diff --git a/media/bazarr/ingress.yaml b/media/bazarr/ingress.yaml
index 04c4f4f..c52cb5c 100644
--- a/media/bazarr/ingress.yaml
+++ b/media/bazarr/ingress.yaml
@@ -6,6 +6,7 @@ metadata:
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
+    traefik.ingress.kubernetes.io/router.middlewares: authentik-bazarr@kubernetescrd
 spec:
   rules:
   - host: bazarr.michaelthomson.dev
diff --git a/media/prowlarr/ingress.yaml b/media/prowlarr/ingress.yaml
index 19d517d..2c3fe77 100644
--- a/media/prowlarr/ingress.yaml
+++ b/media/prowlarr/ingress.yaml
@@ -6,6 +6,7 @@ metadata:
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
+    traefik.ingress.kubernetes.io/router.middlewares: authentik-prowlarr@kubernetescrd
 spec:
   rules:
   - host: prowlarr.michaelthomson.dev
diff --git a/traefik/bazarr-middleware.yaml b/traefik/bazarr-middleware.yaml
new file mode 100644
index 0000000..56e2eee
--- /dev/null
+++ b/traefik/bazarr-middleware.yaml
@@ -0,0 +1,24 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: bazarr
+  namespace: authentik
+spec:
+  forwardAuth:
+    address: https://bazarr.michaelthomson.dev/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+    - X-authentik-username
+    - X-authentik-groups
+    - X-authentik-email
+    - X-authentik-name
+    - X-authentik-uid
+    - X-authentik-jwt
+    - X-authentik-meta-jwks
+    - X-authentik-meta-outpost
+    - X-authentik-meta-provider
+    - X-authentik-meta-app
+    - X-authentik-meta-version
+    - authorization
+    tls:
+      certSecret: letsencrypt-wildcard-cert-michaelthomson.dev
diff --git a/traefik/prowlarr-middleware.yaml b/traefik/prowlarr-middleware.yaml
new file mode 100644
index 0000000..2e1c4ba
--- /dev/null
+++ b/traefik/prowlarr-middleware.yaml
@@ -0,0 +1,24 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: prowlarr
+  namespace: authentik
+spec:
+  forwardAuth:
+    address: https://prowlarr.michaelthomson.dev/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+    - X-authentik-username
+    - X-authentik-groups
+    - X-authentik-email
+    - X-authentik-name
+    - X-authentik-uid
+    - X-authentik-jwt
+    - X-authentik-meta-jwks
+    - X-authentik-meta-outpost
+    - X-authentik-meta-provider
+    - X-authentik-meta-app
+    - X-authentik-meta-version
+    - authorization
+    tls:
+      certSecret: letsencrypt-wildcard-cert-michaelthomson.dev