: Multi-Provider OAuth
-If you need to support both Microsoft and Google simultaneously, check out our **[Dual OAuth Configuration Tutorial](/tutorials/tips/dual-oauth-configuration)**. 
+If you need to support both Microsoft and Google simultaneously, check out our **[Dual OAuth Configuration Tutorial](/tutorials/integrations/auth-identity/dual-oauth-configuration)**. 
 :::
 ### OAuth Role Management