diff --git a/mon-system/monitoring.yaml b/mon-system/monitoring.yaml
index 7c664e1..71aad0d 100644
--- a/mon-system/monitoring.yaml
+++ b/mon-system/monitoring.yaml
@@ -196,15 +196,43 @@ data:
         static_configs:
           - targets: ['version-checker.version-checker-system:8080']
 
-      # Authentik server metrics (HTTP request latency, outpost connection state)
+      # Authentik server metrics (HTTP latency, outposts connected, flow/policy cache)
       - job_name: 'authentik-server'
         static_configs:
           - targets: ['authentik-server-metrics.auth-system:9300']
+            labels:
+              namespace: 'auth-system'
 
-      # Authentik worker metrics (task queue depth, DB query latency)
+      # Authentik worker metrics (task queue depth/throughput, DB query latency)
       - job_name: 'authentik-worker'
         static_configs:
           - targets: ['authentik-worker-metrics.auth-system:9300']
+            labels:
+              namespace: 'auth-system'
+
+      # Authentik outposts - SD with ports 9300 on ak-outpost-* services
+      - job_name: 'authentik-outposts'
+        kubernetes_sd_configs:
+          - role: endpoints
+            namespaces:
+              names: ['auth-system']
+        relabel_configs:
+          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+            action: keep
+            regex: 'ak-outpost-.*-outpost;metrics'
+          - action: labelmap
+            regex: __meta_kubernetes_service_label_(.+)
+          - source_labels: [__meta_kubernetes_namespace]
+            action: replace
+            target_label: namespace
+          - source_labels: [__meta_kubernetes_service_name]
+            action: replace
+            target_label: service
+          - source_labels: [__meta_kubernetes_service_name]
+            action: replace
+            target_label: outpost
+            regex: 'ak-outpost-(.*)-outpost'
+            replacement: '$1'
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim