diff --git a/api/src/auth/drivers/oauth2.ts b/api/src/auth/drivers/oauth2.ts
index 27d7b91c6..f1951cf40 100644
--- a/api/src/auth/drivers/oauth2.ts
+++ b/api/src/auth/drivers/oauth2.ts
@@ -148,7 +148,7 @@ export class OAuth2AuthDriver extends BaseOAuthDriver {
 			email: email,
 			external_identifier: identifier,
 			role: this.config['defaultRoleId'],
-			auth_data: tokenSet.refresh_token && JSON.stringify({ refreshToken: tokenSet.refresh_token }),
+			auth_data: tokenSet.refresh_token ? JSON.stringify({ refreshToken: tokenSet.refresh_token }) : null,
 		};
 
 		return [tokenSet, userInfo, userPayload];
diff --git a/api/src/auth/drivers/openid.ts b/api/src/auth/drivers/openid.ts
index af1f594aa..d15fdead1 100644
--- a/api/src/auth/drivers/openid.ts
+++ b/api/src/auth/drivers/openid.ts
@@ -179,7 +179,7 @@ export class OpenIDAuthDriver extends BaseOAuthDriver {
 			email: email,
 			external_identifier: identifier,
 			role: this.config['defaultRoleId'],
-			auth_data: tokenSet.refresh_token && JSON.stringify({ refreshToken: tokenSet.refresh_token }),
+			auth_data: tokenSet.refresh_token ? JSON.stringify({ refreshToken: tokenSet.refresh_token }) : null,
 		};
 
 		return [tokenSet, userInfo, userPayload];
diff --git a/api/src/services/authorization.ts b/api/src/services/authorization.ts
index 9c623584b..2caa6c567 100644
--- a/api/src/services/authorization.ts
+++ b/api/src/services/authorization.ts
@@ -623,7 +623,7 @@ export class AuthorizationService {
 
 						for (let i = 0; i < originalItems.length; i++) {
 							const originalItem: Item = originalItems[i]!;
-							const emptyItemsToAdd = originalItem[fieldKey].length - field.update?.length - field.delete?.length;
+							const emptyItemsToAdd = field.update?.length - originalItem[fieldKey].length - field.delete?.length;
 							const finalArrayToValidate = arrayToValidate.concat(Array(emptyItemsToAdd).fill({}));
 
 							// validate partial items until the last key
diff --git a/api/src/utils/get-ip-from-req.ts b/api/src/utils/get-ip-from-req.ts
index 75d725546..18c12f695 100644
--- a/api/src/utils/get-ip-from-req.ts
+++ b/api/src/utils/get-ip-from-req.ts
@@ -4,7 +4,7 @@ import env from '../env.js';
 import logger from '../logger.js';
 
 export function getIPFromReq(req: Request): string {
-	let ip = req.ip;
+	let ip = req.ip || '';
 
 	if (env['IP_CUSTOM_HEADER']) {
 		const customIPHeaderValue = req.get(env['IP_CUSTOM_HEADER']) as unknown;
diff --git a/docs/self-hosted/sso-examples.md b/docs/self-hosted/sso-examples.md
index a97656505..9fcc70009 100644
--- a/docs/self-hosted/sso-examples.md
+++ b/docs/self-hosted/sso-examples.md
@@ -91,6 +91,18 @@ AUTH_KEYCLOAK_ISSUER_URL="http://<your_keycloak_domain>/realms/<your_keycloak_re
 AUTH_KEYCLOAK_IDENTIFIER_KEY="email"
 ```
 
+## Authentik
+
+Ensure RSA signing key
+
+```
+AUTH_AUTHENTIK_DRIVER="openid"
+AUTH_AUTHENTIK_CLIENT_ID="..."
+AUTH_AUTHENTIK_CLIENT_SECRET="..."
+AUTH_AUTHENTIK_ISSUER_URL="http://<your_authentik_domain>/application/o/<your_app_name>/.well-known/openid-configuration"
+AUTH_AUTHENTIK_SCOPE="openid profile email offline_access"  # offline_access is required to get refresh_token
+```
+
 ## GitHub
 
 ```