diff --git a/clusters/cl01tl/manifests/sonarr-4k/HTTPRoute-sonarr-4k.yaml b/clusters/cl01tl/manifests/sonarr-4k/HTTPRoute-sonarr-4k.yaml
index 32e70244b..b69fd9779 100644
--- a/clusters/cl01tl/manifests/sonarr-4k/HTTPRoute-sonarr-4k.yaml
+++ b/clusters/cl01tl/manifests/sonarr-4k/HTTPRoute-sonarr-4k.yaml
@@ -28,3 +28,9 @@ spec:
 - path:
 type: PathPrefix
 value: /
+ filters:
+ - extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
+ type: ExtensionRef
diff --git a/clusters/cl01tl/manifests/sonarr-4k/Middleware-oidc-forward-auth.yaml b/clusters/cl01tl/manifests/sonarr-4k/Middleware-oidc-forward-auth.yaml
new file mode 100644
index 000000000..5008fe867
--- /dev/null
+++ b/clusters/cl01tl/manifests/sonarr-4k/Middleware-oidc-forward-auth.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: sonarr-4k
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: sonarr-4k
+ app.kubernetes.io/part-of: sonarr-4k
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
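Review bot: The `oidc-forward-auth` filter is attached to the one rule visible in this hunk (the `PathPrefix` `/` match), so it guards only requests that arrive through this route; anything that reaches the sonarr-4k Service directly inside the cluster skips the authentik check. The `rules` list starts above the hunk, so any other rule in this HTTPRoute should be checked for the same `filters` entry. If the application's own login is relaxed in favour of the proxy, pair this with a NetworkPolicy that admits only the Traefik pods to the Service, and record that next to the filter, e.g. `# auth is enforced at the gateway only; direct Service access is restricted by NetworkPolicy <name>`.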
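Review bot: `trustForwardHeader: true` makes Traefik pass the incoming `X-Forwarded-*` headers to the authentik outpost unchanged, so the outpost's view of host, scheme and client address is only as trustworthy as whatever sits in front of Traefik. That is safe when the entry point discards those headers from untrusted sources (a restricted `forwardedHeaders.trustedIPs`), which this commit does not show; a comment such as `# requires entryPoint forwardedHeaders.trustedIPs limited to the edge proxy` would document the dependency. The `authResponseHeaders` list also forwards `X-authentik-jwt` and the identity headers to the backend; if Sonarr does not read them, trimming the list keeps the token out of the application's request handling and logs. The outpost `address` is plain `http://`, so the auth exchange is unencrypted on the cluster network unless a mesh or CNI-level encryption covers it.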