diff --git a/README.md b/README.md
index a01bf95..df2bb81 100644
--- a/README.md
+++ b/README.md
@@ -5,14 +5,14 @@ The configs, tweaks, and pieces that make up the `id.starcat.systems` accounts s
 [![Forgejo Last Commit (main)](https://img.shields.io/gitea/last-commit/starcat-infra/auth-server/main?gitea_url=https%3A%2F%2Fgit.starcat.systems&style=flat&logo=git&logoColor=fff&logoSize=auto&label=last%20commit%20(main))](https://git.starcat.systems/starcat-infra/auth-server/src/branch/main)
 
 ## Contents
-- `pockey-id`:
- - `docker-compose.yml`: the Docker Compose file that runs Pocket ID
- - `.env`: environment variables to configure Pocket ID
+- `authentik`:
+ - `docker-compose.yml`: the Docker Compose file that runs Authentik
+ - `.env`: environment variables to configure Authentik
 - `caddy`:
- - `Caddyfile`: the Caddy server configuration (reverse proxies Pocket ID)
+ - `Caddyfile`: the Caddy server configuration (reverse proxies Authentik)
 
 ## More Information
-For more information on this repo, please see [Pocket ID in the handbook](https://about.starcat.systems/handbook/infrastructure/security/pocket-id/).
+For more information on this repo, please see [Authentik in the handbook](https://about.starcat.systems/handbook/infrastructure/security/authentik/).
 
 ## Repo Mirrors
 Repo contents are automatically pushed to the following mirrors:
diff --git a/authentik/.env b/authentik/.env
new file mode 100644
index 0000000..9953599
--- /dev/null
+++ b/authentik/.env
@@ -0,0 +1,22 @@
+# Authentik .env app configuration
+# Configures the Authentik application
+# File location: /srv/authentik/.env
+# More information - git repo: https://git.starcat.systems/starcat-infra/auth-server
+# More information - handbook: https://about.starcat.systems/handbook/infrastructure/security/authentik/
+# See the documentation for more information: https://docs.goauthentik.io/docs/install-config/configuration/
+PG_PASS=*REDACTED*
+AUTHENTIK_SECRET_KEY=*REDACTED*
+AUTHENTIK_ERROR_REPORTING__ENABLED=true
+# SMTP Host Emails are sent to
+AUTHENTIK_EMAIL__HOST=*REDACTED*
+AUTHENTIK_EMAIL__PORT=465
+# Optionally authenticate (don't add quotation marks to your password)
+AUTHENTIK_EMAIL__USERNAME=accounts-noreply@starcat.systems
+AUTHENTIK_EMAIL__PASSWORD=*REDACTED*
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS=false
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL=true
+AUTHENTIK_EMAIL__TIMEOUT=10
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM=accounts-noreply@starcat.systems
\ No newline at end of file
diff --git a/authentik/README.md b/authentik/README.md
new file mode 100644
index 0000000..4192f36
--- /dev/null
+++ b/authentik/README.md
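Review bot: The `*REDACTED*` placeholders on the PG_PASS, AUTHENTIK_SECRET_KEY and AUTHENTIK_EMAIL__PASSWORD lines are non-empty strings, so a copy of this file deployed before the real values are filled in starts the stack with those literal strings as credentials; the `${PG_PASS:?database password required}` and `${AUTHENTIK_SECRET_KEY:?secret key required}` guards in docker-compose.yml only trip on an unset or empty variable. Leaving the two guarded keys empty in the committed copy (`PG_PASS=` and `AUTHENTIK_SECRET_KEY=`) would make compose fail fast instead, or at least add `# Replace every *REDACTED* value before first start; the compose :? checks do not catch placeholders` to the header comment. `AUTHENTIK_ERROR_REPORTING__ENABLED=true` opts in to sending error reports to an external service; a one-line comment saying this is intentional would spare the next reader a guess.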
@@ -0,0 +1,29 @@
+# Authentik README
+## what
+The Docker Compose and `.env` files that run Authentik
+
+## where
+```
+/srv/authentik/docker-compose.yml
+/srv/authentik/.env
+```
+
+## redacted values
+For security, secrets have been redacted from these files. StarCat team members can find these values in [1Password](https://start.1password.com/open/i?a=B5NVCNGFJBCCLCDCN5FKFPGVBI&v=35hhast2kp5lgw3iud374426oa&i=wulgiodikbbu4x5rxvco4zren4&h=starcatsys.1password.com). Soon, these values will be autofilled from Vault when the container starts.
+
+## making changes
+If you make changes to `.env`, just pull the latest image and restart the service:
+
+```
+docker compose pull
+docker compose up -d
+```
+
+## upgrading
+To upgrade Authentik, download the latest `docker-compose.yml` file, (optionally) put our comments at the top of the file, pull the latest images, and restart the service:
+
+```
+wget -O docker-compose.yml https://goauthentik.io/docker-compose.yml
+docker compose pull
+docker compose up -d
+```
\ No newline at end of file
diff --git a/authentik/docker-compose.yml b/authentik/docker-compose.yml
new file mode 100644
index 0000000..8502812
--- /dev/null
+++ b/authentik/docker-compose.yml
@@ -0,0 +1,98 @@
+# Docker Compose file for Authentik
+# Location: /srv/authentik/docker-compose.yml
+# IMPORTANT: When Authentik upgrades versions, the docker-compose.yml file changes. This file on Git may not be up to date. See the following for details:
+# https://git.starcat.systems/starcat-infra/auth-server/src/branch/main/authentik/README.md
+# https://docs.goauthentik.io/docs/install-config/upgrade
+
+---
+
+services:
+ postgresql:
+ image: docker.io/library/postgres:16-alpine
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ volumes:
+ - database:/var/lib/postgresql/data
+ environment:
+ POSTGRES_PASSWORD: ${PG_PASS:?database password required}
+ POSTGRES_USER: ${PG_USER:-authentik}
+ POSTGRES_DB: ${PG_DB:-authentik}
+ env_file:
+ - .env
+ redis:
+ image: docker.io/library/redis:alpine
+ command: --save 60 1 --loglevel warning
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 3s
+ volumes:
+ - redis:/data
+ server:
+ image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.3}
+ restart: unless-stopped
+ command: server
+ environment:
+ AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ volumes:
+ - ./media:/media
+ - ./custom-templates:/templates
+ env_file:
+ - .env
+ ports:
+ - "${COMPOSE_PORT_HTTP:-9000}:9000"
+ - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+ depends_on:
+ postgresql:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+ worker:
+ image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.3}
+ restart: unless-stopped
+ command: worker
+ environment:
+ AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ # `user: root` and the docker socket volume are optional.
+ # See more for the docker socket integration here:
+ # https://goauthentik.io/docs/outposts/integrations/docker
+ # Removing `user: root` also prevents the worker from fixing the permissions
+ # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+ # (1000:1000 by default)
+ user: root
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./media:/media
+ - ./certs:/certs
+ - ./custom-templates:/templates
+ env_file:
+ - .env
+ depends_on:
+ postgresql:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+
+volumes:
+ database:
+ driver: local
+ redis:
+ driver: local
diff --git a/pocket-id.png b/pocket-id.png
deleted file mode 100644
index 8aa7f00..0000000
Binary files a/pocket-id.png and /dev/null differ
diff --git a/pocket-id/.env b/pocket-id/.env
deleted file mode 100644
index cc5cb8d..0000000
--- a/pocket-id/.env
+++ /dev/null
@@ -1,11 +0,0 @@
-# Pocket ID .env app configuration
-# Configures the Pocket ID application
-# File location: /srv/pocket-id/.env
-# More information - git repo: https://git.starcat.systems/starcat-infra/auth-server
-# More information - handbook: https://about.starcat.systems/handbook/infrastructure/security/pocket-id/
-# See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
-APP_URL=https://id.starcat.systems
-TRUST_PROXY=true
-MAXMIND_LICENSE_KEY=*REDACTED*
-PUID=1000
-PGID=1000
\ No newline at end of file
diff --git a/pocket-id/README.md b/pocket-id/README.md
deleted file mode 100644
index ad9373d..0000000
--- a/pocket-id/README.md
+++ /dev/null
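Review bot: The worker service mounts `/var/run/docker.sock` and runs with `user: root`, which hands that container control of the host's Docker daemon; the upstream comment directly above marks both as optional, so unless the Docker outpost integration is actually in use the two lines `user: root` and `- /var/run/docker.sock:/var/run/docker.sock` should be dropped, with the media, certs and custom-templates directories owned by 1000:1000 as that comment describes. The postgresql service also lists `env_file: .env`, so the database container receives AUTHENTIK_SECRET_KEY and the SMTP credentials it never uses; its three POSTGRES_* variables are already supplied under `environment`, so that `env_file` entry can go. The server's `ports` entries publish 9000 and 9443 on every host interface, while the README describes Caddy as the reverse proxy in front of Authentik; if Caddy runs on the same host, `- "127.0.0.1:${COMPOSE_PORT_HTTP:-9000}:9000"` (and likewise for 9443) keeps the unproxied endpoints off the network.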
@@ -1,20 +0,0 @@
-# Pocket ID README
-## what
-The Docker Compose and `.env` files that run Pocket ID
-
-## where
-```
-/srv/pocket-id/docker-compose.yml
-/srv/pocket-id/.env
-```
-
-## redacted values
-For security, secrets have been redacted from this file. StarCat team members can find these values in [1Password](https://start.1password.com/open/i?a=B5NVCNGFJBCCLCDCN5FKFPGVBI&v=35hhast2kp5lgw3iud374426oa&i=ahsb5ohjmkyvfuoudj564xucgy&h=starcatsys.1password.com). Soon, these values will be autofilled from Vault when the container starts.
-
-## making changes
-If you make changes to `.env` or need to upgrade Pocket ID, just pull the latest image and restart the service:
-
-```
-docker compose pull
-docker compose up -d
-```
\ No newline at end of file
diff --git a/pocket-id/docker-compose.yml b/pocket-id/docker-compose.yml
deleted file mode 100644
index 5f15efb..0000000
--- a/pocket-id/docker-compose.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Docker Compose file for PocketID
-# Location: /srv/pocket-id/docker-compose.yml
-
-services:
- pocket-id:
- image: ghcr.io/pocket-id/pocket-id:v1
- restart: unless-stopped
- env_file: .env
- ports:
- - 1411:1411
- volumes:
- - "./data:/app/data"
- # Optional healthcheck
- healthcheck:
- test: "curl -f http://localhost:1411/healthz"
- interval: 1m30s
- timeout: 5s
- retries: 2
- start_period: 10s
\ No newline at end of file