diff --git a/CHANGELOG.md b/CHANGELOG.md
index ad6ed44..8315268 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 <!-- towncrier release notes start -->
 
+## [v1.2.1] - 2026-06-05
+
+### Features
+
+- heph-pwa: added a **Login with Authentik** button — a proper browser OIDC sign-in (Authorization Code + PKCE) that replaces the manual bearer-token paste. The hub exposes an unauthenticated `GET /config` (`{issuer, client_id}`) so the app is zero-config when served from the hub; the PWA discovers the IdP endpoints, runs the PKCE redirect, exchanges the code for a token, and silently refreshes it (`offline_access`). The manual token field remains as a fallback. Requires the PWA origin registered as a redirect URI on the Authentik `heph` provider.
+
+
 ## [v1.2.0] - 2026-06-04
 
 ### Features
diff --git a/docs/changelog.d/heph-pwa-oidc-login.feature.md b/docs/changelog.d/heph-pwa-oidc-login.feature.md
deleted file mode 100644
index aae9d26..0000000
--- a/docs/changelog.d/heph-pwa-oidc-login.feature.md
+++ /dev/null
@@ -1 +0,0 @@
-heph-pwa: added a **Login with Authentik** button — a proper browser OIDC sign-in (Authorization Code + PKCE) that replaces the manual bearer-token paste. The hub exposes an unauthenticated `GET /config` (`{issuer, client_id}`) so the app is zero-config when served from the hub; the PWA discovers the IdP endpoints, runs the PKCE redirect, exchanges the code for a token, and silently refreshes it (`offline_access`). The manual token field remains as a fallback. Requires the PWA origin registered as a redirect URI on the Authentik `heph` provider.