diff --git a/docs/authentik-sso-setup.md b/docs/authentik-sso-setup.md index 5b16353..2c88aee 100644 --- a/docs/authentik-sso-setup.md +++ b/docs/authentik-sso-setup.md @@ -22,7 +22,7 @@ Internet → Cloudflare → cloudflared → [service container] | Pattern | How it works | Services | |---------|-------------|---------| -| Native OIDC/OAuth2 | App calls Authentik directly for login | Grafana, OpenWebUI, Forgejo, BookStack, OpenProject, Kavita | +| Native OIDC/OAuth2 | App calls Authentik directly for login | Grafana, OpenWebUI, Forgejo, OpenProject, Kavita | | Authentik Proxy Provider | Cloudflare tunnel → Authentik (embedded outpost) → service | Shaarli, Uptime Kuma, LiteLLM | --- @@ -35,7 +35,7 @@ Internet → Cloudflare → cloudflared → [service container] | Grafana | grafana.kitestacks.com | 3000 | OAuth2 | ⚠️ env set, Authentik app needed | | Kite AI (OpenWebUI) | ai.kitestacks.com | 8080 | OIDC | ⚠️ env set, Authentik app needed | | Forgejo | gitforge.kitestacks.com | 3000 | OAuth2 | ⚠️ Forgejo admin UI config needed | -| BookStack | books.kitestacks.com* | 80 | OIDC | ⚠️ env set, Authentik app needed, CF tunnel needed | +| BookStack | — | — | — | 🚫 Retired — books hosted on Kavita | | OpenProject | tasks.kitestacks.com | 80 | OIDC | ⚠️ env set, Authentik app needed | | Kavita | kavita.kitestacks.com | 5000 | OIDC | ⚠️ appsettings.json updated, Authentik app needed | | Shaarli | links.kitestacks.com | 80 | Proxy | ⚠️ Authentik Proxy Provider needed + CF tunnel update | @@ -46,7 +46,7 @@ Internet → Cloudflare → cloudflared → [service container] | Node Exporter | node-exporter.kitestacks.com | 9100 | — | 🚫 SSO excluded | | OpenRouter | openrouter.ai | — | — | 🚫 external, excluded | -*BookStack subdomain placeholder — update `APP_URL` in `apps/bookstack/docker-compose.yml`. +*BookStack has been retired. All books are hosted on Kavita (`kavita.kitestacks.com`). --- 
@@ -116,24 +116,7 @@ Go to **https://auth.kitestacks.com** → Admin Interface. ``` - Restart: `cd ~/docker/kavita && docker compose restart` (if a compose exists) or `docker restart kavita` -#### 4. BookStack - -- **Providers → Create → OAuth2/OpenID Provider** - - Name: `BookStack`, Client ID: `bookstack` - - Redirect URIs: `https://books.kitestacks.com/oidc/callback` - *(adjust to your actual BookStack subdomain)* - - Scopes: `openid`, `email`, `profile` -- **Applications → Create**: Name: `BookStack`, Slug: `bookstack` -- Copy secret → `/home/kenpat/docker/bookstack/.env`: - ``` - BOOKSTACK_OIDC_SECRET= - ``` -- Set the real subdomain in `/home/kenpat/docker/bookstack/docker-compose.yml`: - - Update `APP_URL=https://.kitestacks.com` -- Restart: `cd ~/docker/bookstack && docker compose up -d` -- In Cloudflare dashboard: add tunnel route `.kitestacks.com` → `http://bookstack:80` - -#### 5. OpenProject +#### 4. OpenProject - **Providers → Create → OAuth2/OpenID Provider** - Name: `OpenProject`, Client ID: `openproject` @@ -226,7 +209,6 @@ In the Cloudflare Zero Trust Dashboard → Networks → Tunnels → your tunnel | `status.kitestacks.com` | `http://uptime-kuma:3001` | `http://authentik:9000` | | `llm.kitestacks.com` | (new) | `http://authentik:9000` | | `tasks.kitestacks.com` | `http://openproject:8080` | `http://openproject:80` *(after OpenProject upgrade)* | -| `.kitestacks.com` | (new) | `http://bookstack:80` | ---
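Review bot: The footnote added in the `@@ -46,7 +46,7` hunk is orphaned. Its leading `*` used to pair with `books.kitestacks.com*` in the BookStack status row, and the replacement row in the `@@ -35,7 +35,7` hunk no longer carries an asterisk. Either drop the footnote, since the new row already says the books are hosted on Kavita, or put the `*` on the row's service name so the marker has something to refer to.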
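Review bot: In the `@@ -116,24 +116,7` hunk, the BookStack setup steps are deleted with no decommissioning steps in their place. If the `bookstack` provider and application were ever created in Authentik, the doc should say to delete them and to remove `BOOKSTACK_OIDC_SECRET` from `/home/kenpat/docker/bookstack/.env`, so that no unused OAuth2 client with a registered redirect URI (`https://books.kitestacks.com/oidc/callback`) stays valid. A short checklist for retired services would cover this. Separately, `#### 5. OpenProject` becomes `#### 4. OpenProject`, so any numbered headings after it, which this hunk does not show, need the same shift.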
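Review bot: The row removed in the `@@ -226,7 +209,6` hunk listed its current value as `(new)`, so the doc never recorded whether the route to `http://bookstack:80` was actually added to the tunnel. Suggest noting, here or in the commit message, that the Cloudflare tunnel has been checked and carries no public hostname for BookStack. A leftover route would keep a public hostname pointing at a retired backend.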