Authentik is the open-source identity provider teams use to add SSO, OAuth2, and SAML authentication to their self-hosted services. Because Authentik sits in front of every protected application, its availability is a single point of failure for your entire authentication stack: if Authentik goes down, no one can log in to anything. If the outpost TCP port stops responding, forward auth on your reverse proxy fails silently. If the SSL certificate expires, every browser login attempt is blocked by a TLS error. Vigilmon gives you external visibility into Authentik's health metrics endpoint, login redirect, admin API, outpost TCP port, and SSL certificate.
What You'll Build
- A monitor on Authentik's `/api/v3/-/metrics/` health endpoint
- An HTTP monitor that verifies the login redirect is working
- A monitor for the Authentik admin API
- A TCP monitor for outpost availability (port 9443)
- SSL certificate monitoring for your Authentik domain
Prerequisites
- A running Authentik instance with a public or network-reachable domain
- HTTPS configured (e.g., `https://auth.example.com`)
- An Authentik outpost deployed (embedded or standalone)
- A free account at vigilmon.online
Step 1: Verify Authentik's Metrics Endpoint
Authentik exposes a Prometheus-compatible metrics endpoint that also serves as a health signal:
```bash
curl https://auth.example.com/api/v3/-/metrics/
```
A healthy Authentik returns HTTP 200 with Prometheus-format metrics including lines like:
```
authentik_system_workers{...} 1
```
This endpoint confirms Authentik's API server is running, workers are processing tasks, and the core system is operational. It requires no authentication by default but may be restricted in hardened configurations.
If your metrics endpoint requires authentication: use an API token in the `Authorization` header, or switch to monitoring `/if/user/` (the user interface root) as an alternative health signal.
Step 2: Create a Vigilmon HTTP Monitor for the Metrics Endpoint
- Log in to Vigilmon → Add Monitor → HTTP.
- URL: `https://auth.example.com/api/v3/-/metrics/`.
- Check interval: 60 seconds.
- Response timeout: 15 seconds.
- Expected status: `200`.
- Keyword: `authentik_system`.
- Click Save.
This monitor catches:
- Authentik server crashes or restarts
- Worker process failures (background tasks like email delivery stop working)
- Database connectivity issues (Authentik requires PostgreSQL)
- Redis connectivity failures (Authentik uses Redis for caching and task queues)
Step 3: Monitor the Login Redirect
Authentik's root path (/) redirects unauthenticated users to the login flow. This redirect is the first thing users hit when they try to log in — a broken redirect means no one can authenticate, even if the API backend is healthy.
```bash
curl -I https://auth.example.com/
```
Authentik returns HTTP 302 redirecting to `/if/flow/default-authentication-flow/` or similar. The exact destination depends on your configured default authentication flow.
- Add Monitor → HTTP.
- URL: `https://auth.example.com/`.
- Check interval: 60 seconds.
- Expected status: `302`.
- Label: `Authentik Login Redirect`.
- Click Save.
Alternative: If you prefer to follow the redirect, set expected status to `200` and keyword to `authentik` (which appears in the login page HTML). This also validates that the flow rendering is working.
When the login redirect monitor fires but the metrics endpoint is green, you have a routing or flow configuration issue — the backend is alive but the authentication flow isn't being served correctly.
Step 4: Monitor the Authentik Admin API
The Authentik REST API powers integrations, SCIM provisioning, and automation. Monitor it independently to catch API-specific failures:
```bash
curl https://auth.example.com/api/v3/core/users/me/ \
  -H "Authorization: Bearer <your-api-token>"
```
For a simpler unauthenticated check, use the schema endpoint:
```bash
curl https://auth.example.com/api/v3/schema/?format=json
```
- Add Monitor → HTTP.
- URL: `https://auth.example.com/api/v3/schema/?format=json`.
- Check interval: 5 minutes.
- Expected status: `200`.
- Keyword: `openapi`.
- Label: `Authentik Admin API`.
- Click Save.
Step 5: Create a TCP Monitor for Outpost Port 9443
Authentik outposts are the components that handle forward auth on your reverse proxy. The embedded outpost exposes port 9443 for HTTPS forward auth. If this port stops responding, all applications using Authentik for authentication will fail their auth checks.
- Add Monitor → TCP.
- Host: `auth.example.com`.
- Port: `9443`.
- Check interval: 60 seconds.
- Response timeout: 10 seconds.
- Label: `Authentik Outpost TCP 9443`.
- Click Save.
When the TCP monitor fires but the metrics endpoint is green, the Authentik server is running but the outpost is down — forward auth will fail across all protected applications while the Authentik UI itself may still appear reachable.
Custom outpost ports: If you've configured the outpost on a different port (e.g., `9300`), update the port accordingly. Check your Authentik outpost configuration under System → Outposts.
Step 6: Monitor SSL Certificates
Authentik's SSL certificate covers every login flow your users go through. Expiry is particularly damaging because:
- All SSO logins fail with TLS certificate errors
- OAuth2 and SAML callbacks fail, breaking third-party integrations
- Every service relying on Authentik for authentication goes down simultaneously
- Add Monitor → SSL Certificate.
- Domain: `auth.example.com`.
- Alert when expiry is within: 30 days.
- Alert again: 14 days, 7 days, 3 days, 1 day.
- Click Save.
A 30-day warning gives you ample time to renew before impact. If you're using Let's Encrypt via Certbot or a Caddy-managed certificate, the warning means automatic renewal has failed.
Step 7: Configure Alerting
In Vigilmon under Settings → Notifications, configure your alert channels:
| Monitor | Trigger | Action |
|---|---|---|
| /api/v3/-/metrics/ | Non-200 or keyword missing | Check Authentik server container; inspect PostgreSQL and Redis connectivity |
| Login redirect | Non-302 (or non-200 if following redirect) | Check authentication flow configuration; review Authentik logs |
| Admin API schema | Non-200 or keyword missing | API routing issue; check reverse proxy config |
| Outpost TCP 9443 | Connection refused or timeout | Check outpost container status; review outpost logs |
| SSL certificate | < 30 days to expiry | Renew certificate; check ACME automation or reverse proxy TLS config |
Alert after: 2 consecutive failures for HTTP monitors (the login redirect can occasionally return a different code during flow updates), and 1 failure for TCP monitors.
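As an added example (not Vigilmon's or Authentik's own code), the script below runs the same five checks from your own machine, so you can confirm the status codes and keywords the monitors expect before you save them. The `HOST` and `TOKEN` constants are placeholders to edit; the evaluation rules are kept separate from the network calls so they can be tested against constructed responses.

```python
import http.client
import socket
import ssl
import time

HOST = "auth.example.com"  # assumed placeholder; replace with your Authentik domain
TOKEN = None  # set to an API token only if your metrics endpoint is restricted
HTTP_CHECKS = [  # (label, path, expected status, keyword required in the body), as in Steps 2-4
    ("metrics", "/api/v3/-/metrics/", 200, "authentik_system"),
    ("login redirect", "/", 302, None),
    ("admin API schema", "/api/v3/schema/?format=json", 200, "openapi"),
]

def evaluate_http(status, body, expected_status, keyword):
    """Same rule as the HTTP monitors: exact status first, then the keyword must appear in the body."""
    if status != expected_status:
        return False, f"expected HTTP {expected_status}, got {status}"
    if keyword is not None and keyword not in body:
        return False, f"keyword {keyword!r} missing from body"
    return True, "ok"

def days_until_expiry(not_after, now_seconds):
    """Whole days left; not_after is the notAfter string from getpeercert(), e.g. 'Mar 30 23:59:59 2025 GMT'."""
    return int((ssl.cert_time_to_seconds(not_after) - now_seconds) // 86400)

def fetch(path):
    """GET https://HOST/path without following redirects, so the login-redirect check sees the 302 itself."""
    conn = http.client.HTTPSConnection(HOST, timeout=15)
    conn.request("GET", path, headers={"Authorization": f"Bearer {TOKEN}"} if TOKEN else {})
    resp = conn.getresponse()
    return resp.status, resp.read().decode("utf-8", "replace")

def tcp_open(host, port, timeout=10):
    """Plain TCP connect, equivalent to the Step 5 outpost monitor."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def cert_days_left(host):
    """Verified TLS handshake on 443, then whole days until the leaf certificate's notAfter."""
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            return days_until_expiry(tls.getpeercert()["notAfter"], time.time())

if __name__ == "__main__":
    for label, path, want, keyword in HTTP_CHECKS:
        print(label, evaluate_http(*fetch(path), want, keyword))
    print("outpost TCP 9443 open:", tcp_open(HOST, 9443), "| TLS days left (alert below 30):", cert_days_left(HOST))
```

A result of `(False, ...)` for the login redirect while the metrics check passes reproduces the routing-or-flow diagnosis described in Step 3.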
Common Authentik Failure Modes and What Vigilmon Catches
| Scenario | Vigilmon monitor |
|---|---|
| Authentik server crash | Metrics endpoint unreachable; alert within 60 s |
| PostgreSQL goes down | Metrics endpoint non-200; all logins fail |
| Redis goes down | Workers stop; background tasks halt; metrics may still return 200 |
| Outpost container stops | TCP monitor fires; all forward-auth protected apps fail |
| Flow configuration breaks login | Login redirect monitor fires; metrics may stay green |
| SSL certificate expires | SSL monitor alerts at 30 days; all browser logins blocked |
| DNS misconfiguration | All HTTP and SSL monitors fire simultaneously |
| Upgrade migration failure | Metrics endpoint may return 500 during migration |
Authentik is the gatekeeper for your entire self-hosted stack — every application that delegates authentication to it is dependent on its availability. Vigilmon watches the metrics endpoint, login redirect, admin API, outpost TCP port, and SSL certificate so you know the moment Authentik has a problem, before your users discover they can't log in to anything.
Start monitoring Authentik in under 5 minutes — register free at vigilmon.online.