eliott/authentik
1
0
Fork 0
mirror of https://github.com/goauthentik/authentik synced 2026-04-25 17:15:26 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
ea4848c7c680e2d3d0e57260bd9b046135de10d4
authentik/website/docs/add-secure-apps/outposts/embedded/embedded.mdx
Dominic R 028ec05a8b website: Merge branch (#21684) 
Co-authored-by: Codex <codex@openai.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
2026-04-23 01:46:10 +00:00

55 lines
3.0 KiB
Plaintext
Raw Blame History

---
title: Embedded Outpost
---
authentik includes an embedded outpost to simplify deployments that use the Proxy provider.
The embedded outpost runs as part of the main authentik server deployment and is managed by authentik itself. It authenticates to the authentik API by using the secret key.
You can access the embedded outpost on the same ports as authentik itself, `9000` and `9443`.
## When to use the embedded outpost
Use the embedded outpost when you are using the proxy provider and want the simplest deployment model. It is a good fit when authentik is already behind a reverse proxy and you want proxy provider traffic to be handled by the same authentik deployment, without a separate outpost deployment.
Use a [managed outpost](../index.mdx) instead when you want authentik to deploy and update a separate outpost through the [Docker](../integrations/docker.md) or [Kubernetes](../integrations/kubernetes.md) integrations, or when you want the outpost lifecycle to be separate from the core server.
If the embedded outpost does not fit your deployment, you can ignore it and use a [managed outpost](../index.mdx) instead.
## Configuration
Because authentik does not know its own primary URL, you might need to configure the embedded outpost after installation.
By default, when you open the Admin interface on a fresh install, authentik automatically configures the outpost to use the same URL that was used to access authentik.
If this is not correct, navigate to **Applications** > **Outposts**, edit **authentik Embedded Outpost**, and set `authentik_host` to the correct URL.
Make sure that you set a full URL. A hostname or FQDN by itself does not work.
Most other outpost configuration options also apply to the embedded outpost, except for items that are marked as `non-embedded`.
import Configuration from "../_config.md";
<Configuration />
## Routing
Requests are routed as follows:
1. Paths starting with `/static`, `/media`, and `/help` return packaged CSS and JavaScript files, and user-uploaded media files.
2. Paths starting with `/outpost.goauthentik.io` are sent to the embedded outpost.
3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost.
4. Everything remaining is sent to the authentik backend server.
## How the embedded outpost differs from managed outposts
There are a few differences between managed outposts and the embedded outpost because authentik cannot fully manage the main authentik server deployment in the same way that it manages a separate outpost deployment.
1. Docker only: no automatic Traefik labels are added to the server container.
When you deploy a managed outpost on Docker, the container includes labels that can configure Traefik automatically. The embedded outpost does not add those labels to the server container.
2. Kubernetes only: an additional Service is created.
Because authentik does not know the name of the primary authentik Service, it creates another Service with a common set of labels that is always present.
Reference in New Issue View Git Blame Copy Permalink