---
title: Forward auth
---
With forward auth, your existing reverse proxy does the proxying, and the authentik outpost is only used to check authentication and authorization.

To use forward auth instead of proxying, you have to change a couple of settings.
In the Proxy Provider, make sure to use one of the Forward auth modes.
## Single application
Single application mode works for a single application hosted on its own dedicated subdomain. This has the advantage that you can still apply per-application access policies in authentik.
## Domain level
To use forward auth instead of proxying, you have to change a couple of settings.
In the Proxy Provider, make sure to use the _Forward auth (domain level)_ mode.

This mode differs from the _Forward auth (single application)_ mode in the following ways:
- You don't have to configure an application in authentik for each domain
- Users don't have to authorize multiple times

There are, however, also some downsides, mainly the fact that you **can't** restrict individual applications to different users.

The only configuration difference between single application and domain level is the host you specify.

For single application mode, use the domain the application is running on; only `/outpost.goauthentik.io` is redirected to the outpost.

For domain level mode, use the same domain as authentik.
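
The trade-off between the two modes, as an added example (a simplified model, not authentik's code): the `Outpost` class, the hosts and the users are all constructed for illustration, and the user identity is passed in directly instead of being read from a session cookie. It runs the same requests through both modes to show per-application policies in single application mode, and one shared policy and one login in domain level mode.

```python
from dataclasses import dataclass, field

@dataclass
class Outpost:
    """Toy stand-in for the outpost's check endpoint (not authentik code)."""
    mode: str        # "single" or "domain"
    policies: dict   # single: {app host: allowed users}; domain: {parent domain: allowed users}
    sessions: set = field(default_factory=set)  # (user, cookie scope) pairs
    logins: int = 0  # how many times a user was sent through the login flow

    def _scope(self, host):
        """Return the provider (and session scope) covering host, or None."""
        if self.mode == "single":
            return host if host in self.policies else None
        for domain in self.policies:
            # Match the domain itself or a true subdomain, never a bare suffix.
            if host == domain or host.endswith("." + domain):
                return domain
        return None

    def check(self, user, host):
        """Decision the reverse proxy acts on: 200 forwards, 403 blocks."""
        scope = self._scope(host)
        if scope is None:
            return 403
        if (user, scope) not in self.sessions:  # authentication, once per scope
            self.logins += 1
            self.sessions.add((user, scope))
        return 200 if user in self.policies[scope] else 403  # authorization

def demo():
    """Run the same requests through both modes (constructed hosts and users)."""
    single = Outpost("single", {"wiki.example.com": {"alice", "bob"},
                                "admin.example.com": {"alice"}})
    domain = Outpost("domain", {"example.com": {"alice", "bob"}})
    results = {}
    for name, outpost in (("single", single), ("domain", domain)):
        for user in ("alice", "bob"):
            for host in ("wiki.example.com", "admin.example.com"):
                results[(name, user, host)] = outpost.check(user, host)
    return results, single.logins, domain.logins

if __name__ == "__main__":
    results, single_logins, domain_logins = demo()
    for key, status in results.items():
        print(key, status)
    print("logins:", single_logins, domain_logins)
```

In this model `bob` is blocked from `admin.example.com` only in single application mode; in domain level mode the one shared policy admits him to every host under the domain, which is why access that must differ per application needs single application mode or enforcement inside the application itself.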