diff --git a/.env-example b/.env-example
index 5becafb..fc55e99 100644
--- a/.env-example
+++ b/.env-example
@@ -26,3 +26,7 @@ CLICKHOUSE_TCP_PORT=9000
 CLICKHOUSE_DB=default
 CLICKHOUSE_USER=default
 CLICKHOUSE_PASSWORD=
+
+# Authentik Clients
+GF_AUTH_GENERIC_OAUTH_CLIENT_ID=
+GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=
diff --git a/monitoring/docker-compose.yaml b/monitoring/docker-compose.yaml
index 8208b58..61e95cc 100644
--- a/monitoring/docker-compose.yaml
+++ b/monitoring/docker-compose.yaml
@@ -17,6 +17,17 @@ services:
 LETSENCRYPT_HOST: grafana.devlock.net
 GF_SERVER_DOMAIN: grafana.devlock.net
 GF_SERVER_ROOT_URL: https://grafana.devlock.net
+ GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
+ GF_AUTH_GENERIC_OAUTH_NAME: "authentik"
+ GF_AUTH_GENERIC_OAUTH_SCOPES: "openid profile email offline_access"
+ GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://auth.devlock.net/application/o/authorize/"
+ GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://auth.devlock.net/application/o/token/"
+ GF_AUTH_GENERIC_OAUTH_API_URL: "https://auth.devlock.net/application/o/userinfo/"
+ GF_AUTH_SIGNOUT_REDIRECT_URL: "https://auth.devlock.net/application/o/grafana/end-session/"
+ GF_AUTH_OAUTH_AUTO_LOGIN: "true"
+ GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups, 'Grafana Admins') && 'Admin'\
+ \ || contains(groups, 'Grafana Editors') && 'Editor' || contains(groups, 'Grafana Viewers')\
+ \ && 'Viewer' || 'None'"
 healthcheck:
 test: ["CMD", "curl", "-f", "http://localhost:3000/api/health"]
 interval: 10s
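Review bot: The two new variables are not referenced in the grafana `environment:` lines this commit adds to `monitoring/docker-compose.yaml`, so unless the service loads this file through an `env_file:` entry outside the visible hunks, Grafana would start with generic OAuth enabled and no client credentials. If that wiring is missing, add `GF_AUTH_GENERIC_OAUTH_CLIENT_ID: ${GF_AUTH_GENERIC_OAUTH_CLIENT_ID}` and the matching `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` line to that block. The comment `# Authentik Clients` could also say what the values are and how to handle them, e.g. `# Grafana OAuth client issued by the Authentik provider; set the secret only in the untracked .env`.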
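Review bot: The expression in `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH` ends in `|| 'None'` and nothing in this hunk turns on strict role handling, so whether a user outside the three groups is actually kept out depends on the deployed Grafana version accepting `None` as a role. Where it does not, the login presumably falls back to the auto-assigned org role instead of being refused. Adding `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: "true"` makes a failed mapping reject the login, and `GF_AUTH_GENERIC_OAUTH_USE_PKCE: "true"` is worth setting alongside it. The backslash-continued double-quoted string is also hard to audit, and a `>-` folded scalar would hold the same expression without escapes. The `environment:` mapping these keys belong to starts outside the hunk.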