diff --git a/apps/authentik/AUTHENTIK.md b/apps/authentik/AUTHENTIK.md new file mode 100644 index 0000000..e40f2d2 --- /dev/null +++ b/apps/authentik/AUTHENTIK.md 
@@ -0,0 +1,79 @@ +# Authentik SSO — Setup & Status + +## Server +- **Host:** `100.90.13.55` (Assassin, Debian 6.12.90 amd64) +- **Authentik version:** 2025.2.4 (Enterprise) +- **Stack location:** `/home/kenpat/docker/authentik/docker-compose.yml` +- **Web UI:** `http://100.90.13.55:9001` / `http://100.90.13.55:9001/if/admin/` +- **API base:** `http://100.90.13.55:9001/api/v3/` + +## Architecture + +Authentik runs as a 4-container stack: + +| Container | Role | +|-----------|------| +| `authentik` | Web server (port 9001) | +| `authentik-worker` | Background task worker | +| `authentik-postgres` | PostgreSQL 16 database | +| `authentik-redis` | Redis cache | + +Both server and worker are on the `kitestacks` external Docker network. + +## Configured Applications + +| App | Provider ID | Status | +|-----|-------------|--------| +| Grafana | 1 | Configured | +| Kavita | 2 | Configured | +| Open WebUI | 3 | Configured | +| Forgejo | 4 | Configured | + +> SSO verification pending — not yet tested end-to-end. 
+ +## All Services Running on Server + +| Service | Image | External Port | +|---------|-------|---------------| +| forgejo | forgejo:11 | 3006 (HTTP), 2222 (SSH) | +| kite-openwebui | open-webui | 3100 | +| grafana | grafana-oss | 3150 | +| cloudflared | cloudflared | — (tunnel) | +| shaarli | shaarli | 8085 | +| homepage | nginx | 3005 | +| homepage-test | gethomepage | 3007 | +| kitestacks-portal | nginx | 3008 | +| openproject | openproject:13 | 8080 | +| kite-litellm | litellm | 4000 | +| bookstack | bookstack | 6875 | +| authentik | server:latest | 9001 | +| kavita | kavita | 5000 | +| portainer | portainer-ce | 9443 | +| prometheus | prometheus | 9090 | +| node-exporter | node-exporter | 9100 | +| uptime-kuma | uptime-kuma | 3001 | + +## External Access (Cloudflare Tunnel) + +Tunnel is token-based — ingress rules live in the Cloudflare dashboard: +**dash.cloudflare.com → Zero Trust → Networks → Tunnels** + +No local `config.yml` — all routing configured via the dashboard. + +## Pending Integrations + +Services not yet added to Authentik SSO: + +- [ ] Bookstack +- [ ] OpenProject +- [ ] Portainer +- [ ] Homepage +- [ ] Shaarli +- [ ] Uptime Kuma + +## Next Steps + +1. Confirm public domain from Cloudflare tunnel dashboard +2. Test SSO login on Forgejo, Grafana, Kavita, Open WebUI +3. Add remaining services (see Pending Integrations above) +4. Set up SSH key auth on the server (currently password only)
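Review bot: the Server section records the Authentik admin UI and API base as plain `http://100.90.13.55:9001` URLs, yet this is the identity provider for every app listed; state whether TLS is terminated in front of it (for example by the Cloudflare tunnel described later) or whether admin sessions and API tokens really traverse the network in cleartext, and if the latter, record it as a known risk alongside the "password only" SSH item in Next Steps rather than leaving it implicit. Two smaller points: "Debian 6.12.90" in the Host line reads like a kernel version rather than a Debian release, so give both ("Debian 13, kernel 6.12.x" or whatever applies) to avoid confusion when patching; and the "Configured" status in the applications table contradicts the note directly below it that SSO is untested end-to-end, so consider a status such as "Configured, untested" until item 2 of Next Steps is done.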