website/docs/add-secure-apps/providers/proxy/forward_auth.mdx
Using forward auth uses your existing reverse proxy to do the proxying, and only uses the authentik outpost to check authentication and authorization.
To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to use one of the Forward auth modes.
The only configuration difference between single application mode and domain level mode is the host that you specify.
For single application, you'd use the domain that the application is running on, and only /outpost.goauthentik.io is redirected to the outpost.
For domain level, you'd use the same domain as authentik.
Single application mode works for a single application hosted on its dedicated subdomain. This has the advantage that you can still do per-application access policies in authentik.
To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to use the Forward auth (domain level) mode.
This mode differs from the Forward auth (single application) mode in the following points:
There are, however, also some downsides, mainly the fact that you can't restrict individual applications to different users.
For configuration templates for each web server, refer to the following:
import DocCardList from "@theme/DocCardList";
<DocCardList />