
Forward auth

Forward auth uses your existing reverse proxy to do the proxying, and only uses the authentik outpost to check authentication and authorization.

To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to use one of the Forward auth modes.

Single application

Single application mode works for a single application hosted on its own dedicated subdomain. This has the advantage that you can still apply per-application access policies in authentik.

Domain level

To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to use the Forward auth (domain level) mode.

This mode differs from the Forward auth (single application) mode in the following points:

  • You don't have to configure an application in authentik for each domain
  • Users don't have to authorize multiple times

There are however also some downsides, mainly the fact that you can't restrict individual applications to different users.

The only configuration difference between single application and domain level is the host you specify.

For single application, you'd use the domain which the application is running on, and only / is redirected to the outpost.

For domain level, you'd use the same domain as authentik.


example-outpost is used as a placeholder for the outpost name. is used as a placeholder for the authentik install. is used as a placeholder for the external domain for the application. is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as


server {
    # SSL and VHost configuration
    listen 443 ssl http2;
    server_name _;

    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # Increase buffer size for large headers
    # This is needed only if you get 'upstream sent too big header while reading response
    # header from upstream' error when trying to access an application protected by goauthentik
    proxy_buffers 8 16k;
    proxy_buffer_size 32k;

    location / {
        # Put your proxy_pass to your application here
        # proxy_pass http://localhost:5000;

        # authentik-specific config
        auth_request /;
        error_page 401 = @goauthentik_proxy_signin;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # translate headers from the outposts back to the actual upstream
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
        auth_request_set $authentik_email $upstream_http_x_authentik_email;
        auth_request_set $authentik_name $upstream_http_x_authentik_name;
        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

        proxy_set_header X-authentik-username $authentik_username;
        proxy_set_header X-authentik-groups $authentik_groups;
        proxy_set_header X-authentik-email $authentik_email;
        proxy_set_header X-authentik-name $authentik_name;
        proxy_set_header X-authentik-uid $authentik_uid;
    }

    # all requests to / must be accessible without authentication
    location / {
        # ensure the host of this vserver matches your external URL you've configured
        # in authentik
        proxy_set_header Host $host;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        add_header Set-Cookie $auth_cookie;
        auth_request_set $auth_cookie $upstream_http_set_cookie;

        # required for POST requests to work
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    # Special location for when the /auth endpoint returns a 401,
    # redirect to the /start URL which initiates SSO
    location @goauthentik_proxy_signin {
        add_header Set-Cookie $auth_cookie;
        return 302 /$request_uri;
        # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
        # return 302$scheme://$http_host$request_uri;
    }
}
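A check for the header translation in the nginx configuration above, added here as an example and not part of the authentik documentation. nginx passes client request headers to the upstream unless a proxy_set_header replaces them, so the check confirms that every X-authentik-* header the application trusts is overwritten from a variable filled by auth_request_set. The function name, the REQUIRED list and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumption: the upstream application trusts exactly the five headers set above.
REQUIRED = ["X-authentik-username", "X-authentik-groups", "X-authentik-email",
            "X-authentik-name", "X-authentik-uid"]

def audit_location(body, required=REQUIRED):
    """Return findings for the body of one nginx location that proxies to the app."""
    findings = []
    if not re.search(r"^\s*auth_request\s+\S+\s*;", body, re.M):
        findings.append("no auth_request directive: location is unauthenticated")
    # Variables filled from the outpost's response to the auth subrequest.
    from_outpost = set(re.findall(
        r"^\s*auth_request_set\s+(\$\w+)\s+\$upstream_http_\w+\s*;", body, re.M))
    # Header name (lower-cased) -> value for every proxy_set_header directive.
    overwritten = {name.lower(): value.strip() for name, value in re.findall(
        r"^\s*proxy_set_header\s+(\S+)\s+([^;]+);", body, re.M)}
    for header in required:
        value = overwritten.get(header.lower())
        if value is None:
            findings.append(f"{header}: not overwritten, client value reaches upstream")
        elif value not in from_outpost:
            findings.append(f"{header}: set from {value}, not from auth_request_set")
    return findings

# Constructed sample: the location body above with the uid header dropped and the
# email header wired to $http_x_authentik_email, which is the client's own header.
SAMPLE = """
    auth_request /;
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $http_x_authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
"""

if __name__ == "__main__":
    for finding in audit_location(SAMPLE):
        print(finding)
```

The function expects the text between the braces of a single location block, so run it once per location that proxies to the application.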


trustForwardHeader: true
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
rule: "Host(``)"
- name: authentik
priority: 10
services: # Unchanged
match: "Host(``) && PathPrefix(`/`)"
priority: 15