@thewk Yes, that's possible. There are 2 ways you can use (and combine). One is using authentik with forward auth via Middleware. That means authentik (and therefore also possible MFA) is shown before you can reach your service. The other way is when your service supports OIDC, SAML, etc. Then authentik is called from that service at login.
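
The forward auth option described in the reply above, as an added example that is not part of the original post and not the project's own configuration. It assumes the reverse proxy is Traefik (dynamic file configuration); the hostnames `app.example.com`, `authentik-server:9000` and `app-backend:8080` are placeholders.

```yaml
# Added example; assumes Traefik as the reverse proxy. All hostnames are placeholders.
http:
  middlewares:
    authentik:
      forwardAuth:
        # authentik outpost endpoint that Traefik queries before forwarding a request
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        # Only appropriate when nothing untrusted in front of Traefik can set X-Forwarded-* headers
        trustForwardHeader: true
        # Identity headers copied onto the request after a successful check
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
  routers:
    app:
      # Every request to the service passes through the authentik check first
      rule: "Host(`app.example.com`)"
      middlewares:
        - authentik
      priority: 10
      service: app
    app-outpost:
      # Login and callback paths go to authentik itself, without the middleware
      rule: "Host(`app.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      priority: 15
      service: authentik
  services:
    app:
      loadBalancer:
        servers:
          - url: http://app-backend:8080
    authentik:
      loadBalancer:
        servers:
          - url: http://authentik-server:9000
```

The service must only be reachable through the proxy: a client that can connect to `app-backend:8080` directly skips the authentik check and can supply its own `X-authentik-*` headers.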